[strongSwan-dev] X509_AA flag does not meet spec; implementation is buggy too
mikeryan at isi.edu
Wed Jun 23 21:02:15 CEST 2010
The X509_AA flag parallels the X509_CA flag. Its basic meaning is: the
holder if this certificate has the authority to issue X.509 attribute
According to RFC3281, there is no provision to encode a simple boolean
flag with the meaning of X509_AA in an X.509 certificate.
AA controls, an optional sequence described in section 7.1, provide a
rich set of controls over which attributes may be issued by an AA. There
IS a boolean flag in there: permitUnSpecified. If this is true, then the
holder is allowed to issue any attribute.
This flag is semantically subtly different from a boolean meaning 'is an
The handling of the X509_AA flag is buggy as well. Setting the X509_AA
flag on a certificate sets a flag in the data structure, but when the
certificate is encoded into ASN.1 there is no difference between a cert
with and without this flag.
To exercise this bug, create a cert with the X509_AA flag, save its
encoding to a file, and then load it again. The X509_AA flag will not be
To create a cert with the AA flag, I modified pki/commands/self.c and
added X509_AA to the --ca flag like so:
flags |= X509_CA;
flags |= X509_AA;
Then generate a self-signed cert with the CA flag and print the cert:
$ pki --self --dn cn=test --ca --in private.der > test.der
$ pki --print --in test.der | grep AA
No mention of the AA flag is made. The cert is identical to a cert
without the AA flag specified.
More information about the Dev