On Thu, May 08, 2014, Viktor Dukhovni wrote:

> On Thu, May 08, 2014 at 09:48:43AM +0200, Stephan Mühlstrasser via RT wrote:
>
> > I posted this test case for function X509_check_akid() on the
> > openssl-users mailing list, but got no reaction, therefore I'm
> > submitting it now as a defect for triaging.
> >
> > Test case:
> >
> > 1) Certificate that has an Authority Key Identifier extension (save as
> > file "testcert.pem"):
>
> [ but no subject key id, so the authority key id should not match itself ]
>
Well, technically AKID should only be used as a hint (various PKIX list discussions have confirmed this). In that sense OpenSSL is already too strict: if AKID completely mismatches it will decide that the candidate certificate cannot be an issuer.

What it should do is check multiple candidate certificates and give preference (all things being equal) to a certificate with an AKID match over one that does not match AKID. It should not, however, completely exclude a certificate if AKID does not match.

That change for all cases is non-trivial however and would introduce binary compatibility issues if introduced in a stable branch. As such that patch might break *something*.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
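To make the two policies in the thread concrete, here is an added example (not OpenSSL code, and not part of the original messages) that models issuer selection in plain Python. `Cert` is a constructed stand-in for the X.509 fields that matter here (subject, issuer, serial, SKID, AKID); `find_issuer_strict` treats an AKID mismatch as disqualifying, as Steve describes the current behaviour, while `rank_issuers` keeps every name-matching candidate and merely orders AKID matches first. The AKID rule itself follows the expectation stated in the report: a certificate whose AKID names a key identifier must not match a candidate that carries no SKID, so it cannot be taken as its own issuer. The sample certificates, including the re-keyed intermediate with an unchanged name, are constructed for the example.

```python
"""Issuer selection with AKID as a hard filter versus as a hint.

Added example, not OpenSSL code: models in plain Python the two policies
discussed in the thread.  Cert fields are constructed stand-ins for the
real X.509 fields (subject, issuer, serial, SKID, AKID).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes] = None           # subjectKeyIdentifier
    akid_keyid: Optional[bytes] = None     # authorityKeyIdentifier.keyIdentifier
    akid_issuer: Optional[str] = None      # authorityKeyIdentifier.authorityCertIssuer
    akid_serial: Optional[int] = None      # authorityKeyIdentifier.authorityCertSerialNumber


def akid_matches(candidate: Cert, cert: Cert) -> bool:
    """Does `candidate` satisfy the AKID carried by `cert`?

    A cert without an AKID constrains nothing.  If the AKID names a keyid,
    the candidate must carry an equal SKID; a candidate with no SKID does
    not match (the expectation stated in the report: a cert with an AKID
    but no SKID must not be taken as its own issuer).  The issuer/serial
    form is compared against the candidate's own issuer name and serial.
    """
    if cert.akid_keyid is not None:
        if candidate.skid is None or candidate.skid != cert.akid_keyid:
            return False
    if cert.akid_serial is not None and candidate.serial != cert.akid_serial:
        return False
    if cert.akid_issuer is not None and candidate.issuer != cert.akid_issuer:
        return False
    return True


def name_matches(candidate: Cert, cert: Cert) -> bool:
    """The baseline chain check: cert.issuer must equal candidate.subject."""
    return candidate.subject == cert.issuer


def find_issuer_strict(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """AKID as a hard filter: a mismatch removes the candidate entirely,
    so a wrong or stale hint can leave no issuer at all."""
    for candidate in pool:
        if name_matches(candidate, cert) and akid_matches(candidate, cert):
            return candidate
    return None


def rank_issuers(cert: Cert, pool: List[Cert]) -> List[Tuple[Cert, bool]]:
    """AKID as a hint: every name-matching candidate stays eligible; those
    whose AKID matches are ordered first.  Returns (candidate, akid_ok)
    pairs in preference order; the sort is stable, so pool order breaks ties."""
    eligible = [(c, akid_matches(c, cert)) for c in pool if name_matches(c, cert)]
    return sorted(eligible, key=lambda pair: not pair[1])


def find_issuer_hint(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Best candidate under the hint policy, or None if no name matches."""
    ranked = rank_issuers(cert, pool)
    return ranked[0][0] if ranked else None


# --- constructed sample certificates (hypothetical, for the example) --------
ROOT = Cert("CN=Root", "CN=Root", 1, skid=b"\x01", akid_keyid=b"\x01")
INTER_OLD = Cert("CN=Inter", "CN=Root", 10, skid=b"\x02", akid_keyid=b"\x01")
INTER_NEW = Cert("CN=Inter", "CN=Root", 11, skid=b"\x03", akid_keyid=b"\x01")  # re-keyed CA, same name
LEAF = Cert("CN=leaf", "CN=Inter", 100, akid_keyid=b"\x02")
LEAF_STALE = Cert("CN=leaf2", "CN=Inter", 101, akid_keyid=b"\x09")           # AKID names no known key
SELF_NO_SKID = Cert("CN=Self", "CN=Self", 5, akid_keyid=b"\x05")             # AKID present, no SKID
POOL = [INTER_NEW, INTER_OLD, ROOT]

if __name__ == "__main__":
    for c in (LEAF, LEAF_STALE, SELF_NO_SKID):
        pool = POOL + [SELF_NO_SKID]
        print(c.subject, "strict:", find_issuer_strict(c, pool), "hint:", find_issuer_hint(c, pool))
```

With a correct AKID both policies pick the same intermediate; with a stale AKID the strict policy finds no issuer while the hint policy still returns a name-matching candidate (lower-ranked, so a caller can fall back to the next one if signature verification fails); and the AKID-but-no-SKID certificate is never accepted as its own issuer under the strict policy but remains a last-resort candidate under the hint policy.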
