"Diego R. Lopez" wrote:
> 
> Hi,
> 
> We have found what seems an error in the X509_check_issued() function
> inside crypto/x509v3/v3_purp.c
> At the end of the checks the routine makes for deciding whether a certain
> certificate issued a second one, there is a comparison between
> the name found inside the Authority Key Identifier of the candidate
> subject certificate and the ISSUER NAME of the candidate issuer certificate.
> Since this check always fails, the certificate chain procedure that
> uses this routine is always aborted whenever a candidate subject certificate
> with Authority Key Identifier and a candidate issuer certificate that is
> not self-signed are tested. This means that the certificate verification
> procedures always fail in that case.
> 
> We think that the correct comparison would be between the name found inside
> the Authority Key Identifier of the candidate subject certificate and the
> SUBJECT NAME of the candidate issuer.
> 

OpenSSL's behaviour is correct.

A standard property of certificates is that the issuer name and serial
number must be unique.

The Authority Key Identifier extension is used as a means of uniquely
identifying the issuing authority. One way it does this is to use the
issuer name and serial number of the issuing authority.

The subject name of the issuer certificate is already available in the
issuer name of the subject certificate. If it merely used this then it
would be duplicating information.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
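The name/AKI matching described in the reply above, as an added illustration that is not OpenSSL code and not from either message: a small pure-Python model of the X509_check_issued() checks, with the comparison proposed in the question switchable so both variants can be run on the same non-self-signed issuer. The three-certificate hierarchy, names, serials and key identifiers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AuthorityKeyId:
    # Authority Key Identifier fields; any may be absent.
    key_id: Optional[bytes] = None      # keyIdentifier: issuer's Subject Key Identifier
    cert_issuer: Optional[str] = None   # authorityCertIssuer: ISSUER name of the CA's own cert
    cert_serial: Optional[int] = None   # authorityCertSerialNumber: serial of the CA's own cert

@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for an X509 object: only the fields the check reads.
    subject: str
    issuer: str
    serial: int
    subject_key_id: Optional[bytes] = None
    aki: Optional[AuthorityKeyId] = None

def check_issued(subj, issuer, use_issuer_subject=False) -> bool:
    """Model of the X509_check_issued() name/AKI checks (not OpenSSL code).
    use_issuer_subject=True applies the comparison proposed in the question,
    i.e. authorityCertIssuer vs the issuer cert's SUBJECT instead of its ISSUER."""
    if subj.issuer != issuer.subject:      # issuer name must match the CA's subject
        return False
    aki = subj.aki
    if aki is None:                        # no AKI: nothing more to check
        return True
    if aki.key_id is not None and aki.key_id != issuer.subject_key_id:
        return False
    if aki.cert_issuer is not None:
        expected = issuer.subject if use_issuer_subject else issuer.issuer
        if aki.cert_issuer != expected:
            return False
    if aki.cert_serial is not None and aki.cert_serial != issuer.serial:
        return False
    return True

# Constructed hierarchy: self-signed root -> intermediate -> leaf.
ROOT = Cert("CN=Root", "CN=Root", 1, subject_key_id=b"root-kid")
INTER = Cert("CN=Inter", "CN=Root", 2, subject_key_id=b"inter-kid",
             aki=AuthorityKeyId(b"root-kid", "CN=Root", 1))
# The leaf's AKI names the intermediate's *certificate*: that cert's issuer
# (CN=Root) and serial (2), which is not the intermediate's subject name.
LEAF = Cert("CN=Leaf", "CN=Inter", 3, aki=AuthorityKeyId(b"inter-kid", "CN=Root", 2))

if __name__ == "__main__":
    print(check_issued(LEAF, INTER), check_issued(LEAF, INTER, use_issuer_subject=True))  # True False
    print(check_issued(INTER, ROOT), check_issued(INTER, ROOT, use_issuer_subject=True))  # True True
```

The proposed comparison only agrees with the correct one for a self-signed issuer, where subject and issuer names coincide; for the intermediate it rejects the genuine issuer.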


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]