Hi,
  This is a bug report against v1.0.0: openssl verify no longer works with 
-CApath.  `cat'ing the contents of -CApath into a file and using -CAfile does 
still work:

With a properly configured CApath:

$ ls ./trust_root/
DoD_Root_CA_2.pem
DOD_Bundle.pem
DOD-Email-CA-24.pem.cer
ffb07f59.0 -> DOD-Email-CA-24.pem.cer
f445e798.0 -> DoD_Root_CA_2.pem


where DOD_Bundle.pem results from:
$ cat DoD_Root_CA_2.pem DOD-Email-CA-24.pem.cer > DOD_Bundle.pem


This validates, using all-in-one -CAfile:

$ openssl verify -verbose -issuer_checks -CApath ./trust_root/ -purpose smimesign UserCertificate-smime.pem.cer
UserCertificate-smime.pem.cer: C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 20 at 0 depth lookup:unable to get local issuer certificate


HOWEVER, this does not, using -CApath to the dir itself:


$ openssl verify -verbose -issuer_checks -CAfile ./trust_root/DOD_Bundle.pem -purpose smimesign UserCertificate-smime.pem.cer
UserCertificate-smime.pem.cer: C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = U.S. Government, OU = DoD, OU = PKI, [REDACTED]
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD EMAIL CA-24
error 29 at 0 depth lookup:subject issuer mismatch
OK

I checked 0.9.8t, 1.0.0g and 1.0.1-beta2; 0.9.8t works as it used to with
-CApath; the 1.0.x versions fail as though -CApath is not valid. (Downloaded/built
from source.)

Work:

===>  OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008     <===
OK
===>  OpenSSL 0.9.8j 07 Jan 2009        <===
OK
===>  OpenSSL 0.9.8t 18 Jan 2012        <===
OK


don't work:

===>  OpenSSL 1.0.0g 18 Jan 2012        <===
===>  OpenSSL 1.0.1-beta2 19 Jan 2012   <===
===>  OpenSSL 1.0.0-fips 29 Mar 2010   <===

I've not been able to narrow down where the failure is yet.
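Editor's note, not part of the report above: the post does not identify the cause, but the first thing to check with a -CApath directory that stops working between 0.9.8 and 1.0.x is the hashed symlinks themselves. -CApath lookups open files named <subject_hash>.<n>, and OpenSSL 1.0.0 changed the subject-name hash algorithm; 1.0.x prints the current value with `openssl x509 -subject_hash` and the pre-1.0.0 value with `-subject_hash_old`, so a directory linked under 0.9.8 (by c_rehash or by hand) is silently invisible to a 1.0.x binary. The script below is an added example, not code from the post or from OpenSSL: it reports, for each PEM certificate in a directory, whether a link exists under the hash the openssl binary on PATH uses, whether links exist only under the old hash, or neither, and can create the missing links. It assumes an openssl that supports -subject_hash_old (1.0.0 or later), certificates stored as *.pem or *.cer, and a readlink(1) on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSL). Checks whether the
# <hash>.N symlinks in a -CApath directory match the subject hash computed by
# the openssl binary in use, and optionally rebuilds them.
# Assumptions: "openssl" on PATH is 1.0.0 or later (has -subject_hash_old),
# certificates are PEM files named *.pem or *.cer, readlink(1) is available.

# has_link DIR HASH: succeed if any DIR/HASH.N exists (N = 0, 1, ...).
has_link() {
    for l in "$1"/"$2".[0-9]*; do
        if [ -e "$l" ]; then return 0; fi
    done
    return 1
}

# capath_check DIR: one line per certificate file (symlinks are skipped).
# Returns 0 if every certificate is reachable under the current hash, else 1.
capath_check() {
    dir=$1
    rc=0
    for cert in "$dir"/*.pem "$dir"/*.cer; do
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        # Non-certificate files (e.g. a private key) make x509 fail: skip them.
        # For a bundle only the first certificate is hashed, as c_rehash does.
        new=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || continue
        old=$(openssl x509 -in "$cert" -noout -subject_hash_old 2>/dev/null) || old=""
        if has_link "$dir" "$new"; then
            echo "OK       $cert -> $new"
        elif [ -n "$old" ] && has_link "$dir" "$old"; then
            # Linked under the pre-1.0.0 hash: 0.9.8 finds it, 1.0.x does not.
            echo "OLD-HASH $cert linked as $old, this openssl looks up $new"
            rc=1
        else
            echo "MISSING  $cert has no $new.N link"
            rc=1
        fi
    done
    return $rc
}

# capath_rehash DIR: create <current_hash>.N links for certificates that lack
# one, choosing the next free N on hash collisions (what c_rehash does).
capath_rehash() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.cer; do
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        h=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || continue
        base=$(basename "$cert")
        n=0
        while [ -e "$dir/$h.$n" ]; do
            if [ "$(readlink "$dir/$h.$n")" = "$base" ]; then n=""; break; fi
            n=$((n + 1))
        done
        if [ -n "$n" ]; then ln -s "$base" "$dir/$h.$n"; fi
    done
    return 0
}

# Usage (hypothetical paths): check, relink, re-run the failing verify.
#   capath_check ./trust_root || capath_rehash ./trust_root
#   openssl verify -CApath ./trust_root -purpose smimesign UserCertificate-smime.pem.cer
```

Run capath_check against the same directory with each openssl binary in the "work" and "don't work" lists; a directory that prints OK under 0.9.8t and OLD-HASH under 1.0.0g has been linked for the old hash only, and relinking (c_rehash from the 1.0.x tree, or capath_rehash above) restores -CApath lookups. If it prints OK everywhere, the hash is not the problem and the failure is elsewhere. Note that a concatenated bundle sitting in the directory, like DOD_Bundle.pem above, is neither harmful nor useful to -CApath: only hashed links are consulted.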