Paul wrote:
>> That's no solution, since once those different certificates with the
>> same name (subjectOneline) are included in the trusted CAs, verify
>> will fail on one of those 'dups', depending on which one was found
>> first. 
> 
> You could have a solution here:
> If you build a list of all certificates to import and sort them by
> filedate (most current date on top) then the latest CA will always be
> found first

That doesn't work. If you verified a cert that was issued by the
older CA cert, the new one was found first and verify would fail
as well.
The problem is that they first look up the issuer _name_ in the CA store
and if a matching cert was found, compare it with the one being
verified, which may be a different certificate that just owns the same
subject name. It becomes clear when you take a look at their source
code.

From X509_vfy.c:
[..]
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1)
    {
        /* We have a single self signed certificate: see if
        * we can find it in the store. We must have an exact
        * match to avoid possible impersonation.
        */
        ok = ctx->get_issuer(&xtmp, ctx, x);
        if ((ok <= 0) || X509_cmp(x, xtmp))
        {
            ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
  [..]
 
--
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
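The lookup behaviour Arno describes, as an added stand-alone Python model (not ICS or OpenSSL code): a trust store holding two CA certificates with the same subject name, a first-match-by-name issuer lookup followed by the whole-certificate comparison from the X509_vfy.c excerpt, and the same check written to try every store entry with that name. The Cert type, the constructed byte strings and the sample subject are assumptions for illustration only.

```python
import hashlib
from dataclasses import dataclass

X509_V_OK = 0
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18  # numeric value used by OpenSSL's x509_vfy.h


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X509 object: a subject name plus constructed
    (not real DER) bytes that stand for the encoded certificate."""
    subject: str
    der: bytes

    def fingerprint(self) -> bytes:
        # X509_cmp() decides equality on a digest of the whole certificate,
        # never on the subject name alone.
        return hashlib.sha1(self.der).digest()


def get_issuer_first_by_name(store, subject):
    """Models ctx->get_issuer as the mail describes it: the first store entry
    whose subject name matches wins, even when several share that name."""
    for cert in store:
        if cert.subject == subject:
            return cert
    return None


def verify_self_signed_first_match(store, x):
    """Depth-zero self-signed check from the quoted excerpt on top of the
    first-match lookup: a name 'dup' that is not the exact same cert fails."""
    xtmp = get_issuer_first_by_name(store, x.subject)
    if xtmp is None or xtmp.fingerprint() != x.fingerprint():
        return X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    return X509_V_OK


def verify_self_signed_any_match(store, x):
    """Same check, but every entry carrying the matching name is tried, so a
    store that holds both the old and the new CA accepts either of them."""
    for cand in store:
        if cand.subject == x.subject and cand.fingerprint() == x.fingerprint():
            return X509_V_OK
    return X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT


# Constructed sample data: two CA certificates that share one subject name.
OLD_CA = Cert("CN=Example Root CA", b"constructed-old-ca-bytes")
NEW_CA = Cert("CN=Example Root CA", b"constructed-new-ca-bytes")
STORE_NEWEST_FIRST = [NEW_CA, OLD_CA]  # what sorting by file date would give
```

With the newest CA sorted first, verifying the old CA certificate itself still fails under the first-match lookup, which is the case Arno raises against the sort-by-date idea.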