Thank you for the correction. Obviously the authorityCertIssuer must correspond to the authorityCertSerialNumber. Please close this ticket.
On 9/13/2012 4:40 AM, Erwann Abalea via RT wrote:
> Hello,
>
> The goal of this function is to determine if a given
> authorityKeyIdentifier extension matches an issuer certificate
> (issuer=authority).
>
> The AKI extension can contain 3 elements:
> - keyIdentifier
> - authorityCertIssuer
> - authorityCertSerialNumber
>
> (X.509 mandates that the last 2 MUST be present together, this
> constraint is not mentioned in RFC5280)
>
> The first element is to be compared with the issuer's
> subjectKeyIdentifier, if present.
>
> The 2nd and 3rd elements are to be compared with the issuer's issuerName
> and issuer's serialNumber, respectively.
> They are here to uniquely identify a certificate, and a certificate is
> uniquely identified by its issuer's name and its own serial number.
>
> Therefore the fix is incorrect. If you've got a certificate chain that
> doesn't validate the AKI with the last 2 elements, it surely means your
> certificates are improperly constructed.
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
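As an added illustration of the matching rules described in the quoted message (this is not code from the ticket or from OpenSSL): a simplified AKI-versus-issuer check over constructed certificate fields, showing that authorityCertIssuer and authorityCertSerialNumber are compared with the issuer certificate's own issuer name and serial number, not with its subject name. The `Cert` and `AuthorityKeyIdentifier` models are stand-ins, and the sample names and serials are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, simplified stand-ins for the certificate fields the AKI
# check touches. Names are plain strings instead of DER-encoded X.501 Names.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str           # name of the CA that signed THIS certificate
    serial: int
    ski: Optional[bytes]  # subjectKeyIdentifier, None if the extension is absent

@dataclass(frozen=True)
class AuthorityKeyIdentifier:
    key_identifier: Optional[bytes] = None
    authority_cert_issuer: Optional[str] = None
    authority_cert_serial_number: Optional[int] = None

def akid_matches_issuer(akid: AuthorityKeyIdentifier, issuer: Cert) -> Tuple[bool, str]:
    """Decide whether `akid` (from a subject certificate) designates `issuer`.
    keyIdentifier is compared with the issuer's subjectKeyIdentifier when both
    are present; authorityCertIssuer/authorityCertSerialNumber identify the issuer
    *certificate*, so they are compared with its own issuer name and serial."""
    has_issuer = akid.authority_cert_issuer is not None
    has_serial = akid.authority_cert_serial_number is not None
    if has_issuer != has_serial:  # X.509: the pair MUST be present together
        return False, "authorityCertIssuer and authorityCertSerialNumber must appear together"
    if (akid.key_identifier is not None and issuer.ski is not None
            and akid.key_identifier != issuer.ski):
        return False, "keyIdentifier does not match issuer's subjectKeyIdentifier"
    if has_issuer:
        if akid.authority_cert_issuer != issuer.issuer:
            return False, "authorityCertIssuer does not match the issuer certificate's issuer name"
        if akid.authority_cert_serial_number != issuer.serial:
            return False, "authorityCertSerialNumber does not match the issuer certificate's serial"
    return True, "ok"

# Constructed intermediate CA, signed by a root named "CN=Example Root".
INTERMEDIATE = Cert(subject="CN=Example Sub CA", issuer="CN=Example Root", serial=42, ski=b"\x02" * 20)

# Well-formed AKI in a leaf issued by INTERMEDIATE: it names the
# intermediate's issuer (the root) and the intermediate's serial number.
LEAF_AKID = AuthorityKeyIdentifier(b"\x02" * 20, "CN=Example Root", 42)
# Mis-constructed AKI that puts the issuer's *subject* into authorityCertIssuer,
# the kind of chain the thread says should be rejected rather than accommodated.
BAD_LEAF_AKID = AuthorityKeyIdentifier(b"\x02" * 20, "CN=Example Sub CA", 42)

if __name__ == "__main__":
    for name, akid in (("well-formed", LEAF_AKID), ("mis-constructed", BAD_LEAF_AKID)):
        print(name, akid_matches_issuer(akid, INTERMEDIATE))
```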