On Tue, Dec 15, 2015 at 08:04:45PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> It appears that openssl verify refuses to deal with self-signed
> certificates?

You mean the command-line utility?

$ openssl x509 -in rootcert.pem -subject -issuer
subject= CN = Root CA
issuer= CN = Root CA
-----BEGIN CERTIFICATE-----
MIIBZDCCAQugAwIBAgIBATAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
MCAXDTE1MTIxMzIzMTMwOFoYDzMwMTUwNDE1MjMxMzA4WjASMRAwDgYDVQQDDAdS
b290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0dpXj9GPuGRWsNkbVla9
1o1N29JQ4zdXESfHXgVg9B0K+Rv6+IBfgMKMAmoU1P6MMKlnO57AwFqEqoENE0G3
bKNQME4wHQYDVR0OBBYEFOS9QF8FKoIN35iD+T19P5Cq7HI/MB8GA1UdIwQYMBaA
FOS9QF8FKoIN35iD+T19P5Cq7HI/MAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwID
RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
$ openssl verify -CAfile rootcert.pem rootcert.pem
rootcert.pem: OK

> Here’s what I get:
>
> $ openssl verify -verbose -purpose sslclient -purpose smimesign test2.pem
>
> test2.pem: CN = test2, C = US
>
> error 20 at 0 depth lookup:unable to get local issuer certificate

No CAfile, no trust.  And your particular certificate has:

    X509v3 Basic Constraints: critical
        CA:FALSE

which does prevent it from verifying itself.  The "CA:FALSE" constraint
is only really useful in certificates issued from a different key.  No
security benefit in setting it in self-signed certificates.
$ openssl x509 -text -noout <<EOF
-----BEGIN CERTIFICATE-----
MIIDEjCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAdMQ4wDAYDVQQDDAV0ZXN0
MjELMAkGA1UEBhMCVVMwHhcNMTUxMjE1MTk1NjU4WhcNMTYxMjE0MTk1NjU4WjAd
MQ4wDAYDVQQDDAV0ZXN0MjELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCxmo/YeUHwiyar+DyzoK/mqTEc3nhaGAjUMZ2fSm5TnEzi
zxMJE3ESYje0CIgzqwlVNSWF4OuESookYGacF9/R+eJn58FrnzODglasmDMLxUK8
kWGFTkIlSpL72ctVbZR9axJGGCTRDutCFzFMzadsnDXEMmoGAPLCSKrQ8DFdUymX
SUtzpKaNNlgoG2Wt95kQF7AsWy5EHBcuUJyAF/90HNA8bFhh9jvfXh1b35N9n6S8
2IkN26ROfazabcX/JRljxm4jgfKDzrwt/np3mEkrD9fesYiQtwgJfGyjjpZgEo49
ecZwREahe0omA8cg89NMuHY40RN6PNc7tIjQg9exAgMBAAGjXTBbMA8GA1UdEwEB
/wQFMAMBAQAwDgYDVR0PAQH/BAQDAgbAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggr
BgEFBQcDAjAZBgNVHREEEjAQgQ50aWhzQGhvdXNlLmNvbTANBgkqhkiG9w0BAQsF
AAOCAQEABsCTzwM+HjvDQXCfPucSqcqvdxfJsUZNMRN9RZFka8GuMpBbxhIGdTLo
w8SOKRIIqzRdznCAKf4SPZ4y5nMyOQkHLGKIRcjMnZfnJkxjyj86eUxIBAVQP7lK
RcZkj+UdRE2eakED11jRoyFEAaXbYvqa/ZwCImOLIKSh2DW2hflvpX0sdfIX89KO
QVc9Ve9vAQanJtHjjs2xbn86V1J2Ffc4bcsMrk7dofrmoYwJVrNA4wzbrWDKHfjW
2NX2V2JBK8xnEDSTywtTuVf7oEZGGKY+1yMrgsqS22aC7sOUtUwqO/Gd0UsJiaMv
LhjJg2S3a2LFQk129WJrM1CM5XOCvw==
-----END CERTIFICATE-----
EOF
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=test2, C=US
        Validity
            Not Before: Dec 15 19:56:58 2015 GMT
            Not After : Dec 14 19:56:58 2016 GMT
        Subject: CN=test2, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:9a:8f:d8:79:41:f0:8b:26:ab:f8:3c:b3:a0:
                    af:e6:a9:31:1c:de:78:5a:18:08:d4:31:9d:9f:4a:
                    6e:53:9c:4c:e2:cf:13:09:13:71:12:62:37:b4:08:
                    88:33:ab:09:55:35:25:85:e0:eb:84:4a:8a:24:60:
                    66:9c:17:df:d1:f9:e2:67:e7:c1:6b:9f:33:83:82:
                    56:ac:98:33:0b:c5:42:bc:91:61:85:4e:42:25:4a:
                    92:fb:d9:cb:55:6d:94:7d:6b:12:46:18:24:d1:0e:
                    eb:42:17:31:4c:cd:a7:6c:9c:35:c4:32:6a:06:00:
                    f2:c2:48:aa:d0:f0:31:5d:53:29:97:49:4b:73:a4:
                    a6:8d:36:58:28:1b:65:ad:f7:99:10:17:b0:2c:5b:
                    2e:44:1c:17:2e:50:9c:80:17:ff:74:1c:d0:3c:6c:
                    58:61:f6:3b:df:5e:1d:5b:df:93:7d:9f:a4:bc:d8:
                    89:0d:db:a4:4e:7d:ac:da:6d:c5:ff:25:19:63:c6:
                    6e:23:81:f2:83:ce:bc:2d:fe:7a:77:98:49:2b:0f:
                    d7:de:b1:88:90:b7:08:09:7c:6c:a3:8e:96:60:12:
                    8e:3d:79:c6:70:44:46:a1:7b:4a:26:03:c7:20:f3:
                    d3:4c:b8:76:38:d1:13:7a:3c:d7:3b:b4:88:d0:83:
                    d7:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                email:t...@house.com
    Signature Algorithm: sha256WithRSAEncryption
         06:c0:93:cf:03:3e:1e:3b:c3:41:70:9f:3e:e7:12:a9:ca:af:
         77:17:c9:b1:46:4d:31:13:7d:45:91:64:6b:c1:ae:32:90:5b:
         c6:12:06:75:32:e8:c3:c4:8e:29:12:08:ab:34:5d:ce:70:80:
         29:fe:12:3d:9e:32:e6:73:32:39:09:07:2c:62:88:45:c8:cc:
         9d:97:e7:26:4c:63:ca:3f:3a:79:4c:48:04:05:50:3f:b9:4a:
         45:c6:64:8f:e5:1d:44:4d:9e:6a:41:03:d7:58:d1:a3:21:44:
         01:a5:db:62:fa:9a:fd:9c:02:22:63:8b:20:a4:a1:d8:35:b6:
         85:f9:6f:a5:7d:2c:75:f2:17:f3:d2:8e:41:57:3d:55:ef:6f:
         01:06:a7:26:d1:e3:8e:cd:b1:6e:7f:3a:57:52:76:15:f7:38:
         6d:cb:0c:ae:4e:dd:a1:fa:e6:a1:8c:09:56:b3:40:e3:0c:db:
         ad:60:ca:1d:f8:d6:d8:d5:f6:57:62:41:2b:cc:67:10:34:93:
         cb:0b:53:b9:57:fb:a0:46:46:18:a6:3e:d7:23:2b:82:ca:92:
         db:66:82:ee:c3:94:b5:4c:2a:3b:f1:9d:d1:4b:09:89:a3:2f:
         2e:18:c9:83:64:b7:6b:62:c5:42:4d:76:f5:62:6b:33:50:8c:
         e5:73:82:bf

-- 
	Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
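As an added example (not code from the thread, nor from OpenSSL itself), here is a POSIX shell script that reproduces the two situations the reply contrasts: a self-signed root (critical CA:TRUE, keyCertSign) verified against itself, and a self-signed certificate built with the same extension profile as the reporter's test2.pem (critical CA:FALSE, keyUsage digitalSignature/nonRepudiation, EKU emailProtection/clientAuth) verified first with no trust anchor and then with itself as the anchor. It assumes the openssl command-line tool (1.1.x or newer) is on PATH; the names rootca and test2, the subjects and the minimal req config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: mint a root-style self-signed cert
# and a self-signed cert with the reporter's extension profile (CA:FALSE,
# keyUsage digitalSignature+nonRepudiation, EKU emailProtection+clientAuth),
# then run the same `openssl x509` / `openssl verify` checks as the reply.
# Assumes the openssl command-line tool (1.1.x or later) is on PATH.  Names,
# subjects and the config file below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/demo.cnf"

# Minimal req config: the subject comes from -subj, so the DN section is only
# a placeholder; the two extension sections are what the demo is about.
cat > "$CONF" <<'CNF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = emailProtection, clientAuth
CNF

# make_cert NAME SECTION: self-signed certificate using extension SECTION.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -config "$CONF" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# self_issued NAME: "yes" when subject and issuer match, the first thing the
# reply checks with `openssl x509 -subject -issuer`.
self_issued() {
    subj=$(openssl x509 -in "$WORK/$1.pem" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$WORK/$1.pem" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] && echo yes || echo no
}

# verify_with CERT [ANCHOR]: "OK" or "FAIL" from `openssl verify`.  Without
# ANCHOR only the default store is consulted, which cannot contain a cert we
# just minted: that is the "No CAfile, no trust" situation in the reply.
verify_with() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1 \
            && echo OK || echo FAIL
    else
        openssl verify "$WORK/$1.pem" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

# basic_constraints NAME: the Basic Constraints value as printed by -text.
basic_constraints() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -A1 'Basic Constraints' | tail -n1 | sed 's/^ *//'
}

make_cert rootca v3_root
make_cert test2 v3_leaf

echo "rootca self-issued:        $(self_issued rootca)"          # yes
echo "rootca, itself as anchor:  $(verify_with rootca rootca)"   # OK
echo "test2 basic constraints:   $(basic_constraints test2)"     # CA:FALSE
echo "test2, no anchor:          $(verify_with test2)"           # FAIL
echo "test2, itself as anchor:   $(verify_with test2 test2)"     # differs between OpenSSL releases
```

The first four results are stable across OpenSSL releases: both certificates are self-issued, the root verifies with itself as CAfile, test2 carries CA:FALSE, and test2 with no anchor is rejected. Whether test2 is accepted as its own trust anchor depends on the OpenSSL release in use, so the script prints that line rather than treating it as a fixed expectation; the extension sections in the config are where to experiment with the CA flag and key usage bits.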