Michael Bell wrote:
> Dr S N Henson schrieb:
> > Michael Bell wrote:
> > > Hi,
> > >
> > > I found a bug in openssl ca. If you set authorityKeyIdentifier to
> > > keyid and issuer always then the keyid will be set correctly but the
> > > issuer is wrong.
> > >
> > > Example:
> > >
> > > Root-CA --> Sub-Level 1 CA --> Sub-Level 2 CA --> User
> > >
> > > If I issue a certificate for a user then the issuer of the CA cert
> > > is the DN of the Root-CA.
> >
> > What do you mean here? Are you saying that the authorityKeyIdentifier in
> > Sub-Level 2 CA issuer name is the root CA? If so that's correct because
> > it's telling you the issuer and serial number of the CA that issued it.
>
> If the new cert is for a user then the authorityKeyIdentifier issuer
> must be the DN from Sub-Level 1 CA but the DN is from the Root-CA.
>
> The issuer of the CA certificate of Sub-Level 2 CA is the Sub-Level 1
> CA. The issuer and serial number of the CA that issued the Sub-Level 1 CA
> must be from Sub-Level 2 CA but OpenSSL uses the DN of the Root-CA for the
> issuer.
I can't see how that can happen. The ca command only passes the issuing CA
certificate to the extension routines. It does not have access to any other
CA certificate. It fills in the authority key identifier by extracting the
issuer name of that issuing authority and its serial number.

Is the issuer name of the CA correct? If there's nothing obviously wrong can
you send me an example of a user certificate exhibiting this behaviour and
all the CA certificates too?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                           [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
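The behaviour Steve describes can be checked directly: build the four-level chain from the report with `authorityKeyIdentifier=keyid,issuer:always` on every subordinate certificate and then read back the AKID of the user certificate. The script below is an added example, not code from the thread or from the OpenSSL project. It assumes a working `openssl` binary (1.1.1 or 3.x) and uses `openssl x509 -req` in place of `openssl ca` to avoid setting up the CA database; both commands hand the same single issuing certificate to the same X509v3 extension code, so the AKID contents are produced the same way. The extension config file and the serial numbers are made up for the example. The expected result, per the explanation above, is that the user certificate's AKID carries the DirName of the CA that issued Sub-Level 2 CA's certificate (Sub-Level 1 CA) and Sub-Level 2 CA's own serial number, while Sub-Level 2 CA's AKID carries Root-CA and Sub-Level 1 CA's serial.

```shell
#!/bin/sh
# Added example (not from the original thread): build
#   Root-CA -> Sub-Level 1 CA -> Sub-Level 2 CA -> User
# with authorityKeyIdentifier=keyid,issuer:always and show what the
# issuer/serial fields of the user certificate's AKID actually contain.
# Assumes a working `openssl` binary. `openssl x509 -req` stands in for
# `openssl ca`; both pass only the issuing certificate to the v3 code.
set -e

WORK=$(mktemp -d)

# Hypothetical extension config; the AKID line is the one under discussion.
cat > "$WORK/ext.cnf" <<'EOF'
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer:always

[ ee_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer:always
EOF

# keypair_and_csr NAME CN  -> NAME.key, NAME.csr
keypair_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# sign NAME ISSUER SERIAL SECTION -> NAME.crt issued by ISSUER.crt/ISSUER.key
sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -set_serial "$3" -days 30 \
        -extfile "$WORK/ext.cnf" -extensions "$4" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Self-signed root, then each level signed by the one above it.
# Serial numbers are chosen so they are recognisable in the AKID output.
build_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.crt" -subj "/CN=Root-CA" -days 30 >/dev/null 2>&1
    keypair_and_csr sub1 "Sub-Level 1 CA"; sign sub1 root 0x1001 ca_ext
    keypair_and_csr sub2 "Sub-Level 2 CA"; sign sub2 sub1 0x2002 ca_ext
    keypair_and_csr user "User";           sign user sub2 0x3003 ee_ext
}

# akid NAME -> the AKID block of NAME.crt (keyid, DirName and serial lines)
akid() {
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | sed -n '/Authority Key Identifier/,/serial:/p'
}

# akid_issuer NAME -> the "DirName:..." line; akid_serial NAME -> "serial:..."
akid_issuer() { akid "$1" | grep 'DirName:' | sed 's/^ *//'; }
akid_serial() { akid "$1" | grep 'serial:'  | sed 's/^ *//'; }

build_chain
echo "user cert AKID (issuer = who signed Sub-Level 2 CA, serial = Sub-Level 2 CA's):"
akid user
echo "sub2 cert AKID (issuer = who signed Sub-Level 1 CA, serial = Sub-Level 1 CA's):"
akid sub2
```

The point to take from the output is that the DirName in an AKID is never the subject of the certificate's own issuer; it is the issuer *of* the issuer's certificate, paired with the issuer's serial number, because the pair (issuer name, serial) uniquely identifies the issuing CA's certificate. A user certificate issued by Sub-Level 2 CA therefore shows Sub-Level 1 CA in its AKID, and only if it showed Root-CA would there be a bug.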