>> If I want to “partially” verify a certificate via the command-line utility
>> - e.g. when I don’t have the issuing certificate at hand, is there a way
>> to tell the openssl tool to go just as far as it can *without* climbing up
>> the cert chain? I understand and agree that it significantly reduces the
>> value of the verification - but in some [of my use] cases it is sufficient.
>> If it is not supported now - would it be possible to add such capability
>> as an option?
>
> What does "partially verify" mean? Without the issuer's public key, you
> can't check the signature, so all you can do is *parse* the certificate,
> but you can't *verify* it.
Yes, you’re 100% correct.
By “partially verify” I mean “check for (in)consistencies”, malformed
attributes, extensions disagreeing with “-purpose”, etc.
Also, I may not have *all* of the chain available - in which case I’d like
this command-line tool to stop at the last *available* certificate of the
verification chain, telling me whether the check was OK or not *within the
available chain*.
> The "x509" utility parses certificates, what do you want to do that goes
> beyond parsing, but stops short of checking the issuer signature?
As I said above - match of the extensions to “-purpose”, for one thing…
“x509” just parses. But I guess you’re correct - if I don’t have the chain
to verify signatures, eyeballing the extensions printed with “-text -noout”
would in the end give the same result. Having a tool doing it for me would
be more convenient, but I see your point.
Also, in your next email you mention “openssl verify -partial_chain”.
Alas, I don’t see this option:
$ openssl version
OpenSSL 1.0.2e 3 Dec 2015
$ openssl verify --help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose]
[-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2
...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
timestampsign Time Stamp signing
$ man verify
NAME
verify - Utility to verify certificates.
SYNOPSIS
openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-policy arg]
[-ignore_critical] [-attime timestamp] [-check_ss_sig] [-crlfile file] [-crl_download]
[-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any] [-inhibit_map]
[-x509_strict] [-extended_crl] [-use_deltas] [-policy_print] [-no_alt_chains] [-untrusted file]
[-help] [-issuer_checks] [-trusted file] [-verbose] [-] [certificates]
DESCRIPTION
The verify command verifies certificate chains.
Thanks!
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
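The two things asked for in the message above, "verify as far as the available chain goes" and "check the extensions against -purpose without a chain", can both be demonstrated with the stock CLI. The script below is an added example, not part of the original thread or of OpenSSL's own test suite. It assumes OpenSSL 1.1.1 or later on PATH (where `openssl verify -partial_chain` is a documented option and the output formats matched below apply); the file names, subjects, the hostname www.example.test, the config file ca.cnf and the helper functions verify_status and leaf_purpose are all constructed for the demo. It builds a throwaway root / intermediate / leaf chain, then shows that `verify` fails when only the intermediate is trusted and the root is absent, succeeds once `-partial_chain` lets a trusted non-self-signed certificate end the chain, still applies `-purpose` to the leaf in that mode, and that `openssl x509 -purpose` reports the purpose table from the certificate's own extensions with no chain at all.

```shell
#!/bin/sh
# Added example, not from the original thread: what "partial" verification
# looks like with the openssl CLI. Assumes OpenSSL 1.1.1 or later on PATH.
# Every file name, subject and hostname below is constructed for the demo.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH, skipping demo" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file drives "req" and supplies the extension sections for all
# three certificates (constructed here, not a distribution openssl.cnf).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Three-level chain: root -> intermediate -> leaf (server cert, serverAuth only).
for n in root int leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
done
openssl req -new -x509 -key root.key -subj "/CN=Example Root" -days 30 \
    -config ca.cnf -extensions v3_ca -out root.pem 2>/dev/null
openssl req -new -key int.key -subj "/CN=Example Intermediate" \
    -config ca.cnf -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=www.example.test" \
    -config ca.cnf -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_server -out leaf.pem 2>/dev/null

# verify_status VERIFY-ARGS...: prints OK when "openssl verify" accepts the
# chain (it prints "<file>: OK" on success), FAIL otherwise.
verify_status() {
    if openssl verify "$@" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# leaf_purpose CERT "PURPOSE NAME": Yes/No from "openssl x509 -purpose", which
# checks the certificate's own extensions against each purpose with no chain.
leaf_purpose() {
    openssl x509 -in "$1" -noout -purpose | grep "^$2 :" | sed 's/.*: //'
}

echo "full chain, root trusted:              $(verify_status -CAfile root.pem -untrusted int.pem leaf.pem)"
echo "intermediate trusted, root missing:    $(verify_status -CAfile int.pem leaf.pem)"
echo "same, with -partial_chain:             $(verify_status -partial_chain -CAfile int.pem leaf.pem)"
echo "partial chain, -purpose sslserver:     $(verify_status -partial_chain -CAfile int.pem -purpose sslserver leaf.pem)"
echo "partial chain, -purpose sslclient:     $(verify_status -partial_chain -CAfile int.pem -purpose sslclient leaf.pem)"
echo "x509 -purpose, SSL server (no chain):  $(leaf_purpose leaf.pem 'SSL server')"
echo "x509 -purpose, SSL client (no chain):  $(leaf_purpose leaf.pem 'SSL client')"
```

Two things are worth noting when reading the output. `-partial_chain` only helps when the last certificate you do have is in the trust store (`-CAfile`/`-CApath`/`-trusted`): a chain that merely runs out of `-untrusted` certificates still fails with "unable to get issuer certificate", and the leaf's signature is checked against the intermediate either way. For the extension-versus-purpose check alone, `openssl x509 -noout -purpose` already does the per-certificate part of what the message asks for, without any issuer.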
