Thank you for the correction. Obviously the the authorityCertIssuer
must correspond to the authorityCertSerialNumber. Please close this ticket.
On 9/13/2012 4:40 AM, Erwann Abalea via RT wrote:
Bonjour,
The goal of this function is to determine if a given
authorityKeyIdentifier extension matches an issuer certificate
(issuer=authority).
The AKI extension can contain 3 elements:
- keyIdentifier
- authorityCertIssuer
- authorityCertSerialNumber
(X.509 mandates that the last 2 MUST be present together, this
constraint is not mentioned in RFC5280)
The first element is to be compared with the issuer's
subjectKeyIdentifier, is present.
The 2nd and 3rd element are to be compared with the issuer's issuerName
and issuer' serialNumber, respectively.
They are here to uniquely identify a certificate, and a certificate is
uniquely identified by its issuer's name and its own serial number.
Therefore the fix is incorrect. If you've got a certificate chain that
doesn't validate the AKI with the last 2 elements, it surely means your
certificates are improperly constructed.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
