Not sure why this bug was closed. Is more information needed? This is a real bug in the akey module.
-- Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of OpenSSL-Bugs
Sent: Friday, February 10, 2006 5:39 PM
To: [EMAIL PROTECTED]
Subject: [openssl.org #1282] AutoReply: error setting AuthorityKeyIdentifier

Greetings,

This message has been automatically generated in response to the creation of a trouble ticket regarding: "error setting AuthorityKeyIdentifier", a summary of which appears below.

There is no need to reply to this message right now. Your ticket has been assigned an ID of [openssl.org #1282].

Please include the string:

[openssl.org #1282]

in the subject line of all future correspondence about this issue. To do so, you may reply to this message.

Also, please note that all attachments to your message have been stored in the database, but are not included in any outgoing mail.

Thank you,

-------------------------------------------------------------------------

Hello,

I am doing some interop testing with a toolkit that performs PKIX certificate verification and it is having a problem validating a chain I built with OpenSSL. What appears to be happening is that when 'ca' copies in the authority key information into the client certificate, it is pulling in the CA subject from my root CA instead of my intermediate CA (marked *wrong* below).

If you look at the following chain (leaf->intermediate->root CA), you will notice the subject key/authority keys are correct. The authority serial numbers are correct. But, the leaf certificate has the rootCA's subject DN. It should be the intermediate CA's subject DN.

Certchain entry: 0
certsubject cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c=US
serial# = 59
i = cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
** ski = 40:AE:D1:37:02:03:D6:BE:BB:D2:E3:31:CD:5A:D3:E4:43:FE:BF:BB
** aki = KeyIdentifier: 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
   AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US ***wrong*, the issuer is seclab server ca, not root!!***
   AuthorityCertSerialNumber: 1

Certchain entry: 1
certsubject cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
serial# = 1
i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
** ski = 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
   AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
   AuthorityCertSerialNumber: 99dd8a982ee608fe

Certchain entry: 2
certsubject cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
serial# = 11087170243882518782
i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
** ski = 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
   AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
   AuthorityCertSerialNumber: 99dd8a982ee608fe

I believe the problem is in the v3_akey.c module. You are copying the subject name of the issuer's issuer, not the issuer itself. This has no impact with a single layer hierarchy but breaks when you have an intermediate CA.

    if((issuer && !ikeyid) || (issuer == 2)) {
        # this should be X509_get_subject_name
        isname = X509_NAME_dup(X509_get_issuer_name(cert));
        serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));

-- Tim
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
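
As an added example (not part of the original message and not OpenSSL code), the Python below checks each link of the chain dump above: the AKI key identifier against the parent's SKI, the AKI serial against the parent's serial, and the AKI directoryName against both the parent's subject and the parent's issuer. The dictionaries are constructed from the values in the dump; the function names, the reading of `serial#` as decimal and `AuthorityCertSerialNumber` as hexadecimal, and the simplified DN comparison are assumptions.

```python
# Constructed sample input: values copied from the chain dump in the message.
ROOT_DN = "cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US"
SERVER_DN = "cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US"
ROOT_KID = "2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A"
SERVER_KID = "13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E"

CHAIN = [  # leaf, intermediate, root
    {"subject": "cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c=US",
     "issuer": SERVER_DN, "serial": "59",
     "ski": "40:AE:D1:37:02:03:D6:BE:BB:D2:E3:31:CD:5A:D3:E4:43:FE:BF:BB",
     "aki": {"keyid": SERVER_KID, "name": ROOT_DN, "serial": "1"}},
    {"subject": SERVER_DN, "issuer": ROOT_DN, "serial": "1", "ski": SERVER_KID,
     "aki": {"keyid": ROOT_KID, "name": ROOT_DN, "serial": "99dd8a982ee608fe"}},
    {"subject": ROOT_DN, "issuer": ROOT_DN, "serial": "11087170243882518782",
     "ski": ROOT_KID,
     "aki": {"keyid": ROOT_KID, "name": ROOT_DN, "serial": "99dd8a982ee608fe"}},
]

def norm_kid(kid):
    """Key identifiers compare as bytes, so drop separators and case."""
    return bytes.fromhex(kid.replace(":", ""))

def norm_dn(dn):
    """Simplified DN comparison (assumption): case-fold and strip each RDN."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def check_link(child, parent):
    """Compare the child's AKI fields with the certificate one level up."""
    aki = child["aki"]
    return {
        "keyid_is_parent_ski": norm_kid(aki["keyid"]) == norm_kid(parent["ski"]),
        # Assumption: the dump prints serial# in decimal and the AKI serial in hex.
        "serial_is_parent_serial": int(aki["serial"], 16) == int(parent["serial"], 10),
        "name_is_parent_subject": norm_dn(aki["name"]) == norm_dn(parent["subject"]),
        "name_is_parent_issuer": norm_dn(aki["name"]) == norm_dn(parent["issuer"]),
    }

def check_chain(chain):
    """Check every entry against the next one; the last entry is checked against itself."""
    last = len(chain) - 1
    return [check_link(cert, chain[min(i + 1, last)]) for i, cert in enumerate(chain)]

if __name__ == "__main__":
    for index, result in enumerate(check_chain(CHAIN)):
        print(index, result)
```

For the leaf, the key identifier and serial both point at the intermediate while the name equals the intermediate's issuer rather than its subject; at the root link the two names coincide, which is why a single-layer hierarchy shows no difference. RFC 5280 defines the authorityCertIssuer and authorityCertSerialNumber pair as the issuer name and serial number of the issuing CA's certificate.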
