From: owner-openssl-us...@openssl.org On Behalf Of Erwann Abalea
Sent: Monday, 06 August, 2012 08:06
The given certificate is correctly self-signed; you can manually check it by extracting the signature block and playing with openssl rsautl ..., dd ... | openssl dgst -sha1, etc.
It fails the validation path check probably because it's not declared as a CA. There's some ongoing work on IETF about DANE certificates and clarifications on RFC5280 about self-signed EE certificates. The presented certificate is certainly such a DANE one.
Specifically, as I responded Friday to a post from Harald Latzko, RE: TLS server/client with self-signed certificate:
OpenSSL won't verify a self-signed cert *or* a real CA cert
if it has KeyUsage that excludes certSign, as this one does.
It's not clear to me whether a self-signed cert used only for
an entity, not to issue other certs, *should* have BC.CA:true,
but current OpenSSL definitely doesn't require it. (I've
tested BC.CA:false KU:includes.certSign and OpenSSL works.)
On 06/08/2012 13:04, Johannes Bauer wrote:
It's seemingly self-signed, but then again -- not. When I call openssl:
$ openssl verify -CApath /dev/null -CAfile weird.crt weird.crt
weird.crt: /CN=WMSvc-WIN-EEBHLC81GJ8
error 20 at 0 depth lookup:unable to get local issuer certificate
Interestingly the lookup fails at depth 0 (!). If a parent certificate were missing, I'd expect a lookup fail at depth 1.
It's lookup of the issuer of the cert at 0 that failed. Because
the lookup failed (after being attempted by mistake), to OpenSSL
there is NO cert at depth 1 in this chain, only a hole.
When I create a self-signed certificate:
$ openssl req -new -x509 -nodes -out foobar.crt
And check it then: [OK]
By default req -new -x509 does no extensions. Use a config
file and x509_extensions or -extensions section that includes
KeyUsage as above and you can recreate the problem.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org