In message <[EMAIL PROTECTED]> on Thu, 31 Oct 2002 22:44:33 
+0100 (MET), "Frédéric Giudicelli via RT" <[EMAIL PROTECTED]> said:

rt> The "authorityKeyIdentifier" extension seems to behave weirdly...
rt> 
rt> I have a two level CA architecture:
rt>     ROOT CA
rt>     INTERMEDIATE CA
rt> For both CA:
rt> authorityKeyIdentifier = keyid,issuer:always
rt> 
rt> ROOT CA's authorityKeyIdentifier extension gives its own DN as issuer (normal)
rt> INTERMEDIATE CA's authorityKeyIdentifier extension gives ROOT CA's DN as issuer 
rt> (normal)
rt> A certificate signed by INTERMEDIATE CA gives ROOT CA's DN as issuer (not 
rt> normal). Shouldn't it be INTERMEDIATE CA's DN, since the issuer of this 
rt> certificate is INTERMEDIATE CA and not ROOT CA?
rt> 
rt> So I looked at the source code, and I found:
rt> 
rt> crypto/x509v3/v3_akey.c:144
rt> 
rt> cert = ctx->issuer_cert;
rt> ...
rt> if((issuer && !ikeyid) || (issuer == 2)) {
rt>  isname = X509_NAME_dup(X509_get_issuer_name(cert));
rt> 
rt> So "cert" contains the issuer certificate, and we copy the "cert"'s issuer DN, and 
rt> not its DN????
rt>  isname = X509_NAME_dup(X509_get_subject_name(cert)); would be more proper, no?

You entirely missed the line following what you show:

        serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));

and how those two variables.  Think about it, how are certificates
referred to?  You can refer to it by subject, which is imprecise, since
it doesn't specify *one*specific* certificate.  The other way is to
refer to it with issuer and serial number, which should match exactly
one and only one certificate (unless the issuer has fucked up the
serial number sequencer).

So, what is stored in the authorityKeyId extension is the issuer and
serial number of the intermediate CA, which refers to one specific
certificate that belongs to that intermediate CA, as well as the key
ID.

This is not an error.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
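
The point Richard makes, as an added example that is not code from this thread or from OpenSSL: using the Python `cryptography` library (an assumption of this example), it builds the ROOT CA -> INTERMEDIATE CA -> leaf chain from the report with an authorityKeyIdentifier filled the way `keyid,issuer:always` fills it, then checks that the (issuer DN, serial) pair in each certificate's AKID identifies its issuer's certificate, so the leaf's AKID carries ROOT CA's DN together with the intermediate's serial number.

```python
# Added example (not from the thread or OpenSSL); needs the `cryptography` package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtensionOID

AKID, SKID = ExtensionOID.AUTHORITY_KEY_IDENTIFIER, ExtensionOID.SUBJECT_KEY_IDENTIFIER


def issue(cn, key, issuer_cert=None, issuer_key=None):
    """Issue a cert for `cn` (self-signed if issuer_cert is None) with an AKID built
    like 'keyid,issuer:always': issuer keyid + (issuer DN, serial) of the issuer's cert."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    serial = x509.random_serial_number()
    skid = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    if issuer_cert is None:  # self-signed root: the AKID refers to itself
        issuer_key, issuer_name = key, subject
        keyid, ref_issuer, ref_serial = skid.digest, subject, serial
    else:  # what v3_akey.c does: X509_get_issuer_name(cert) + serial of cert
        issuer_name = issuer_cert.subject
        keyid = issuer_cert.extensions.get_extension_for_oid(SKID).value.digest
        ref_issuer, ref_serial = issuer_cert.issuer, issuer_cert.serial_number
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(skid, critical=False)
            .add_extension(x509.AuthorityKeyIdentifier(
                key_identifier=keyid,
                authority_cert_issuer=[x509.DirectoryName(ref_issuer)],
                authority_cert_serial_number=ref_serial), critical=False)
            .sign(issuer_key, hashes.SHA256()))


def build_chain():
    rk, ik, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("ROOT CA", rk)  # constructed chain, same layout as the report
    inter = issue("INTERMEDIATE CA", ik, root, rk)
    return root, inter, issue("leaf", lk, inter, ik)


def akid_issuer_dn(cert):  # the DirName stored in cert's AKID, as RFC 4514 text
    akid = cert.extensions.get_extension_for_oid(AKID).value
    return akid.authority_cert_issuer[0].value.rfc4514_string()


def akid_names_issuer_cert(cert, issuer_cert):
    """True iff cert's AKID identifies exactly issuer_cert (RFC 5280 4.2.1.1)."""
    akid = cert.extensions.get_extension_for_oid(AKID).value
    return (akid.key_identifier == issuer_cert.extensions.get_extension_for_oid(SKID).value.digest
            and akid.authority_cert_issuer == [x509.DirectoryName(issuer_cert.issuer)]
            and akid.authority_cert_serial_number == issuer_cert.serial_number)
```

For the leaf, `akid_issuer_dn` returns `CN=ROOT CA` while `akid_names_issuer_cert(leaf, inter)` is true: the DN is the intermediate certificate's issuer, paired with the intermediate's serial, exactly as the source does it.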

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
