OpenSSL Versions: 0.9.7l and 0.9.8i (but I believe this affects all
versions with proxy certificate support)
Description:
RFC 3820, section 4.1.3, Basic Proxy Certificate Processing, step a.4
gives the following requirement when validating a proxy certificate:
The certificate subject name is the working_issuer_name with a CN
component appended.
OpenSSL is not currently enforcing this. So, for example, if I have an
end entity certificate with a subject DN of
/DC=org/DC=example/CN=chad
I can use this certificate to create a proxy certificate with the
following DN
/DC=org/DC=example/CN=john/CN=foo
Note that the second DN does not contain the first one plus an additional CN.
This could be used to create a proxy certificate that impersonates
another user.
Here are the commands I used to create the proxy cert, assuming the end
entity cert, key, and trust chain are eecert.pem, eekey.pem, and
eetrust.pem, respectively.
openssl req -new -nodes -keyout proxy.key -newkey rsa:1024 \
-subj "/DC=org/DC=example/CN=john/CN=foo" > proxy.csr
openssl x509 -CA ~/.pki/eecert.pem -CAkey ~/.pki/eekey.pem \
-req -in proxy.csr -md5 -days 7 -set_serial 0xcafebabe01 \
-extfile proxy_openssl.cnf -extensions proxy_ext > proxy.crt
The openssl conf file referenced above contains the following lines,
used to add the required proxy cert extensions:
[proxy_ext]
proxyCertInfo=critical,language:id-ppl-anyLanguage
The verify command that I use is as follows. The eetrust.pem contains
the end entity cert, so that the chain from the proxy to the root is
complete:
OPENSSL_ALLOW_PROXY_CERTS=1 openssl verify -purpose sslclient \
-CAfile ca_root.pem -untrusted eetrust.pem proxy.crt
The result of this command is:
proxy.crt: OK
I wish I could provide a patch but my C/C++ programming skills are far
less than stellar. If I can provide more information about the problem
though, just let me know.
Thanks.
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[email protected], http://www.switch.ch
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
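The RFC 3820 4.1.3 step a.4 check the report says OpenSSL skipped, written out as an added example (this is illustrative code, not OpenSSL's verifier and not code from the report). It assumes the simple slash-separated DN notation used above ("/DC=org/DC=example/CN=chad"); escaped slashes and multi-valued RDNs are out of scope. The function names `parse_dn`, `proxy_subject_ok` and `check_proxy_chain` are this example's own. It goes one step beyond the report by walking a whole chain of proxies, carrying `working_issuer_name` forward the way the RFC's path-processing loop does, so that a second proxy that does not extend the first is also rejected.

```python
"""RFC 3820 section 4.1.3 step a.4: a proxy certificate's subject must be
the working_issuer_name (the subject of the certificate that issued it)
with exactly one CN component appended.  Added example, not OpenSSL code."""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("DC", "org")


def parse_dn(dn: str) -> List[RDN]:
    """Split a slash-separated DN ('/T=v/T=v') into an ordered list of
    (type, value) pairs.  Assumes no escaped '/' and single-valued RDNs."""
    if not dn.startswith("/"):
        raise ValueError("expected a slash-separated DN: %r" % dn)
    rdns = []
    for part in dn[1:].split("/"):
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip(), value))
    return rdns


def proxy_subject_ok(working_issuer_name: str, proxy_subject: str) -> bool:
    """True iff proxy_subject == working_issuer_name + one CN component."""
    issuer = parse_dn(working_issuer_name)
    subject = parse_dn(proxy_subject)
    if len(subject) != len(issuer) + 1:
        return False  # nothing appended, or more than one RDN appended
    if subject[:-1] != issuer:
        return False  # prefix differs: the case the report demonstrates
    return subject[-1][0] == "CN"  # the appended component must be a CN


def check_proxy_chain(subjects: List[str]) -> Tuple[bool, str]:
    """Walk subject DNs from the end-entity certificate to the last proxy,
    updating working_issuer_name at each step as RFC 3820 4.1.3 does.
    Returns (ok, reason) so a caller can log why a chain was rejected."""
    if len(subjects) < 2:
        return False, "need an end-entity subject and at least one proxy"
    working_issuer_name = subjects[0]
    for depth, subject in enumerate(subjects[1:], start=1):
        if not proxy_subject_ok(working_issuer_name, subject):
            return False, "proxy %d subject %r is not %r plus one CN" % (
                depth, subject, working_issuer_name)
        working_issuer_name = subject
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNs, taken from the report above.
    ee = "/DC=org/DC=example/CN=chad"
    print(check_proxy_chain([ee, "/DC=org/DC=example/CN=john/CN=foo"]))  # rejected
    print(check_proxy_chain([ee, "/DC=org/DC=example/CN=chad/CN=foo"]))  # accepted
```

With the report's DNs, the `/CN=john/CN=foo` proxy is rejected because its prefix `/DC=org/DC=example/CN=john` is not the end-entity subject, whereas `/DC=org/DC=example/CN=chad/CN=foo` passes; a verifier that applies this check before accepting a proxy cannot be handed a proxy that names another user.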