I'm using a verify callback function set via
X509_STORE_set_verify_cb_func() to customize the behavior of
X509_verify_cert(). For example, errors related to the fact that no
complete chain to a trusted root can be built are ignored, in order to
still allow validation of other properties of signing certificates.
When we have only a signing certificate without a chain and a CRL in the
X509_STORE_CTX structure passed to X509_verify_cert(), this leads to the
situation that the signing certificate is assumed to be the signer of
the CRL in the store. The reason is the behavior of function
X509_check_akid() in source file crypto/x509v3/v3_purp.c:
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
If I understand it correctly, the purpose of function X509_check_akid()
is to test whether the "issuer" certificate matches the authority key
identifier "akid". If this is the case, the value X509_V_OK is returned,
otherwise an error code is returned.
What appears strange to me is that function X509_check_akid() only
returns an error code if it actually finds a mismatch in one of the
present attributes. If akid is a NULL pointer, or if none of the
comparisons is done because neither (akid->keyid && issuer->skid),
akid->serial nor akid->issuer is true, the function returns X509_V_OK.
Shouldn't it only return X509_V_OK if at least one of the three tests
"Check key ids (if present)", "Check serial number" and "Check issuer
name" actually was performed?
Stephan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
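To make the behaviour described in the post concrete, here is an added example (not OpenSSL's code) that models the matching rules of X509_check_akid() with plain C strings in place of the ASN.1 types, next to a hypothetical stricter variant that only reports X509_V_OK when at least one comparison was actually performed. The error code X509_V_ERR_NO_AKID_CHECK_PERFORMED and the sample identifiers are constructed for illustration; the two mismatch codes are OpenSSL's.

```c
#include <stdio.h>
#include <string.h>

/* Result codes: the two mismatch values are OpenSSL's, the last one is
 * a hypothetical code introduced only for this example. */
#define X509_V_OK 0
#define X509_V_ERR_AKID_SKID_MISMATCH 30
#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
#define X509_V_ERR_NO_AKID_CHECK_PERFORMED 999

/* Simplified candidate issuer certificate and AuthorityKeyIdentifier.
 * NULL means "field absent", as with the optional ASN.1 members. */
typedef struct { const char *skid; const char *serial; const char *issuer_name; } issuer_t;
typedef struct { const char *keyid; const char *serial; const char *issuer; } akid_t;

/* Lenient logic as the post describes it: a mismatch in a present field
 * is an error, but absent fields are skipped and NULL akid is accepted. */
int check_akid_lenient(const issuer_t *issuer, const akid_t *akid) {
    if (akid == NULL) return X509_V_OK;
    if (akid->keyid && issuer->skid && strcmp(akid->keyid, issuer->skid) != 0)
        return X509_V_ERR_AKID_SKID_MISMATCH;
    if (akid->serial && strcmp(akid->serial, issuer->serial) != 0)
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
    /* authorityCertIssuer names the issuer's own issuer, not its subject */
    if (akid->issuer && strcmp(akid->issuer, issuer->issuer_name) != 0)
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
    return X509_V_OK;
}

/* Stricter variant the post asks about: same comparisons, but "no test
 * could be run" is reported as an error instead of as a match. */
int check_akid_strict(const issuer_t *issuer, const akid_t *akid) {
    int checked = 0;
    if (akid == NULL) return X509_V_ERR_NO_AKID_CHECK_PERFORMED;
    if (akid->keyid && issuer->skid) {
        checked = 1;
        if (strcmp(akid->keyid, issuer->skid) != 0) return X509_V_ERR_AKID_SKID_MISMATCH;
    }
    if (akid->serial) {
        checked = 1;
        if (strcmp(akid->serial, issuer->serial) != 0) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
    }
    if (akid->issuer) {
        checked = 1;
        if (strcmp(akid->issuer, issuer->issuer_name) != 0) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
    }
    return checked ? X509_V_OK : X509_V_ERR_NO_AKID_CHECK_PERFORMED;
}

/* Constructed scenario from the post: a lone signing certificate without
 * an SKID, and a CRL whose AKID carries only a key identifier. */
static const issuer_t lone_signer = { NULL, "1234", "CN=Constructed Root" };
static const akid_t crl_keyid_only = { "a1b2c3", NULL, NULL };
```

With these inputs check_akid_lenient() returns X509_V_OK although nothing was compared, so the lone signer is taken as the CRL issuer, while check_akid_strict() rejects it.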