Hi all and Hello Dr. Henson,

Please find the attached files:
cacert.pem - trusted certificate
cakey.pem - trusted certificate's private key
selfcert.pem - certificate signed by the given trusted certificate

The following is the output when we try to use the openssl verify utility:

$ openssl verify -CApath /usr/local/lib/openscep/ -CAfile cacert.pem -verbose -issuer_checks tmp.pem
tmp.pem: /unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 2 at 1 depth lookup:unable to get issuer certificate


We could not make any progress with the OpenSSL verify utility either. I
request you to help us in this regard.

Awaiting your valuable response.

Regards
Suram

> I have a doubt regarding X509_verify_cert(). When we have a TRUSTED
> certificate with the authority-key-identifier extension, and we are
> trying to verify a SELF certificate using the function X509_verify_cert(),
> the verification fails.

Upon a deeper look into the function, it is failing as follows:

Before calling X509_verify_cert() with the CTX, we initialize CTX->cert with
the self-certificate and add the trusted certificates to the X509_STORE
using the function X509_STORE_add_cert().

In X509_verify_cert():
1. It checks whether CTX->cert (the self-certificate) is a self-signed
certificate or not, pushing the certificates into a chain.
2. It looks for trusted certificates whose subject name is the same as the
issuer name of CTX->cert (i.e., the self-certificate) and pushes them into
the chain in the CTX. It then checks whether the trusted certificates are
self-signed or not by calling the function X509_check_issued().
3. The same trusted certificate is passed as both the subject and the issuer
certificate. In this function the serial number of the issuer certificate is
compared with the serial number in the Authority Key Identifier extension of
the subject certificate.
Here we are facing the problem: ASN1_INTEGER_cmp() is failing.

The QUESTION is whether the serial number in the trusted certificate should
be the SAME as the serial number in the Authority Key Identifier extension.

If the two need not be the same, then we feel that there is a bug in the
X509_check_issued() function, as we are using it to verify whether the
certificate is self-signed or not.

I would be thankful for any help regarding this question.

Regards
Suram

I've already responded to this in openssl-dev:

Does this fail with the OpenSSL verify utility? If so what is the
failure reason? Also try it with the -issuer_checks command line option.
If that doesn't help much then if you could send me the certificate(s)
causing the trouble I'll investigate further.

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]


--
Rama Krishna Prasad  Chunduru
Software engineer
Intoto Software(I) Pvt Ltd
Kharkhana
Secundrabad
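The comparison described in step 3 above, modelled as an added example (my code, not OpenSSL's and not the poster's): it builds minimal unsigned DER certificates in-line, pulls out the fields that X509_check_issued() compares, and applies the same checks in the same order as OpenSSL's X509_check_issued()/X509_check_akid(). In that code an authorityCertSerialNumber present in the AKID must equal the issuer certificate's own serialNumber, otherwise X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH (error 31, "authority and issuer serial number mismatch") is returned; a directoryName in authorityCertIssuer must equal the issuer certificate's issuer name (not its subject) and fails with the same code. That is why a CA certificate re-issued with a new serial number, even with the same name and key, no longer passes the check for certificates that embed the old serial. All names, serials and key identifiers below are constructed; the key and signature are placeholders and are not verified.

```python
"""Model of OpenSSL's X509_check_issued() on minimal DER certificates.
Added example, not OpenSSL code; certificates are constructed and unsigned."""

# ---- minimal DER encoder ---------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def int_body(n):                     # content octets of a non-negative INTEGER
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        enc = [v & 0x7F]
        v >>= 7
        while v:
            enc.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(enc)
    return tlv(0x06, bytes(body))

def ctx(num, body, constructed=False):   # context-specific [num] tag
    return tlv(0x80 | (0x20 if constructed else 0) | num, body)

def name(cn):                            # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))

AKID, SKID = oid("2.5.29.35"), oid("2.5.29.14")

def make_cert(subject, issuer, serial, skid, akid_keyid=None, akid_issuer=None, akid_serial=None):
    """Minimal v3 Certificate. AKID per RFC 5280 4.2.1.1: keyIdentifier [0],
    authorityCertIssuer [1] (one directoryName), authorityCertSerialNumber [2]."""
    akid = b""
    if akid_keyid is not None:
        akid += ctx(0, akid_keyid)
    if akid_issuer is not None:
        akid += ctx(1, ctx(4, name(akid_issuer), constructed=True), constructed=True)
    if akid_serial is not None:
        akid += ctx(2, int_body(akid_serial))
    exts = [seq(SKID, tlv(0x04, tlv(0x04, skid)))]
    if akid:
        exts.append(seq(AKID, tlv(0x04, seq(akid))))
    alg = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))        # sha256WithRSAEncryption
    tbs = seq(
        ctx(0, tlv(0x02, int_body(2)), constructed=True),           # version v3
        tlv(0x02, int_body(serial)), alg, name(issuer),
        seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")),
        name(subject),
        seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00")),  # placeholder SPKI
        ctx(3, seq(*exts), constructed=True))
    return seq(tbs, alg, tlv(0x03, b"\x00"))                         # placeholder signature

# ---- minimal DER decoder ---------------------------------------------------
def parse(buf, pos=0):
    """Return ((tag, content, children), next_pos); children is None for primitives."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body, end, kids = buf[pos:pos + ln], pos + ln, None
    if tag & 0x20:
        kids, p = [], 0
        while p < len(body):
            node, p = parse(body, p)
            kids.append(node)
    return (tag, body, kids), end

def fields(cert_der):
    """Extract what X509_check_issued() compares; names are kept as raw DER content."""
    tbs = parse(cert_der)[0][2][0][2]                 # Certificate -> tbsCertificate children
    f = {"serial": int.from_bytes(tbs[1][1], "big"), "issuer": tbs[3][1], "subject": tbs[5][1],
         "skid": None, "akid_keyid": None, "akid_issuer": None, "akid_serial": None}
    for _, _, (ext_oid, ext_val) in tbs[7][2][0][2]:   # extensions [3] -> SEQUENCE OF Extension
        inner = parse(ext_val[1])[0]                   # extnValue OCTET STRING wraps the DER value
        if ext_oid[1] == SKID[2:]:
            f["skid"] = inner[1]
        elif ext_oid[1] == AKID[2:]:
            for tag, body, kids in inner[2]:
                if tag == 0x80:
                    f["akid_keyid"] = body
                elif tag == 0xA1:                      # GeneralNames: first directoryName [4]
                    f["akid_issuer"] = next((k[2][0][1] for k in kids if k[0] == 0xA4), None)
                elif tag == 0x82:
                    f["akid_serial"] = int.from_bytes(body, "big")
    return f

X509_V_OK, X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 0, 29
X509_V_ERR_AKID_SKID_MISMATCH, X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 30, 31

def check_issued(subject_der, issuer_der):
    """Same decision order as X509_check_issued()/X509_check_akid(): names, keyid, serial, issuer."""
    s, i = fields(subject_der), fields(issuer_der)
    if s["issuer"] != i["subject"]:
        return X509_V_ERR_SUBJECT_ISSUER_MISMATCH
    if s["akid_keyid"] is not None and i["skid"] is not None and s["akid_keyid"] != i["skid"]:
        return X509_V_ERR_AKID_SKID_MISMATCH
    if s["akid_serial"] is not None and s["akid_serial"] != i["serial"]:   # must equal the CA's serial
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    if s["akid_issuer"] is not None and s["akid_issuer"] != i["issuer"]:   # the CA's *issuer* name
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    return X509_V_OK

def demo():
    """Constructed scenario: self-signed CA with a full AKID, a leaf under it, and the same CA
    re-issued with a new serial (same name, same key), which breaks the leaf's AKID serial."""
    ca_kid, leaf_kid = bytes(range(20)), bytes(range(20, 40))     # constructed key identifiers
    ca = make_cert("Test CA", "Test CA", 1000, ca_kid, ca_kid, "Test CA", 1000)
    ca_reissued = make_cert("Test CA", "Test CA", 2000, ca_kid, ca_kid, "Test CA", 2000)
    leaf = make_cert("host.example", "Test CA", 7, leaf_kid, ca_kid, "Test CA", 1000)
    stray = make_cert("host.example", "Other CA", 8, leaf_kid, ca_kid, "Other CA", 1000)
    return {"ca self-check": check_issued(ca, ca),                  # 0: AKID serial == own serial
            "leaf vs ca": check_issued(leaf, ca),                   # 0
            "leaf vs reissued ca": check_issued(leaf, ca_reissued), # 31: AKID says 1000, CA is 2000
            "stray leaf vs ca": check_issued(stray, ca)}            # 29: issuer name != CA subject

if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case}: {code}")
```

The "ca self-check" case is the situation in the post: a trusted certificate that carries its own AKID is checked against itself, and it passes only because its authorityCertSerialNumber equals its serialNumber. Real OpenSSL compares X509_NAME structures canonically rather than raw bytes and also applies key-usage and version checks after these; the comparison order shown is the part the question is about.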
