At 12:43 04.01.00 +0200, you wrote:
>Hello all!
Hello,
>For each certificate in chain I do next:
>
>i = X509_verify(x, X509_get_pubkey(x));
>For many sites (www.chase.com, www.ubs.com, ...) I have that first certificate
>in chain has unmatched signature (i == 0). Only last certificate (from RSA ....)
>has good signature. Is it possible or I do something wrong?
i = X509_verify(x,X509_get_pubkey(issuercert));
The last certificate is a self signed certificate.
An X509_verify(x,X509_get_pubkey(cacert)) on a self signed cert
(meaning X509_verify(x,X509_get_pubkey(x)))
will only test against transmission errors.
But to test against modifications by an untrusted third party
(malice) you must verify the certificate against other, external data.
You should have a store of verified (root) certificates and reject
all certificates you can't verify with one of the certificates from
this store.
Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]