I posted this test case for function X509_check_akid() on the openssl-users mailing list, but got no reaction, therefore I'm submitting it now as a defect for triaging.
Test case:

1) Certificate that has an Authority Key Identifier extension (save as file "testcert.pem"):

-----BEGIN CERTIFICATE-----
MIIBvzCCASigAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
IENBMB4XDTE0MDUwMjA5MDI1OFoXDTE0MDYwMTA5MDI1OFowFDESMBAGA1UEAwwJ
VGVzdCBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCwnv66JvZTVaf
Z3tqMo5od80yv9J0rxUMlAPXFiRM3P/JgDjW5NVIt2Ryaqwd7qZFN1f0HpcQAM5m
SJsQpi8ZxbfGB9BIt7SgRuKdj5ntDX1WJ84gl4C8R2t75B8d0WrJBJUYL2XCOEnu
S0RpfxvLZryH8Pr48Wp8NM6gONAjgQIDAQABoyMwITAfBgNVHSMEGDAWgBQLHOwh
WWaA9y49g7bt77DLa5/RKjANBgkqhkiG9w0BAQsFAAOBgQB7Md75mT3aHcR1vyf7
q8t5+x2JzbXxY3bSF1eRreaC65luDGwHrwd8e6vsYQGfOL35Q9lz+6eJRQWFsLkV
LoILyOEJlfJIN2hX7ZOphTsQ4xhgUanBtQBh7a3if4ywF6YMS8XgBwCxXcmrndGm
OZLjSWhsx6spsyLl56iduRWtzQ==
-----END CERTIFICATE-----

2) Test program that loads the certificate and invokes X509_check_akid() for the certificate with its own Authority Key Identifier (all error checks omitted for brevity):

------------ snip ---------------
/*
 * Test program for X509_check_akid()
 *
 * The program loads a certificate that has the
 * "X509v3 Authority Key Identifier" and invokes X509_check_akid()
 * with this authority key identifier and the certificate itself.
 */
#include <stdio.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>

int main(void)
{
    BIO *pem;
    const char *file = "testcert.pem";
    X509 *cert;
    int akid_check;

    /* Read the PEM-encoded certificate from the file. */
    pem = BIO_new(BIO_s_file());
    BIO_read_filename(pem, file);
    cert = PEM_read_bio_X509_AUX(pem, NULL, NULL, NULL);

    /* A purpose check with id -1 only forces the X509v3 extension
     * cache (including cert->akid) to be populated. */
    X509_check_purpose(cert, -1, -1);

    /* Ask whether the certificate matches its own AKID, i.e. whether
     * it would be accepted as its own issuer. */
    akid_check = X509_check_akid(cert, cert->akid);
    printf("X509_check_akid result %d '%s'\n", akid_check,
           X509_verify_cert_error_string(akid_check));

    X509_free(cert);
    BIO_free(pem);
    return 0;
}
------------------- snip ---------------

Actual result:

When compiled and executed with a current OpenSSL build from the OpenSSL_1_0_2-stable branch the program prints:

X509_check_akid result 0 'ok'

Expected result:

X509_check_akid() should return an error code because the certificate actually cannot be identified as its own issuer via the X509v3 Authority Key Identifier extension.

Background:

The test case scenario actually occurs in an application that uses X509_verify_cert() where certain checks are disabled through a callback function applied with X509_STORE_set_verify_cb(). A certificate is incorrectly identified as the CRL issuer certificate through this behavior.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
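Added example, not part of the report above and not OpenSSL code: a small pure-Python walk of the posted certificate that pulls out its serial number, Subject Key Identifier (if any) and the keyIdentifier inside its Authority Key Identifier, then runs the same "is this certificate its own issuer?" question through two comparison rules. The lenient rule skips the key id comparison whenever the candidate issuer has no SKID; it is written to reproduce the "ok" the report observes and is an assumption about the library's logic, not quoted from OpenSSL's source. The strict rule falls back to the RFC 5280 section 4.2.1.2 method-1 key id (SHA-1 over the subjectPublicKey bits) when the SKID is absent, which assumes the issuing CA derived its key ids that way. The DER walker handles only single-byte tags, which is all this certificate needs; the dictionary returned by parse_cert and the function names are this example's own.

```python
import base64
import hashlib

# The certificate from the bug report above (copied verbatim).
TEST_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBvzCCASigAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
IENBMB4XDTE0MDUwMjA5MDI1OFoXDTE0MDYwMTA5MDI1OFowFDESMBAGA1UEAwwJ
VGVzdCBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCwnv66JvZTVaf
Z3tqMo5od80yv9J0rxUMlAPXFiRM3P/JgDjW5NVIt2Ryaqwd7qZFN1f0HpcQAM5m
SJsQpi8ZxbfGB9BIt7SgRuKdj5ntDX1WJ84gl4C8R2t75B8d0WrJBJUYL2XCOEnu
S0RpfxvLZryH8Pr48Wp8NM6gONAjgQIDAQABoyMwITAfBgNVHSMEGDAWgBQLHOwh
WWaA9y49g7bt77DLa5/RKjANBgkqhkiG9w0BAQsFAAOBgQB7Md75mT3aHcR1vyf7
q8t5+x2JzbXxY3bSF1eRreaC65luDGwHrwd8e6vsYQGfOL35Q9lz+6eJRQWFsLkV
LoILyOEJlfJIN2hX7ZOphTsQ4xhgUanBtQBh7a3if4ywF6YMS8XgBwCxXcmrndGm
OZLjSWhsx6spsyLl56iduRWtzQ==
-----END CERTIFICATE-----"""

OID_SKID = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier


def der_from_pem(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def tlv(buf, pos):
    """Decode one DER TLV (single-byte tags only); return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        t, vs, ve = tlv(buf, pos)
        yield t, vs, ve
        pos = ve


def parse_cert(der):
    """Extract the fields an AKID check needs from a DER-encoded X.509 certificate."""
    _, cs, ce = tlv(der, 0)                        # Certificate
    _, ts, te = next(children(der, cs, ce))        # tbsCertificate
    fields = list(children(der, ts, te))
    i = 1 if fields[0][0] == 0xA0 else 0           # [0] EXPLICIT version is optional
    serial = int.from_bytes(der[fields[i][1]:fields[i][2]], "big", signed=True)
    # subjectPublicKeyInfo follows serial, signature, issuer, validity, subject;
    # its second child is the subjectPublicKey BIT STRING. RFC 5280 method 1 hashes
    # the BIT STRING value without the leading unused-bits octet.
    _, ss, se = fields[i + 5]
    _, bs, be = list(children(der, ss, se))[1]
    pubkey_sha1 = hashlib.sha1(der[bs + 1:be]).digest()
    skid = akid_keyid = None
    for tag, vs, ve in fields[i + 6:]:
        if tag != 0xA3:                             # [3] EXPLICIT extensions
            continue
        _, es, ee = next(children(der, vs, ve))
        for _, xs, xe in children(der, es, ee):
            parts = list(children(der, xs, xe))     # extnID, [critical], extnValue
            oid = der[parts[0][1]:parts[0][2]]
            _, os_, _ = parts[-1]                   # extnValue OCTET STRING
            if oid == OID_SKID:
                _, ks, ke = tlv(der, os_)           # KeyIdentifier OCTET STRING
                skid = der[ks:ke]
            elif oid == OID_AKID:
                _, as_, ae = tlv(der, os_)          # AuthorityKeyIdentifier SEQUENCE
                for t, ks, ke in children(der, as_, ae):
                    if t == 0x80:                   # [0] IMPLICIT keyIdentifier
                        akid_keyid = der[ks:ke]
    return {"serial": serial, "skid": skid, "akid_keyid": akid_keyid,
            "pubkey_sha1": pubkey_sha1}


def check_akid_lenient(issuer, akid_keyid):
    """Compare key ids only when the candidate issuer carries an SKID. A certificate
    without one is never rejected on key id grounds. Assumed model of the behaviour
    the report observes, not OpenSSL's code."""
    if akid_keyid is not None and issuer["skid"] is not None and issuer["skid"] != akid_keyid:
        return "akid/skid mismatch"
    return "ok"


def check_akid_strict(issuer, akid_keyid):
    """Without an SKID, fall back to the method-1 hash of the candidate's own public
    key instead of skipping the comparison (assumes the CA used method-1 key ids)."""
    if akid_keyid is None:
        return "ok"
    issuer_keyid = issuer["skid"] if issuer["skid"] is not None else issuer["pubkey_sha1"]
    return "ok" if issuer_keyid == akid_keyid else "akid/skid mismatch"


def run_report_scenario():
    """Pair the test certificate with its own AKID, as the report's C program does."""
    cert = parse_cert(der_from_pem(TEST_CERT_PEM))
    return (cert, check_akid_lenient(cert, cert["akid_keyid"]),
            check_akid_strict(cert, cert["akid_keyid"]))


if __name__ == "__main__":
    cert, lenient, strict = run_report_scenario()
    print("serial:", cert["serial"], "SKID:", cert["skid"],
          "AKID keyid:", cert["akid_keyid"].hex())
    print("lenient:", lenient, "| strict:", strict)
```

Running it shows why the report's program prints "ok": the test certificate carries an AKID but no SKID, so a rule that only compares key ids when both sides have one has nothing to compare and passes. The strict variant still has the candidate's public key to hash, and the hash does not match the AKID, so the certificate is (correctly) not accepted as its own issuer. The fallback is only sound when the issuing CA derives key ids with method 1; a CA using another scheme needs the SKID present on the issuer certificate for the comparison to be meaningful.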