Not sure why this bug was closed. Is more information needed? This is a
real bug in the akey module.

-- Tim



-----Original Message-----
From: rt-i12@MailServ.TU-Cottbus.De [mailto:rt-i12@MailServ.TU-Cottbus.De]
On Behalf Of OpenSSL-Bugs
Sent: Friday, February 10, 2006 5:39 PM
To: tim.bond@webmethods.com
Subject: [openssl.org #1282] AutoReply: error setting AuthorityKeyIdentifier



Greetings,
This message has been automatically generated in response to the
creation of a trouble ticket regarding:
"error setting AuthorityKeyIdentifier",
a summary of which appears below.

There is no need to reply to this message right now. Your ticket has been
assigned an ID of [openssl.org #1282].

Please include the string:

[openssl.org #1282]

in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.

Also, please note that all attachments to your message have been stored in
the database, but are not included in any outgoing mail.

Thank you,


-------------------------------------------------------------------------
Hello,

I am doing some interop testing with a toolkit that performs PKIX
certificate verification and it is having a problem validating a chain I
built with OpenSSL. What appears to be happening is that when 'ca' copies
the authority key information into the client certificate, it is pulling
in the CA subject from my root CA instead of my intermediate CA (marked
*wrong* below).

If you look at the following chain (leaf->intermediate->root CA), you will
notice the subject key/authority keys are correct. The authority serial
numbers are correct. But, the leaf certificate has the rootCA's subject DN.
It should be the intermediate CA's subject DN.

Certchain entry: 0
certsubject cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c =US
serial# = 59
i = cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

** ski = 40:AE1:37:02:036:BE:BB2:E3:31:CD:5A3:E4:43:FE:BF:BB
** aki = KeyIdentifier:
13:0EE:A8:99:B4:716:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
AuthorityCertIssuer: directoryName: cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
***wrong*, the issuer is seclab server ca, not root!!***
AuthorityCertSerialNumber: 1


Certchain entry: 1
certsubject cn=seclab server
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
serial# = 1
i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

** ski = 13:0EE:A8:99:B4:716:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
** aki = KeyIdentifier:
2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:666:4C:E3:93:AB:7A
AuthorityCertIssuer: directoryName: cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
AuthorityCertSerialNumber: 99dd8a982ee608fe


Certchain entry: 2
certsubject cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
serial# = 11087170243882518782
i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

** ski = 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:666:4C:E3:93:AB:7A
** aki = KeyIdentifier:
2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:666:4C:E3:93:AB:7A
AuthorityCertIssuer: directoryName: cn=seclab root
CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
AuthorityCertSerialNumber: 99dd8a982ee608fe


I believe the problem is in the v3_akey.c module. You are copying the
subject name of the issuer's issuer, not the issuer itself. This has no
impact with a single layer hierarchy but breaks when you have an
intermediate CA.

if((issuer && !ikeyid) || (issuer == 2))
    {
    /* cert here is the issuer certificate (ctx->issuer_cert) */
    /* this should be X509_get_subject_name */
    isname = X509_NAME_dup(X509_get_issuer_name(cert));
    serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));


-- Tim
tbond@webmethods.com
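The following is an added example (my own code, not code from the post or from OpenSSL) showing how a path builder that applies RFC 5280 section 4.2.1.1 picks an issuer from the AuthorityKeyIdentifier fields: authorityCertIssuer and authorityCertSerialNumber together name the CA's own certificate, so a validator compares them with the candidate CA certificate's issuer DN and serial number, alongside the keyIdentifier/SKI and issuer-DN/subject-DN checks. The three chain entries from the dump above are transcribed as constructed records (the key identifiers are replaced by placeholder strings), and a second, constructed leaf record whose authorityCertIssuer holds the intermediate's subject DN shows what such a checker reports for that layout.

```python
"""Issuer selection driven by the AuthorityKeyIdentifier (AKI) extension.

Sample records are constructed from the chain dump in the post (subject,
issuer, serial, and AKI fields); key identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AKI:
    """AuthorityKeyIdentifier fields (RFC 5280 section 4.2.1.1)."""
    key_id: str                        # keyIdentifier
    cert_issuer: Optional[str] = None  # authorityCertIssuer (directoryName)
    cert_serial: Optional[int] = None  # authorityCertSerialNumber


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: str      # SubjectKeyIdentifier (placeholder string here)
    aki: AKI


ROOT_DN = "cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US"
INTER_DN = "cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US"
LEAF_DN = "cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c=US"

# Constructed records transcribed from the dump; "ski-*" values are placeholders.
ROOT = Cert(ROOT_DN, ROOT_DN, 0x99DD8A982EE608FE, "ski-root",
            AKI("ski-root", ROOT_DN, 0x99DD8A982EE608FE))
INTER = Cert(INTER_DN, ROOT_DN, 1, "ski-inter",
             AKI("ski-root", ROOT_DN, 0x99DD8A982EE608FE))
LEAF = Cert(LEAF_DN, INTER_DN, 59, "ski-leaf",
            AKI("ski-inter", ROOT_DN, 1))   # (issuer, serial) of INTER's own cert
# Constructed variant: authorityCertIssuer set to the intermediate's subject DN.
LEAF_SUBJECT_VARIANT = Cert(LEAF_DN, INTER_DN, 59, "ski-leaf",
                            AKI("ski-inter", INTER_DN, 1))


def aki_mismatches(cert: Cert, candidate: Cert) -> List[str]:
    """Reasons why `candidate` cannot be the issuer of `cert` (empty == match)."""
    problems = []
    if cert.issuer != candidate.subject:
        problems.append("issuer DN != candidate subject DN")
    if cert.aki.key_id != candidate.ski:
        problems.append("AKI keyIdentifier != candidate SKI")
    # authorityCertIssuer/authorityCertSerialNumber identify the CA *certificate*,
    # i.e. the candidate's own issuer DN and serial, not the candidate's subject.
    if cert.aki.cert_issuer is not None and cert.aki.cert_issuer != candidate.issuer:
        problems.append("AKI authorityCertIssuer != candidate's issuer DN")
    if cert.aki.cert_serial is not None and cert.aki.cert_serial != candidate.serial:
        problems.append("AKI authorityCertSerialNumber != candidate serial")
    return problems


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in `pool` that passes every AKI/name check."""
    for candidate in pool:
        if not aki_mismatches(cert, candidate):
            return candidate
    return None


def build_path(leaf: Cert, pool: List[Cert]) -> Tuple[List[str], Optional[str]]:
    """Walk from `leaf` up to a self-signed root; return (subject DNs, error)."""
    path = [leaf]
    current = leaf
    while current.subject != current.issuer:
        nxt = find_issuer(current, pool)
        if nxt is None:
            return [c.subject for c in path], f"no issuer found for {current.subject}"
        if nxt in path:
            return [c.subject for c in path], "loop in chain"
        path.append(nxt)
        current = nxt
    return [c.subject for c in path], None


if __name__ == "__main__":
    for name, leaf in (("leaf", LEAF), ("subject-DN variant", LEAF_SUBJECT_VARIANT)):
        subjects, err = build_path(leaf, [ROOT, INTER])
        print(name, "->", " -> ".join(subjects), "| error:", err)
        print("  checks against intermediate:", aki_mismatches(leaf, INTER) or "match")
```

Running the block chains the transcribed leaf through the intermediate to the root, while the variant stops at the leaf with the authorityCertIssuer mismatch reported; dropping the two `cert_*` checks reduces the selector to name chaining plus keyIdentifier, which is the looser matching many validators fall back to when those optional fields are absent.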

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org