This is a bug report for OpenSSL version 0.9.8e. The top level summary is that misconfigured certificates with a bogus Issuer field are processed as if the field was valid.

The Issuer should have an attribute of commonName (OID 2.5.4.3) and a value of some kind of string (e.g. T61String). If instead it has a bogus attribute, such as the obsolete OID 2.5.4.2, the command openssl x509 -in badcert.pem -inform PEM -noout -text should report that the certificate has no issuer. Instead it reports an issuer containing the literal string "2.5.4.2" followed by the string value of this OID. This seems like a clear violation of RFC3280 to me. I've attached a bogus certificate badcert.pem that exhibits this behavior. The output of the command

openssl asn1parse -in badcert.pem -inform PEM

contains the following:

   38:d=5  hl=2 l=   3 prim: OBJECT            :2.5.4.2
   43:d=5  hl=2 l=  49 prim: T61STRINGemo APNIC via RIPE Production CA, E=ca@apnic.net

The output of the command

openssl x509 -in badcert.pem -inform PEM -noout -text

contains the following:

        Issuer: 2.5.4.2=Demo APNIC via RIPE Production CA, E=ca@apnic.net

The output of "make report" on the system in question is:

OpenSSL self-test report:

OpenSSL version: 0.9.8e

Last change: Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sur...

Options: -march=pentium no-camellia no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-zlib no-zlib-dynamic

OS (uname): Linux newpki.bbn.com 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux

OS (config): i686-whatever-linux2

Target (default): linux-elf

Target: linux-elf

Compiler: Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux

Thread model: posix

gcc version 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)



Mark Reynolds
BBN Technologies



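As an added example, not the reporter's code and not OpenSSL's, here is a small Python checker that walks a DER-encoded X.509 Name and flags attribute types that RFC 3280 section 4.1.2.4 does not list, so a Name carrying the obsolete 2.5.4.2 type is reported as bogus instead of being rendered as a valid issuer component. The constructed sample Name, the function names and the attribute table are assumptions of this example, not taken from the report or its attachment.

```python
# Added example (not from the bug report or OpenSSL): parse a DER X.509 Name and
# flag attribute types RFC 3280 sec. 4.1.2.4 does not list, e.g. obsolete 2.5.4.2.
RFC3280_ATTRS = {"2.5.4." + n: name for n, name in (  # MUST/SHOULD-support types
    ("3", "commonName"), ("4", "surname"), ("5", "serialNumber"), ("6", "countryName"),
    ("7", "localityName"), ("8", "stateOrProvinceName"), ("10", "organizationName"),
    ("11", "organizationalUnitName"), ("12", "title"), ("42", "givenName"),
    ("43", "initials"), ("44", "generationQualifier"), ("46", "dnQualifier"),
    ("65", "pseudonym"))}

def _tlv(buf, pos):
    # One DER TLV at pos -> (tag, content, position after it); handles long-form length
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):
    # OID content octets -> dotted string (first octet packs two arcs, rest are base-128)
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name_attributes(der):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value ANY }
    tag, rdns, _ = _tlv(der, 0)
    if tag != 0x30: raise ValueError("Name must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = _tlv(rdns, pos)
        if tag != 0x31: raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _tlv(rdn, p)
            _, oid_bytes, q = _tlv(atv, 0)
            _, value, _ = _tlv(atv, q)
            oid = _oid(oid_bytes)
            found.append((oid, RFC3280_ATTRS.get(oid), value.decode("latin-1")))
    return found

def bogus_attributes(der):  # non-empty result means a strict checker rejects the Name
    return [oid for oid, name, _ in name_attributes(der) if name is None]
# Constructed sample DER Name mirroring the report: one RDN carrying obsolete 2.5.4.2 as
# a T61String (tag 0x14), then a commonName (2.5.4.3) RDN as a PrintableString (0x13).
SAMPLE_NAME = (bytes.fromhex("3026" "3110 300e 0603550402 1407") + b"Demo CA"
               + bytes.fromhex("3112 3010 0603550403 1309") + b"Demo Root")
```

Running bogus_attributes on the Issuer DER of a certificate like the attached one returns the offending OID list, which is the signal a strict validator would act on rather than printing the dotted OID as though it were a name component.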
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org