All I know is that MS Windows 2000 SP3 considers the chain broken: it links
the EndUser Cert with the ROOT CERT, and since the issuer of the EndUser
Cert is not ROOT CA, badaboum, unusable certificate.
When authorityKeyId=keyid, it works; when authorityKeyId=keyid,issuer ->
doesn't work.
So I compiled openssl with the change I proposed and it works fine, the
cert chain is validated by windows.

I'm sorry, but when we talk about the issuer of the EndUser Cert, we talk
about INTERMEDIATE CA, not ROOT CA.

Tell me what DN the authorityKeyId's issuer would contain if I had a
3-level architecture?
That's nonsense.

----- Original Message -----
From: "Richard Levitte - VMS Whacker via RT" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, October 31, 2002 11:07 PM
Subject: Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?


>
> In message <[EMAIL PROTECTED]> on Thu, 31 Oct 2002 22:44:33 +0100 (MET), "Frédéric Giudicelli via RT" <[EMAIL PROTECTED]> said:
>
> rt> The "authorityKeyIdentifier" extension seems to behave weirdly...
> rt>
> rt> I have a two level CA architecture:
> rt>     ROOT CA
> rt>     INTERMEDIATE CA
> rt> For both CA:
> rt> authorityKeyIdentifier = keyid,issuer:always
> rt>
> rt> ROOT CA's authorityKeyIdentifier extension gives its own DN as issuer (normal)
> rt> INTERMEDIATE CA's authorityKeyIdentifier extension gives ROOT CA's DN as issuer (normal)
> rt> A certificate signed by INTERMEDIATE CA gives ROOT CA's DN as issuer (not normal), shouldn't it be INTERMEDIATE CA's DN ? since the issuer of this certificate is INTERMEDIATE CA and not ROOT CA.
> rt>
> rt> So I looked at the source code, and I found:
> rt>
> rt> crypto/x509v3/v3_akey.c:144
> rt>
> rt> cert = ctx->issuer_cert;
> rt> ...
> rt> if((issuer && !ikeyid) || (issuer == 2)) {
> rt>  isname = X509_NAME_dup(X509_get_issuer_name(cert));
> rt>
> rt> So "cert" contains the issuer certificate, and we copy the "cert"'s issuer DN, and not its DN ????
> rt>  isname = X509_NAME_dup(X509_get_subject_name(cert)); would be more proper, no ?
>
> You entirely missed the line following what you show:
>
> serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
>
> and how those two variables.  Think about it, how are certificates
> referred to?  You can refer to it by subject, which is imprecise, since
> it doesn't specify *one*specific* certificate.  The other way is to
> refer to it with issuer and serial number, which should match exactly
> one and only one certificate (unless the issuer has fucked up the
> serial number sequencer).
>
> So, what is stored in the authorityKeyId extension is the issuer and
> serial number of the intermediate CA, which refers to one specific
> certificate that belongs to that intermediate CA, as well as the key
> ID.
>
> This is not an error.
>
> --
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
>                     \      SWEDEN       \ or +46-708-26 53 44
> Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
>
>
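The disagreement above is over what the issuer and serial fields of the authorityKeyIdentifier extension name. As an added example (not code from this thread or from OpenSSL), the pure-Python DER encoder/decoder below builds the AKI an end-entity certificate gets under `keyid,issuer:always` and checks it against the constructed sample chain ROOT CA -> INTERMEDIATE CA -> end-entity; the `name()`, serial and key-id values are all made up for the example. It shows the reading Richard gives, which is also what RFC 3280/5280 specify: authorityCertIssuer and authorityCertSerialNumber are the issuer DN and serial *of the intermediate CA's own certificate*, so they hold ROOT CA's DN, and a validator matching `[1]` against the CA's subject DN instead would reject a correct chain.

```python
# Added example (not from the thread or OpenSSL); sample names/serials are constructed.
def _der(tag, body):                 # encode one DER TLV (short-form length suffices here)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _tlv(data, pos):                 # decode one DER TLV -> (tag, value, next position)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def name(cn):                        # X.501 Name with a single CN attribute (OID 2.5.4.3)
    attr = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def build_aki(keyid, issuer_name_der, serial):
    """Encode AKI as 'authorityKeyIdentifier = keyid,issuer:always' produces it."""
    ser = serial.to_bytes(serial.bit_length() // 8 + 1, "big", signed=True)
    return _der(0x30, _der(0x80, keyid)                        # [0] keyIdentifier
                + _der(0xA1, _der(0xA4, issuer_name_der))      # [1] GeneralNames { [4] directoryName }
                + _der(0x82, ser))                             # [2] authorityCertSerialNumber

def parse_aki(der):
    """Return {'keyid', 'issuer' (Name DER), 'serial' (int)} from an AKI extension value."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "AuthorityKeyIdentifier is a SEQUENCE"
    out, pos = {"keyid": None, "issuer": None, "serial": None}, 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0x80:
            out["keyid"] = val
        elif tag == 0xA1:            # take the first GeneralName, expected to be directoryName
            gtag, gval, _ = _tlv(val, 0)
            out["issuer"] = gval if gtag == 0xA4 else None
        elif tag == 0x82:
            out["serial"] = int.from_bytes(val, "big", signed=True)
    return out

def aki_identifies_ca_cert(aki_der, ca_cert_issuer_der, ca_cert_serial):
    """True if the AKI names the CA's certificate by (that cert's issuer DN, its serial)."""
    aki = parse_aki(aki_der)
    return aki["issuer"] == ca_cert_issuer_der and aki["serial"] == ca_cert_serial

# Sample chain: ROOT CA -> INTERMEDIATE CA (serial 4660, issued by the root) -> end-entity.
ROOT_DN, INTER_DN = name("ROOT CA"), name("INTERMEDIATE CA")
INTER_SERIAL, INTER_KEYID = 4660, bytes.fromhex("0102030405")
# The end-entity AKI carries the intermediate cert's *issuer* (ROOT CA's DN) plus its serial:
# together they pick out exactly one certificate, the intermediate's.
EE_AKI = build_aki(INTER_KEYID, ROOT_DN, INTER_SERIAL)
```

The last assertion-style check a validator should make is `aki_identifies_ca_cert(EE_AKI, ROOT_DN, INTER_SERIAL)`, i.e. compare `[1]` with the intermediate certificate's issuer field, not its subject.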
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]