OpenSSL 111: authorityKeyIdentifier

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenSSL 111: authorityKeyIdentifier

Dirk Menstermann
Hi,

I’m using OpenSSL 1.1.1 to issue a certificate and include the AKI by defining

authorityKeyIdentifier = keyid,issuer:always


The issued certificate contains the AKI afterwards with 3 values:

KeyID: issuer's key id

Serial: issuer's serial

Issuer: the issuer’s issuer, not the issuer’s subject!



My expectation (maybe wrong) is that the serial and the issuer name belong to
the same X509 certificate that the key id belongs to.


The code is pretty clear:


static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                            X509V3_CTX *ctx,
                                            STACK_OF(CONF_VALUE) *values)

{
        cert = ctx->issuer_cert;
        // Code left out

  if ((issuer && !ikeyid) || (issuer == 2)) {
                isname = X509_NAME_dup(X509_get_issuer_name(cert));
                serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
                if (!isname || !serial) {
                    X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
                      X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
           goto err;

        }
          }
}

Is this a bug or is my expectation wrong? Is there documented that these 3
values do not need to belong together?


Thanks
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 111: authorityKeyIdentifier

Viktor Dukhovni
> On Mar 24, 2020, at 11:12 AM, Dirk Menstermann <[hidden email]> wrote:
>
> My expectation (maybe wrong) is that the serial and the issuer name belong to
> the same X509 certificate that the key id belongs to.

Your expectation is "wrong".  The issuer DN in the AKID is in fact
supposed to be the issuer's issuer.  It would be redundant to
encode the issuer DN there, it is already present in the EE
certificate.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 111: authorityKeyIdentifier

Dirk Menstermann
Thank you Victor. Can you point me to the rfc that defines this?

Best

Am 25.03.2020 um 15:32 schrieb Viktor Dukhovni <[hidden email]>:

>
> 
>>
>> On Mar 24, 2020, at 11:12 AM, Dirk Menstermann <[hidden email]> wrote:
>>
>> My expectation (maybe wrong) is that the serial and the issuer name belong to
>> the same X509 certificate that the key id belongs to.
>
> Your expectation is "wrong".  The issuer DN in the AKID is in fact
> supposed to be the issuer's issuer.  It would be redundant to
> encode the issuer DN there, it is already present in the EE
> certificate.
>
> --
>    Viktor.
>

Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 111: authorityKeyIdentifier

Viktor Dukhovni
On Wed, Mar 25, 2020 at 05:47:01PM +0100, Dirk wrote:

> >> My expectation (maybe wrong) is that the serial and the issuer name belong to
> >> the same X509 certificate that the key id belongs to.
> >
> > Your expectation is "wrong".  The issuer DN in the AKID is in fact
> > supposed to be the issuer's issuer.  It would be redundant to
> > encode the issuer DN there, it is already present in the EE
> > certificate.
>
> Thank you Victor. Can you point me to the rfc that defines this?

You could just save time and take my word for it, based on the logical
argument that the issuer public key is identified by the serial number
and DN of the CA that signed its certificate (the combination required
to be unique) and that repeating the EE issuer DN would be redundant.
The text in RFC 5280 is not terribly clear, but is basically a brief
restatement of X.509.

If you really want to puzzle over more text see (page 24, physical page
34 of):

    http://handle.itu.int/11.1002/1000/9590-en?locatt=format:pdf

    8.2.2.1 Authority key identifier extension

    This field, which may be used as either a certificate extension or
    CRL extension, identifies the public key to be used to verify the
    signature on this certificate or CRL. It enables distinct keys used
    by the same CA to be distinguished (e.g., as key updating occurs).
    This field is defined as follows:

    authorityKeyIdentifier EXTENSION ::= {
        SYNTAX AuthorityKeyIdentifier IDENTIFIED BY id-ce-authorityKeyIdentifier
    }

    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] KeyIdentifier OPTIONAL
        authorityCertIssuer       [1] GeneralNames  OPTIONAL
        authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
        ( WITH COMPONENTS {..., authorityCertIssuer PRESENT, authorityCertSerialNumber PRESENT} |
          WITH COMPONENTS {..., authorityCertIssuer ABSENT, authorityCertSerialNumber ABSENT} )

    KeyIdentifier ::= OCTET STRING

    The key may be identified by an explicit key identifier in the
    keyIdentifier component, by identification of a certificate for the
    key (giving certificate issuer in the authorityCertIssuer component
    and certificate serial number in the authorityCertSerialNumber
    component), or by both explicit key identifier and identification of
    a certificate for the key. If both forms of identification are used
    then the certificate or CRL issuer shall ensure they are consistent.
    A key identifier shall be unique with respect to all key identifiers
    for the issuing authority for the certificate or CRL containing the
    extension. An implementation which supports this extension is not
    required to be able to process all name forms in the
    authorityCertIssuer component. (See 8.3.2.1 for details of the
    GeneralNames type.)

    Certification authorities shall assign certificate serial numbers
    such that every (issuer, certificate serial number) pair uniquely
    identifies a single certificate. The keyIdentifier form can be used
    to select CA certificates during path construction. The
    authorityCertIssuer, authoritySerialNumber pair can only be used to
    provide preference to one certificate over others during path
    construction.

    This extension is always non-critical.

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 111: authorityKeyIdentifier

Dirk Menstermann
Makes perfectly sense. Thank you.

> Am 25.03.2020 um 18:49 schrieb Viktor Dukhovni <[hidden email]>:
>
> On Wed, Mar 25, 2020 at 05:47:01PM +0100, Dirk wrote:
>
>>>> My expectation (maybe wrong) is that the serial and the issuer name belong to
>>>> the same X509 certificate that the key id belongs to.
>>>
>>> Your expectation is "wrong".  The issuer DN in the AKID is in fact
>>> supposed to be the issuer's issuer.  It would be redundant to
>>> encode the issuer DN there, it is already present in the EE
>>> certificate.
>>
>> Thank you Victor. Can you point me to the rfc that defines this?
>
> You could just save time and take my word for it, based on the logical
> argument that the issuer public key is identified by the serial number
> and DN of the CA that signed its certificate (the combination required
> to be unique) and that repeating the EE issuer DN would be redundant.
> The text in RFC 5280 is not terribly clear, but is basically a brief
> restatement of X.509.
>
> If you really want to puzzle over more text see (page 24, physical page
> 34 of):
>
>    http://handle.itu.int/11.1002/1000/9590-en?locatt=format:pdf
>
>    8.2.2.1 Authority key identifier extension
>
>    This field, which may be used as either a certificate extension or
>    CRL extension, identifies the public key to be used to verify the
>    signature on this certificate or CRL. It enables distinct keys used
>    by the same CA to be distinguished (e.g., as key updating occurs).
>    This field is defined as follows:
>
>    authorityKeyIdentifier EXTENSION ::= {
>        SYNTAX AuthorityKeyIdentifier IDENTIFIED BY id-ce-authorityKeyIdentifier
>    }
>
>    AuthorityKeyIdentifier ::= SEQUENCE {
>        keyIdentifier             [0] KeyIdentifier OPTIONAL
>        authorityCertIssuer       [1] GeneralNames  OPTIONAL
>        authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
>        ( WITH COMPONENTS {..., authorityCertIssuer PRESENT, authorityCertSerialNumber PRESENT} |
>          WITH COMPONENTS {..., authorityCertIssuer ABSENT, authorityCertSerialNumber ABSENT} )
>
>    KeyIdentifier ::= OCTET STRING
>
>    The key may be identified by an explicit key identifier in the
>    keyIdentifier component, by identification of a certificate for the
>    key (giving certificate issuer in the authorityCertIssuer component
>    and certificate serial number in the authorityCertSerialNumber
>    component), or by both explicit key identifier and identification of
>    a certificate for the key. If both forms of identification are used
>    then the certificate or CRL issuer shall ensure they are consistent.
>    A key identifier shall be unique with respect to all key identifiers
>    for the issuing authority for the certificate or CRL containing the
>    extension. An implementation which supports this extension is not
>    required to be able to process all name forms in the
>    authorityCertIssuer component. (See 8.3.2.1 for details of the
>    GeneralNames type.)
>
>    Certification authorities shall assign certificate serial numbers
>    such that every (issuer, certificate serial number) pair uniquely
>    identifies a single certificate. The keyIdentifier form can be used
>    to select CA certificates during path construction. The
>    authorityCertIssuer, authoritySerialNumber pair can only be used to
>    provide preference to one certificate over others during path
>    construction.
>
>    This extension is always non-critical.
>
> --
>    Viktor.