Hi,
We have found what seems to be an error in the X509_check_issued() function
inside crypto/x509v3/v3_purp.c.
At the end of the checks the routine makes for deciding whether a certain
certificate issued a second one, there is a comparison between
the name found inside the Authority Key Identifier of the candidate
subject certificate and the ISSUER NAME of the candidate issuer certificate.
Since this check always fails, the certificate chain procedure that
uses this routine is always aborted whenever a candidate subject certificate
with Authority Key Identifier and a candidate issuer certificate that is
not self-signed are tested. This means that the certificate verification
procedures always fail in that case.
We think that the correct comparison would be between the name found inside
the Authority Key Identifier of the candidate subject certificate and the
SUBJECT NAME of the candidate issuer.
In terms of code this means applying the following patch:
*** v3_purp.c.orig Wed Sep 12 16:22:41 2001
--- v3_purp.c Wed Sep 12 16:22:53 2001
***************
*** 525,531 ****
break;
}
}
! if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
}
--- 525,531 ----
break;
}
}
! if(nm && X509_NAME_cmp(nm, X509_get_subject_name(issuer)))
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
}
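Review bot: the switch to X509_get_subject_name(issuer) is inconsistent with the serial-number check this name comparison is paired with (the hunk returns X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, i.e. name and serial are checked as one identifier). The AKID's authorityCertIssuer and authorityCertSerialNumber together identify the issuer's own certificate, and a certificate is identified by its issuer name plus its serial, not by its subject name plus its serial; that is why the original line compares nm with X509_get_issuer_name(issuer). Before applying this, please check how the AKID in the attached test chains is encoded: if it carries the CA's subject name, the test certificates rather than the comparison need correcting, and the patched line would start rejecting chains whose AKID correctly names the issuer and serial of the CA certificate.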
If you want to test this, I am sending attached a tar file that contains
a set of certificate chains you may use for it. In the three cases you should
verify the certificate in "wwwBYirisCA.pem", using as CApath the three
different directories. Without the patch we suggest only
/usr/local/openssl/bin/openssl verify -CApath short wwwBYirisCA.pem
succeeds, while both
/usr/local/openssl/bin/openssl verify -CApath long wwwBYirisCA.pem
and
/usr/local/openssl/bin/openssl verify -CApath diffSerialNum wwwBYirisCA.pem
fail.
Applying our patch, both
/usr/local/openssl/bin/openssl verify -CApath short wwwBYirisCA.pem
and
/usr/local/openssl/bin/openssl verify -CApath long wwwBYirisCA.pem
succeed, while
/usr/local/openssl/bin/openssl verify -CApath diffSerialNum wwwBYirisCA.pem
fails, since the certificate chains contain different serial numbers.
Best regards,
verifyTest.tgz
"This time we will not fail, Doctor Infierno"
Diego R. Lopez
[EMAIL PROTECTED]
RedIRIS
The Spanish NREN
Tl: +34 955 056 621
-----------------------------------------
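A model of the check the report discusses, added here as an illustration and not part of the report or of OpenSSL: certificates are plain records, check_issued implements the AKID branch of X509_check_issued() in both the original and the patched form, and verify walks a chain the way `openssl verify -CApath` does. All names, serial numbers and numeric error values are constructed for the example; the three leaf certificates stand in for the "short", "long" and "diffSerialNum" directories, with the "long" case given once with the AKID carrying the Sub CA's subject name and once with the Sub CA certificate's issuer name.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

X509_V_OK = 0  # codes named after OpenSSL's; the numbers are this example's own
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    # Authority Key Identifier as (authorityCertIssuer, authorityCertSerialNumber)
    akid: Optional[Tuple[str, int]] = None

def check_issued(issuer: Cert, subject: Cert, patched: bool) -> int:
    """AKID branch of X509_check_issued(): does `issuer` issue `subject`?"""
    if subject.akid is None:
        return X509_V_OK
    nm, serial = subject.akid
    if serial != issuer.serial:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    # Original code: compare nm with the issuer cert's issuer name; patch: its subject name.
    name = issuer.subject if patched else issuer.issuer
    return X509_V_OK if nm == name else X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH

def verify(leaf: Cert, capath: List[Cert], patched: bool) -> int:
    """Walk from leaf up to a self-signed cert, as `openssl verify -CApath` does."""
    cur = leaf
    while cur.subject != cur.issuer:
        err, nxt = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, None
        for cand in (c for c in capath if c.subject == cur.issuer):
            err = check_issued(cand, cur, patched)
            if err == X509_V_OK:
                nxt = cand
                break
        if nxt is None:
            return err
        cur = nxt
    return X509_V_OK

# Constructed certificates standing in for the report's three CApath directories.
ROOT = Cert("CN=Root CA", "CN=Root CA", 1)
SUBCA = Cert("CN=Sub CA", "CN=Root CA", 2, akid=("CN=Root CA", 1))
# "short": issued by the self-signed root, whose issuer and subject names coincide.
LEAF_SHORT = Cert("CN=www", "CN=Root CA", 10, akid=("CN=Root CA", 1))
# "long" with the AKID carrying the Sub CA's subject name (the form the patch accepts)
LEAF_LONG_SUBJ = Cert("CN=www", "CN=Sub CA", 11, akid=("CN=Sub CA", 2))
# and with the AKID carrying the Sub CA certificate's issuer name (the original code's form).
LEAF_LONG_ISS = Cert("CN=www", "CN=Sub CA", 11, akid=("CN=Root CA", 2))
# "diffSerialNum": the AKID serial does not match the Sub CA certificate's serial.
LEAF_BAD_SERIAL = Cert("CN=www", "CN=Sub CA", 12, akid=("CN=Sub CA", 99))
```

Running verify on the two "long" leaves with patched=False and patched=True shows that which comparison "works" depends entirely on which name the AKID was encoded with, while the serial mismatch fails under both.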