
List:       openssl-dev
Subject:    [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v
From:       "John Lofgren via RT" <rt () openssl ! org>
Date:       2015-05-30 7:48:43
Message-ID: rt-4.0.4-5720-1432972122-1127.3886-21-0 () openssl ! org

I believe I have pinpointed a typo that may be the cause of one or
two other outstanding bugs related to certificate chain validation. This
bug only occurs in a chain of certs at least 3 deep when the certs use
the X509v3 Authority Key Identifier extension.

I am attaching a chain of 3 certs that verifies using the Windows
Certificate Manager, but fails to verify in versions 1.0.1, 1.0.1c and
1.0.1m.

Example failure command:
openssl verify -CAfile openssl-verify-chain-bug-CA.crt -untrusted openssl-verify-chain-bug-IM-CA.crt openssl-verify-chain-bug-CS.crt

I have also provided a one line patch to crypto/x509v3/v3_purp.c. I
believe the error is due to a simple typo. The function X509_check_akid()
is meant to compare the keyID, serial number, and issuer name between a
cert and its issuer cert. The keyID and serial number comparisons are working
correctly. However, when comparing the issuer name, instead of comparing
the cert's issuer name to the issuer cert's subject name, it is comparing
to the issuer cert's *issuer* name, i.e. instead of comparing to the
parent name, it is comparing to the grandparent name.

John Lofgren


["openssl_bug.zip" (application/zip)]
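The following is an added illustration of the comparison the report describes; it is not OpenSSL's code and not the reporter's patch (the attached zip is not reproduced on this page). It models X509_check_akid() with plain Python objects (strings in place of X509_NAME and key identifiers, symbolic result codes in place of the X509_V_ERR_* values) and a constructed three-level chain shaped like the report's CA / IM-CA / CS files. It shows why the wrong comparison goes unnoticed in a two-level chain: the only issuer there is the self-signed root, whose subject and issuer names are identical, so comparing against the grandparent name happens to give the same answer. With an intermediate CA in between, the leaf's authorityCertIssuer (the intermediate's subject) is compared against the intermediate's own issuer (the root) and the check fails.

```python
from dataclasses import dataclass
from typing import List, Optional

# Result codes are modeled symbolically; they stand in for X509_V_OK and the
# X509_V_ERR_AKID_* errors and are not OpenSSL's numeric values.
OK = "ok"
AKID_SKID_MISMATCH = "akid keyid does not match issuer's subject key id"
AKID_ISSUER_SERIAL_MISMATCH = "akid issuer name or serial does not match issuer"


@dataclass
class AuthorityKeyId:
    """Modeled X509v3 Authority Key Identifier: any field may be absent."""
    keyid: Optional[str] = None     # keyIdentifier
    issuer: Optional[str] = None    # authorityCertIssuer (directoryName)
    serial: Optional[int] = None    # authorityCertSerialNumber


@dataclass
class Cert:
    """Modeled certificate: names are plain strings instead of X509_NAME."""
    subject: str
    issuer: str
    serial: int
    skid: str                                # Subject Key Identifier
    akid: Optional[AuthorityKeyId] = None


def check_akid(issuer: Cert, akid: Optional[AuthorityKeyId], buggy: bool) -> str:
    """Model of X509_check_akid(issuer, akid).

    buggy=True reproduces the comparison the report describes: the AKID's
    issuer name is checked against the issuer cert's *issuer* name (the
    grandparent) instead of its *subject* name (the parent).
    """
    if akid is None:
        return OK
    if akid.keyid is not None and akid.keyid != issuer.skid:
        return AKID_SKID_MISMATCH
    if akid.serial is not None and akid.serial != issuer.serial:
        return AKID_ISSUER_SERIAL_MISMATCH
    if akid.issuer is not None:
        expected = issuer.issuer if buggy else issuer.subject
        if akid.issuer != expected:
            return AKID_ISSUER_SERIAL_MISMATCH
    return OK


def verify_chain(chain: List[Cert], buggy: bool = False) -> List[str]:
    """Run the AKID check for every cert in `chain` against the one above it.

    `chain` is ordered leaf first, self-signed trust anchor last. The root has
    nothing above it, so it is not checked. Returns one result per issued
    cert, leaf first.
    """
    return [check_akid(chain[i + 1], chain[i].akid, buggy)
            for i in range(len(chain) - 1)]


# Constructed 3-level chain: root CA -> intermediate CA -> code-signing leaf.
ROOT = Cert(subject="CN=Root CA", issuer="CN=Root CA", serial=1, skid="root-key",
            akid=AuthorityKeyId(keyid="root-key", issuer="CN=Root CA", serial=1))
IM_CA = Cert(subject="CN=Intermediate CA", issuer="CN=Root CA", serial=2, skid="im-key",
             akid=AuthorityKeyId(keyid="root-key", issuer="CN=Root CA", serial=1))
LEAF = Cert(subject="CN=Code Signing", issuer="CN=Intermediate CA", serial=3, skid="cs-key",
            akid=AuthorityKeyId(keyid="im-key", issuer="CN=Intermediate CA", serial=2))

TWO_LEVEL = [IM_CA, ROOT]            # passes even with the wrong comparison
THREE_LEVEL = [LEAF, IM_CA, ROOT]    # leaf fails with the wrong comparison


if __name__ == "__main__":
    for name, chain in (("2-level", TWO_LEVEL), ("3-level", THREE_LEVEL)):
        print(f"{name} chain, buggy comparison: {verify_chain(chain, buggy=True)}")
        print(f"{name} chain, fixed comparison: {verify_chain(chain, buggy=False)}")
```

The two-level chain returns ok under both comparisons, while the three-level chain reports a mismatch for the leaf only under the buggy one. To check a real OpenSSL build rather than this model, run the report's `openssl verify -CAfile ... -untrusted ...` command against a chain whose intermediate carries an authorityCertIssuer name.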

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

