On Mon, Apr 6, 2015 at 2:42 PM, Yuting Chen wrote:
> As in Jeffrey Walton's comment, the standard is
> very malleable, making cert path validation a
> little unpredictable.
>
Generally speaking, RFC 6125 is used to validate a PKIX certificate.
Unfortunately, the RFC does not mention AKIs and SKIs. As
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Not sure about how to completely solve the problem. When the
function
X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
is called, crit is not actually used
(e.g., in v3_purp.c, line 462):
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
If the value o
I completely agree with Jeffrey's comments:
"Applications are not required to verify that
key identifiers match when performing
certification path validation." (RFC 5280)
But when the certificate has two authority
key ids, OpenSSL may take it as a certificate
having no authority key ids (I think the
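The certificate described in this thread (two instances each of Basic Constraints, Subject Key Identifier and Authority Key Identifier) is one RFC 5280 forbids outright: section 4.2 says a certificate MUST NOT include more than one instance of a particular extension. Since a lookup that passes NULL for crit returns NULL for both an absent and a duplicated extension, a caller cannot tell the two cases apart, so it is worth checking the DER structure separately. The following is an added example, not code from the thread or from OpenSSL: a dependency-free Python check that walks the certificate's DER, finds the [3] EXPLICIT Extensions field of TBSCertificate and reports every extnID that occurs more than once. The sample certificates are constructed inline with a small DER encoder (empty issuer and subject Names, a placeholder SubjectPublicKeyInfo and signature, since only the structure matters here); the function names build_cert, extension_oids and duplicate_extensions are the example's own.

```python
"""Flag X.509 certificates that carry the same extension more than once.
Added example (not from the thread or from OpenSSL): a DER-level check that
does not depend on how a library's extension lookup treats duplicates."""
from collections import Counter

# --- minimal DER encoder, used only to build the constructed samples below ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(enc))
    return tlv(0x06, bytes(out))

def extension(dotted, value_der, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return seq(oid(dotted), crit, tlv(0x04, value_der))   # extnValue OCTET STRING

def build_cert(exts):
    """Constructed v3 certificate: empty Names, stub SPKI and signature."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                                 # [0] version v3
        tlv(0x02, b"\x01"),                                            # serialNumber
        seq(oid("1.2.840.113549.1.1.11")),                             # signature AlgorithmIdentifier
        seq(),                                                         # issuer (empty Name)
        seq(tlv(0x17, b"150401000000Z"), tlv(0x17, b"160401000000Z")), # validity
        seq(),                                                         # subject (empty Name)
        seq(seq(oid("1.2.840.113549.1.1.1")), tlv(0x03, b"\x00")),     # SPKI stub
        tlv(0xA3, seq(*exts)),                                         # [3] EXPLICIT Extensions
    )
    return seq(tbs, seq(oid("1.2.840.113549.1.1.11")), tlv(0x03, b"\x00"))

# --- minimal DER decoder ---
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                   # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der):
    """extnID of every extension in the certificate, in order of appearance."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]      # TBSCertificate content
    for tag, body in children(tbs):
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            return [decode_oid(children(ext)[0][1])
                    for _, ext in children(read_tlv(body, 0)[1])]
    return []

def duplicate_extensions(cert_der):
    """OIDs appearing more than once; RFC 5280 section 4.2 allows none."""
    return sorted(o for o, n in Counter(extension_oids(cert_der)).items() if n > 1)

# --- constructed samples: the three extensions from the thread, once and twice ---
BASIC, SKI, AKI = "2.5.29.19", "2.5.29.14", "2.5.29.35"
KEYID = bytes(range(20))
ONCE = [
    extension(BASIC, seq(tlv(0x01, b"\xff")), critical=True),  # cA TRUE
    extension(SKI, tlv(0x04, KEYID)),                          # keyIdentifier
    extension(AKI, seq(tlv(0x80, KEYID))),                     # [0] keyIdentifier
]
CLEAN_CERT = build_cert(ONCE)
DUP_CERT = build_cert(ONCE + ONCE)
```

duplicate_extensions(CLEAN_CERT) returns an empty list, while duplicate_extensions(DUP_CERT) returns ['2.5.29.14', '2.5.29.19', '2.5.29.35'], the SKI, Basic Constraints and AKI OIDs; rejecting a certificate on a non-empty result keeps a lookup that silently collapses duplicates into "absent" from ever seeing it. To run it against a real DER file, read the bytes and pass them to duplicate_extensions; the decoder handles long-form lengths, which real certificates need.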
I read a little of the OpenSSL code and found that in
the function
X509_check_issued(X509 *issuer, X509 *subject),
the statement
x509v3_cache_extensions(subject);
is called four times, but one certificate did not
get the subject key id (as the block of if (subject->akid) is
executed three times). S
On Sun, Apr 5, 2015 at 5:26 PM, Yuting Chen wrote:
> I checked some other certificates, and found that some non-self-signed
> certificates having duplicate extension instances can be verified by
> openssl. I guess openssl is quite gentle when validating these malformed
> certificates.
Well, I don
On Sun, Apr 5, 2015 at 1:55 PM, Yuting Chen wrote:
> Hi, when I verif
Hi, when I verify an X.509 cert against a CA certificate, I found that the
cert can pass validation even if it has two instances of X509v3 Basic
Constraints, X509v3 Subject Key ids, and authority key ids. Seems that some
issues are not important in verification. (I guess one reason is that one
subje