Hello,

I am doing some interop testing with a toolkit that performs PKIX
certificate verification and it is having a problem validating a chain I
built with OpenSSL. What appears to be happening is that when 'ca' copies
in the authority key information into the client certificate, it is pulling
in the CA subject from my root CA instead of my intermediate CA (marked
*wrong* below).

If you look at the following chain (leaf->intermediate->root CA), you will
notice the subject key/authority keys are correct. The authority serial
numbers are correct. But, the leaf certificate has the rootCA's subject DN.
It should be the intermediate CA's subject DN.

Certchain entry: 0
certsubject cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c =US
serial# = 59
i = cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

** ski = 40:AE1:37:02:036:BE:BB2:E3:31:CD:5A3:E4:43:FE:BF:BB
** aki = KeyIdentifier:
13:0EE:A8:99:B4:716:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
AuthorityCertIssuer: directoryName: cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
***wrong*, the issuer is seclab server ca, not root!!***
AuthorityCertSerialNumber: 1


Certchain entry: 1
certsubject cn=seclab server
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
serial# = 1
i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

** ski = 13:0EE:A8:99:B4:716:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
** aki = KeyIdentifier:
2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:666:4C:E3:93:AB:7A
AuthorityCertIssuer: directoryName: cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
AuthorityCertSerialNumber: 99dd8a982ee608fe


Certchain entry: 2
certsubject cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
serial# = 11087170243882518782
i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

** ski = 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:666:4C:E3:93:AB:7A
** aki = KeyIdentifier:
2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:666:4C:E3:93:AB:7A
AuthorityCertIssuer: directoryName: cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
AuthorityCertSerialNumber: 99dd8a982ee608fe


I believe the problem is in the v3_akey.c module. You are copying the
subject name of the issuer's issuer, not the issuer itself. This has no
impact with a single layer hierarchy but breaks when you have an
intermediate CA.

if((issuer && !ikeyid) || (issuer == 2))
{
    /* this should be X509_get_subject_name */
    isname = X509_NAME_dup(X509_get_issuer_name(cert));
    serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));


-- Tim
tbond@webmethods.com

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
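The chain above, rebuilt with python-cryptography as an added example (not code from the post or from OpenSSL; it assumes the `cryptography` package is installed and uses freshly generated EC keys with the post's DNs and serials as constructed sample data). It fills in the AuthorityKeyIdentifier as RFC 5280 section 4.2.1.1 defines it, where authorityCertIssuer and authorityCertSerialNumber together identify the issuing CA's own certificate, that is, the DN of the CA that issued it plus that certificate's serial number; under that definition a leaf issued by the intermediate carries the root's DN and the intermediate's serial (1) in its AKI, the same combination seen in certchain entry 0, and check_aki() verifies each link of the chain against it.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def _ext(cert, cls):  # value of the extension of the given class
    return cert.extensions.get_extension_for_class(cls).value

def issue(subject_cn, serial, issuer_key=None, issuer_cert=None):  # issuer_cert=None: self-signed root
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn))
         .issuer_name(issuer_cert.subject if issuer_cert else _name(subject_cn))
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(now).not_valid_after(now + timedelta(days=1))
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False))
    if issuer_cert is not None:
        # RFC 5280 4.2.1.1: keyIdentifier is the issuer's SKI; authorityCertIssuer and
        # authorityCertSerialNumber identify the issuer's *own* certificate (its issuer DN + serial).
        b = b.add_extension(x509.AuthorityKeyIdentifier(
            key_identifier=_ext(issuer_cert, x509.SubjectKeyIdentifier).digest,
            authority_cert_issuer=[x509.DirectoryName(issuer_cert.issuer)],
            authority_cert_serial_number=issuer_cert.serial_number), critical=False)
    return key, b.sign(issuer_key or key, hashes.SHA256())

def check_aki(cert, issuer_cert):  # AKI mismatches between cert and its claimed issuer; [] means OK
    problems = []
    aki = _ext(cert, x509.AuthorityKeyIdentifier)
    if aki.key_identifier != _ext(issuer_cert, x509.SubjectKeyIdentifier).digest:
        problems.append("keyIdentifier does not match issuer's SKI")
    if aki.authority_cert_issuer is not None:
        dns = [g.value for g in aki.authority_cert_issuer if isinstance(g, x509.DirectoryName)]
        if issuer_cert.issuer not in dns:
            problems.append("authorityCertIssuer is not the issuer's own issuer DN")
        if aki.authority_cert_serial_number != issuer_cert.serial_number:
            problems.append("authorityCertSerialNumber is not the issuer's serial")
    return problems

def aki_issuer_dn(cert):  # DN string named in cert's authorityCertIssuer
    return _ext(cert, x509.AuthorityKeyIdentifier).authority_cert_issuer[0].value.rfc4514_string()

def build_chain():  # constructed chain: DNs and serials mirror the post, keys are fresh
    root_key, root = issue("seclab root CA", 0x99dd8a982ee608fe)
    inter_key, inter = issue("seclab server CA", 1, root_key, root)
    _, leaf = issue("mirage", 59, inter_key, inter)
    return leaf, inter, root
```

Checking a leaf against the wrong CA (for instance the root instead of the intermediate) makes check_aki() report a keyIdentifier and serial mismatch, which is the kind of inconsistency a path validator rejects.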