Short, Todd via RT <r...@openssl.org> wrote:

> Check that in matching issuer/subject certs, that a self-signed subject also
> has a self-signed issuer.
> Given that the subject certificate is self-signed, it means that the issuer
> and the subject are the same certificate. This change verifies that.
>
> Github link:
> https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b
Could you explain this more?

In your patch, there is a comment that says "Input certificate (subject) is self signed." But, the test is that the issuer name equals the subject name. That means the certificate is self-*issued*, not self-*signed*.

Consider this chain:

  { Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key2 }
  { Subject=Foo, Issuer=Foo, Key=Key2, Signed by Key3 }
  { Subject=Foo, Issuer=Foo, Key=Key3, Signed by Key3, Trust Anchor }

All three certificates are self-issued. The issuer of the first certificate is not self-signed but it is self-issued. But, it being self-issued doesn't matter because it isn't a trust anchor.

Consider this chain:

  { Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key1 }
  { Subject=Foo, Issuer=Bar, Key=Key1, Signed by Key2 }
  { Subject=Bar, Issuer=Bar, Key=Key2, Signed by Key2, Trust Anchor }

The first certificate is self-signed and self-issued. Its issuer is not self-signed or self-issued, so your patch would reject this chain. But, this is a valid chain.

Cheers,
Brian

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
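The distinction Brian draws (self-issued = issuer name equals subject name; self-signed = additionally verifies under its own key) can be made concrete with a small model. The following is an added example, not code from the thread, from OpenSSL, or from the quoted Akamai commit: certificates are modelled as name pairs plus key identifiers, and a `signed_by` identifier stands in for a real signature check (an assumption of this model, not how OpenSSL verifies signatures). `proposed_check_rejects` encodes the name-based rule as Brian reads the patch, and `validate_chain` is a minimal leaf-to-anchor path check; the two chains from the message are reconstructed, plus a constructed tampered chain to show that signature-based checking, not name matching, is what catches a bad link.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    """Toy certificate model (assumption of this example, not OpenSSL's X509).

    key:       identifier of the subject public key carried in the cert
    signed_by: identifier of the key whose signature the cert carries;
               comparing it to the issuer's 'key' stands in for verifying
               the signature with the issuer's public key.
    """
    subject: str
    issuer: str
    key: str
    signed_by: str
    trust_anchor: bool = False


def is_self_issued(cert: Cert) -> bool:
    # RFC 5280 section 6.1 sense: issuer name and subject name match.
    return cert.issuer == cert.subject


def is_self_signed(cert: Cert) -> bool:
    # Self-signed is stronger: the signature must also verify under
    # the certificate's own public key.
    return is_self_issued(cert) and cert.signed_by == cert.key


def proposed_check_rejects(chain: List[Cert]) -> bool:
    """Model of the rule in the quoted patch as the reply reads it:
    a subject cert whose names match must have an issuer whose names match.
    Returns True if this rule would reject the chain."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if is_self_issued(cert) and not is_self_issued(issuer_cert):
            return True
    return False


def validate_chain(chain: List[Cert]) -> bool:
    """Minimal path check, leaf first and trust anchor last:
    each cert must name the next cert's subject as its issuer and be
    signed by the next cert's key; the final cert must be a trust anchor.
    Whether intermediate certs are self-issued or self-signed is irrelevant."""
    if not chain or not chain[-1].trust_anchor:
        return False
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert.issuer != issuer_cert.subject:
            return False          # name linkage broken
        if cert.signed_by != issuer_cert.key:
            return False          # signature does not verify under issuer key
    return True


# Chain 1 from the message: all three certs are self-issued, only the
# anchor is self-signed.
CHAIN_1 = [
    Cert("Foo", "Foo", "Key1", "Key2"),
    Cert("Foo", "Foo", "Key2", "Key3"),
    Cert("Foo", "Foo", "Key3", "Key3", trust_anchor=True),
]

# Chain 2 from the message: leaf is self-signed and self-issued, its issuer
# is neither, and the chain is nevertheless valid.
CHAIN_2 = [
    Cert("Foo", "Foo", "Key1", "Key1"),
    Cert("Foo", "Bar", "Key1", "Key2"),
    Cert("Bar", "Bar", "Key2", "Key2", trust_anchor=True),
]

# Constructed for this example: chain 1 with the leaf's signature replaced
# by one from an unrelated key. Names still match, so the name-based rule
# passes it; the signature check does not.
TAMPERED = [
    Cert("Foo", "Foo", "Key1", "Key9"),
    CHAIN_1[1],
    CHAIN_1[2],
]


def summarize(chain: List[Cert]) -> dict:
    """Collect the verdicts a reviewer would compare side by side."""
    return {
        "leaf_self_issued": is_self_issued(chain[0]),
        "leaf_self_signed": is_self_signed(chain[0]),
        "valid_path": validate_chain(chain),
        "rejected_by_name_rule": proposed_check_rejects(chain),
    }


if __name__ == "__main__":
    for name, chain in (("chain 1", CHAIN_1), ("chain 2", CHAIN_2),
                        ("tampered", TAMPERED)):
        print(name, summarize(chain))
```

Running it shows the mismatch Brian describes: chain 2 validates but the name-based rule rejects it, while the tampered chain passes the name-based rule and is only caught by the signature check.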