X509_verify_cert doesn't behave as I would have expected...
By default, it will reject any depth-zero-self-signed certificate
(like the one attached). I don't see why such a certificate should
always be rejected -- they're fine if they're signed by a certificate
in the X509_STORE. Also, isn't the CA root certificate one of these?
I can use the verify callback to mask any such errors. However, then
all depth-zero-self-signed certificates are successfully verified
without even consulting the X509_STORE. Self-signed certificates
should be rejected if they are not signed by the CA (i.e. they are not
the CA).
David Marwood
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=ca, ST=bc, L=van, O=fake, OU=fake, [EMAIL PROTECTED]
        Validity
            Not Before: Oct 27 20:46:50 1999 GMT
            Not After : Jul 23 20:46:50 2002 GMT
        Subject: C=ca, ST=bc, L=van, O=fake, OU=fake, [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BF:9C:29:94:27:EF:79:7A:43:F9:1D:F5:9A:03:ED:09:69:A0:34:B5
            X509v3 Authority Key Identifier:
                keyid:BF:9C:29:94:27:EF:79:7A:43:F9:1D:F5:9A:03:ED:09:69:A0:34:B5
                DirName:[EMAIL PROTECTED]
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: dsaWithSHA1
        30:2d:02:15:00:82:bd:94:a9:f7:83:e4:28:26:8b:71:39:88:
        63:27:32:7d:06:e1:ec:02:14:4e:75:67:fe:60:bc:60:df:4c:
        79:db:98:16:5f:e0:66:ad:0d:f9:b0
----------------------------------------------------------------------
David Marwood, M.Sc. [EMAIL PROTECTED]
Director, Internet Technologies Phone: 604-921-5993
InfraNet Solutions Fax: 604-921-5909
West Vancouver, BC, Canada
----------------------------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
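
Added example (not part of the original post and not OpenSSL's own code): the behaviour asked for above, shown with the openssl command-line tool, whose verify command calls X509_verify_cert, on constructed throwaway certificates. The names pinned and impostor, the helper functions and the temporary directory are assumptions of the example; error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.

```shell
#!/bin/sh
# Added example, not from the original post. All certificates are constructed
# throwaway test data; assumes the `openssl` command-line tool is on PATH.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned <name>: write $WORK/<name>.pem, a fresh self-signed
# certificate. Every call uses the same subject/issuer but a new key pair.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=ca/ST=bc/L=van/O=fake/OU=fake" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# verify_against <trusted> <cert>: verify $WORK/<cert>.pem with
# $WORK/<trusted>.pem passed as the trusted certificate file (-CAfile).
# Prints "ok", or "error <n>" with the first verify error number reported.
verify_against() {
    out=$(openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1) || true
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo ok
    else
        printf '%s\n' "$out" |
            sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/error \1/p' |
            head -n 1
    fi
}

make_selfsigned pinned     # the certificate the verifier chooses to trust
make_selfsigned impostor   # same names, different key: must not be accepted

# A self-signed certificate verifies only when that exact certificate is in
# the trusted set; a look-alike with the same subject is still rejected.
echo "pinned vs. store holding pinned:   $(verify_against pinned pinned)"
echo "impostor vs. store holding pinned: $(verify_against pinned impostor)"
```

The accept/reject decision here comes entirely from what is in the trusted file, which is the property lost when a verify callback clears the depth-zero self-signed error unconditionally.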