[gnutls-dev] [PATCH] Authority key ID bug in certtool

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[gnutls-dev] [PATCH] Authority key ID bug in certtool

From:	Dale Sedivec
Subject:	[gnutls-dev] [PATCH] Authority key ID bug in certtool
Date:	Sun, 17 Dec 2006 12:15:43 -0500
User-agent:	Mutt/1.4.2.1i

Greetings,

        When certtool is signing a certificate, it calculates the CA
key's ID and uses that to fill in the X.509 v3 authority key ID
extension.  This results in certtool generating invalid certificates
when the CA certificate has a different subject key ID than the one
that certtool calculated for the CA key (i.e., this happens when
something other than certtool was used to make the CA certificate,
such as OpenSSL).

        To reproduce with OpenSSL:

openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt
# Answer the resulting questions any way you would like.
certtool --generate-privkey > user.key
certtool --generate-certificate --load-privkey user.key \
         --load-ca-certificate ca.crt --load-ca-privkey ca.key > user.crt
# Answer more questions.
openssl verify -issuer_checks -CAfile ca.crt user.crt

        "openssl verify" should bomb with some errors, the significant
ones being:

error 30 at 0 depth lookup:authority and subject key identifier mismatch
error 20 at 0 depth lookup:unable to get local issuer certificate

        When "openssl verify" succeeds, the last line should say
simply "OK".  certtool seems not to check/care about the
subject/authority key ID mismatch:

$ cat user.crt ca.crt | certtool --verify-chain
Certificate[0]:
        Issued by: C=GB,ST=Berkshire,L=Newbury,O=My Company Ltd
        Verifying against certificate[1].
        Verification output: Verified.

Certificate[1]: C=GB,ST=Berkshire,L=Newbury,O=My Company Ltd
        Issued by: C=GB,ST=Berkshire,L=Newbury,O=My Company Ltd
        Verification output: Verified.
$

        I've included a patch I made against GNU TLS 1.2.11 to use the
CA's subject key ID when filling in a new certificate's authority key
ID.  When applied here certtool generates certificates that pass
"openssl verify."

Dale


--- src/certtool.c.orig 2006-12-16 18:22:04.000000000 -0500
+++ src/certtool.c      2006-12-16 18:58:19.000000000 -0500
@@ -524,7 +524,12 @@
      */
     if (ca_crt != NULL) {
        size = sizeof(buffer);
-       result = gnutls_x509_crt_get_key_id(ca_crt, 0, buffer, &size);
+       result = gnutls_x509_crt_get_subject_key_id(ca_crt, buffer, &size, 
NULL);
+       if (result < 0) {
+               fprintf(stderr,
+                       "generate_certificate: can't read CA subject key ID\n");
+               exit(1);
+       }
        if (result >= 0) {
            result =
                gnutls_x509_crt_set_authority_key_id(crt, buffer, size);

[Prev in Thread]

Current Thread

[Next in Thread]

[gnutls-dev] [PATCH] Authority key ID bug in certtool, Dale Sedivec <=
- Re: [gnutls-dev] [PATCH] Authority key ID bug in certtool, Dale Sedivec, 2006/12/17

Prev by Date: [gnutls-dev] [PATCH] Detect GAA and fix out-of-source-tree builds
Next by Date: Re: [gnutls-dev] [PATCH] Authority key ID bug in certtool
Previous by thread: [gnutls-dev] [PATCH] Detect GAA and fix out-of-source-tree builds
Next by thread: Re: [gnutls-dev] [PATCH] Authority key ID bug in certtool
Index(es):
- Date
- Thread