Re: Certificate validation problem

2008-10-10 Thread Gerhard Gappmeier
Thanks Dave,

today I rechecked the dump of the certificates which cause the problem.
The AUTHORITY_KEYID was really missing in them.
They were created using some MS .Net stuff.
My certificates which I create with openssl work fine.

I told the guy who created the wrong certificates about the missing field.
In our protocol this field is mandatory because our commonNames are not always 
unique.

On Friday 10 October 2008 02:03:44 Dave Thompson wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier
> > Sent: Wednesday, 08 October, 2008 08:14
> >
> > I've a problem with validating self-signed certificates.
> >
> > In my use case it's possible (but unlikely) to have multiple self-signed
> > certificates with the same commonName.
>
> More to the point, they are root CA certs -- selfsigned, AND used to sign
> child certs. Your problem is with child linkage, not selfsigned as such.
>
> > In the used protocol the URI field in subjectAltName fulfills the
> > purpose of distinguishing the application instances.
>
> That appears to be irrelevant.
>
> > When validating a certificate using X509_verify_cert it seems that
> > OpenSSL finds the wrong certificate in the store
> > due to the same commonName and then the validation fails.
> >
> > As far as I understood the code - but I'm not sure - the problem is,
> > that X509_check_issued() that is called indirectly by
> > find_issuer() doesn't check the certificate serial number when searching
> > for the issuer certificate
> > and only looks for the commonName.
> > This happens because no AUTHORITY_KEYID (subject-akid) is available in
> > the subject structure. (why?)
> > See the screenshot for details.
>
> Your screenshot came out totally illegible, at least for me.
>
> AKID is an optional extension, with several optional subformats.
> Do you have a copy (e.g. in a file) of the cert you want to validate
> i.e. the subject=child cert? If so, check the extension is present,
> and has (child.)AKID.keyid = parent.subjkeyid
> and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial) .
>
> How did you obtain, or create, the child cert? (Commercial CA,
> inhouse CA, openssl CA.pl, openssl commandline, etc.)
>
> > The certificate of course has a serial number so I want this to be
> > checked when looking up a certificate in the store.
>
> Which cert? When you want to look up the parent you need attributes
> of the parent, not the child.  If you want to look up the parent
> by issuer+serial (serial alone is not enough) (although in this case
> parent is selfsigned so its issuer and subject are the same),
> use child.AKID.(issuer+serial) as above.
>
>
>
> __
> OpenSSL Project                 http://www.openssl.org
> User Support Mailing List       openssl-users@openssl.org
> Automated List Manager          [EMAIL PROTECTED]



RE: Certificate validation problem

2008-10-09 Thread Dave Thompson
> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier
> Sent: Wednesday, 08 October, 2008 08:14
>
> I've a problem with validating self-signed certificates.
>
> In my use case it's possible (but unlikely) to have multiple self-signed
> certificates with the same commonName.

More to the point, they are root CA certs -- selfsigned, AND used to sign
child certs. Your problem is with child linkage, not selfsigned as such.

> In the used protocol the URI field in subjectAltName fulfills the
> purpose of distinguishing the application instances.

That appears to be irrelevant.

> When validating a certificate using X509_verify_cert it seems that
> OpenSSL finds the wrong certificate in the store
> due to the same commonName and then the validation fails.
>
> As far as I understood the code - but I'm not sure - the problem is,
> that X509_check_issued() that is called indirectly by
> find_issuer() doesn't check the certificate serial number when searching
> for the issuer certificate
> and only looks for the commonName.
> This happens because no AUTHORITY_KEYID (subject-akid) is available in
> the subject structure. (why?)
> See the screenshot for details.

Your screenshot came out totally illegible, at least for me.

AKID is an optional extension, with several optional subformats.
Do you have a copy (e.g. in a file) of the cert you want to validate
i.e. the subject=child cert? If so, check the extension is present,
and has (child.)AKID.keyid = parent.subjkeyid
and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial) .

How did you obtain, or create, the child cert? (Commercial CA,
inhouse CA, openssl CA.pl, openssl commandline, etc.)

> The certificate of course has a serial number so I want this to be
> checked when looking up a certificate in the store.

Which cert? When you want to look up the parent you need attributes
of the parent, not the child.  If you want to look up the parent
by issuer+serial (serial alone is not enough) (although in this case
parent is selfsigned so its issuer and subject are the same),
use child.AKID.(issuer+serial) as above.



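The check Dave describes, run end to end. This is an added example, not code from this thread or from the OpenSSL project: it builds two self-signed roots that share the subject "CN=Shared Root" (different keys, serials 10 and 11), signs one CSR with the second root twice (once with authorityKeyIdentifier = keyid, issuer, once with no extension file), pulls the AKID and SKID key identifiers out of `openssl x509 -text` output, and shows what `openssl verify` reports for each child against each root and against a bundle that lists the wrong root first. The subject names, serials and the URI subjectAltName are made up for the demo, and the `openssl` command line tool must be on PATH (written against 1.1.1/3.x). One caveat: newer OpenSSL releases may add subjectKeyIdentifier and authorityKeyIdentifier on their own when signing, so the "no AKID" child can come out with an AKID after all; the script prints what it actually finds instead of assuming.

```sh
#!/bin/sh
# Added demo, not code from this thread or from the OpenSSL project: two
# self-signed roots with the same subject name, a child signed by the second
# root, and the AKID/SKID check Dave Thompson describes. Names, serials and
# the URI SAN are made up; the `openssl` command line tool must be on PATH.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Minimal config: a DN section for `req`, extension sections for roots and leaf.
cat > "$DEMO_DIR/demo.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = Shared Root
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = URI:urn:example:app-instance-1
EOF

gen_key() {  # $1 = output file; P-256 keeps the demo fast
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

make_certs() {
    cfg="$DEMO_DIR/demo.cnf"
    # rootA and rootB: different keys, identical subject, distinct serials 10 and 11.
    gen_key "$DEMO_DIR/rootA.key"
    gen_key "$DEMO_DIR/rootB.key"
    openssl req -x509 -new -sha256 -key "$DEMO_DIR/rootA.key" -config "$cfg" \
        -extensions root_ext -set_serial 10 -days 365 -out "$DEMO_DIR/rootA.pem"
    openssl req -x509 -new -sha256 -key "$DEMO_DIR/rootB.key" -config "$cfg" \
        -extensions root_ext -set_serial 11 -days 365 -out "$DEMO_DIR/rootB.pem"
    # Trust bundle with the wrong root (rootA) deliberately listed first.
    cat "$DEMO_DIR/rootA.pem" "$DEMO_DIR/rootB.pem" > "$DEMO_DIR/both-roots.pem"
    # One CSR, signed by rootB twice: with leaf_ext (AKID = keyid + issuer/serial)
    # and with no extension file at all.
    gen_key "$DEMO_DIR/child.key"
    openssl req -new -sha256 -key "$DEMO_DIR/child.key" -config "$cfg" \
        -subj "/CN=App Instance" -out "$DEMO_DIR/child.csr"
    openssl x509 -req -sha256 -in "$DEMO_DIR/child.csr" -CA "$DEMO_DIR/rootB.pem" \
        -CAkey "$DEMO_DIR/rootB.key" -set_serial 1001 -days 365 \
        -extfile "$cfg" -extensions leaf_ext -out "$DEMO_DIR/child-akid.pem" 2>/dev/null
    openssl x509 -req -sha256 -in "$DEMO_DIR/child.csr" -CA "$DEMO_DIR/rootB.pem" \
        -CAkey "$DEMO_DIR/rootB.key" -set_serial 1002 -days 365 \
        -out "$DEMO_DIR/child-noakid.pem" 2>/dev/null
}

# Print the hex key identifier on the line after the given extension title in
# `openssl x509 -text` output ("keyid:" label optional); nothing if absent.
ext_keyid() {  # $1 = cert, $2 = "Authority Key Identifier" | "Subject Key Identifier"
    openssl x509 -in "$1" -noout -text 2>/dev/null \
      | awk -v name="$2" 'found { print; exit } index($0, name) { found = 1 }' \
      | sed -n 's/^[^0-9A-F]*\(\([0-9A-F][0-9A-F]:\)*[0-9A-F][0-9A-F]\).*/\1/p'
}

# Dave's first check: child.AKID.keyid must exist and equal parent.SKID.
akid_matches_skid() {  # $1 = child cert, $2 = candidate parent cert
    akid=$(ext_keyid "$1" "Authority Key Identifier")
    skid=$(ext_keyid "$2" "Subject Key Identifier")
    [ -n "$akid" ] && [ "$akid" = "$skid" ]
}

# Print "OK" or the text of the first chain-building error `openssl verify` reports.
verify_result() {  # $1 = CA bundle, $2 = cert to verify
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" \
             | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | sed -n '1p' ;;
    esac
}

main() {
    make_certs
    for child in child-akid child-noakid; do
        c="$DEMO_DIR/$child.pem"
        akid=$(ext_keyid "$c" "Authority Key Identifier")
        echo "$child: AKID keyid = ${akid:-(absent)}"
        for r in rootA rootB; do
            if akid_matches_skid "$c" "$DEMO_DIR/$r.pem"; then m=match; else m="no match"; fi
            echo "  vs $r: AKID/SKID $m; verify with $r alone: $(verify_result "$DEMO_DIR/$r.pem" "$c")"
        done
        echo "  verify with both roots, rootA first: $(verify_result "$DEMO_DIR/both-roots.pem" "$c")"
    done
}
main
```

What the output shows: for child-akid the AKID keyid matches rootB's SKID and not rootA's; verifying it against rootA alone stops at issuer lookup ("unable to get local issuer certificate"), because the same-name root is rejected by the key identifier before any signature is checked, and verifying against the bundle with rootA first still succeeds because OpenSSL keeps going through the same-name candidates in the store. When the second child really has no AKID (which is the situation Gerhard found with the .Net-generated certificates), rootA is accepted as its issuer at lookup time and the failure only shows up later as "certificate signature failure"; which root wins when both are in the store then depends on ordering, not on anything in the certificate, which is exactly why the AKID is worth making mandatory in a protocol where commonNames can repeat.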