This code is currently being used by Akamai to check for the validity of 
certificates.

I find it highly unusual for multiple certificates to have the same SubjectDN 
to be valid simultaneously.
All those certificates would need to have a unique serial number; but the 
Issuer’s serial number is not included in the certificate, so there’s no 
easy way to determine the issuing certificate.

To validate those chains, the signature would have to be validated using the 
public key of each certificate that matches the Issuer. That can be an 
expensive proposition, and there are clients that will give up after the first 
failure.

Have you seen any chains like this IRL?

Do you know of any CAs that have their chains set up like this?

--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet."

On Feb 27, 2015, at 5:31 PM, Brian Smith 
<br...@briansmith.org> wrote:

Short, Todd via RT <r...@openssl.org> wrote:
Check that in matching issuer/subject certs, that a self-signed subject also 
has a self-signed issuer.
Given that the subject certificate is self-signed, it means that the issuer and 
the subject are the same certificate. This change verifies that.

Github link:
https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b

Could you explain this more?

In your patch, there is a comment that says "Input certificate
(subject) is self signed." But, the test is that the issuer name
equals the subject name. That means the certificate is self-*issued*,
not self-*signed*.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key2 }
{ Subject=Foo, Issuer=Foo, Key=Key2, Signed by Key3 }
{ Subject=Foo, Issuer=Foo, Key=Key3, Signed by Key3, Trust Anchor }

All three certificates are self-issued. The issuer of the first
certificate is not self-signed but it is self-issued. But, it being
self-issued doesn't matter because it isn't a trust anchor.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key1 }
{ Subject=Foo, Issuer=Bar, Key=Key1, Signed by Key2 }
{ Subject=Bar, Issuer=Bar, Key=Key2, Signed by Key2, Trust Anchor }

The first certificate is self-signed and self-issued. Its issuer is
not self-signed or self-issued, so your patch would reject this chain.
But, this is a valid chain.

Cheers,
Brian
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


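The two chains Brian lays out above, modeled as an added example (not code from the thread or from OpenSSL) to show why "issuer name equals subject name" is self-issuance, not self-signature, and why the extra check would reject the second, valid chain. The Cert record and the `signed_by` field standing in for "the signature verifies under this key" are a constructed simplification of X.509.

```python
from collections import namedtuple

# Constructed model of the fields the thread discusses; not real X.509 parsing.
# 'signed_by' stands in for "the signature verifies under this key".
Cert = namedtuple("Cert", "subject issuer key signed_by trust_anchor")

def is_self_issued(cert):
    # The name comparison the patch actually performs (issuer DN == subject DN).
    return cert.subject == cert.issuer

def is_self_signed(cert):
    # Self-issued AND the signature verifies under the certificate's own key.
    return is_self_issued(cert) and cert.signed_by == cert.key

def chain_is_valid(chain):
    """Ordinary path validation: each cert's issuer name matches the next
    cert's subject and its signature verifies under that cert's key; the
    final cert must be a self-signed trust anchor."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or cert.signed_by != issuer.key:
            return False
    return chain[-1].trust_anchor and is_self_signed(chain[-1])

def patched_check_rejects(chain):
    """The extra rule as Brian reads the patch: when the subject cert is
    self-issued, the cert it chains to must be self-issued as well. A
    stricter 'issuer must be self-signed' reading would also reject CHAIN_A."""
    for cert, issuer in zip(chain, chain[1:]):
        if is_self_issued(cert) and not is_self_issued(issuer):
            return True
    return False

# Brian's first chain: every cert is self-issued, only the anchor is self-signed.
CHAIN_A = [
    Cert("Foo", "Foo", "Key1", "Key2", False),
    Cert("Foo", "Foo", "Key2", "Key3", False),
    Cert("Foo", "Foo", "Key3", "Key3", True),
]
# Brian's second chain: the leaf is self-signed, but its issuer cert is not self-issued.
CHAIN_B = [
    Cert("Foo", "Foo", "Key1", "Key1", False),
    Cert("Foo", "Bar", "Key1", "Key2", False),
    Cert("Bar", "Bar", "Key2", "Key2", True),
]

if __name__ == "__main__":
    for name, chain in (("A", CHAIN_A), ("B", CHAIN_B)):
        print(name, "valid:", chain_is_valid(chain),
              "patch rejects:", patched_check_rejects(chain))
```

Both chains validate under the ordinary rules, yet the name-based check rejects chain B, which is the false negative Brian describes.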