It seems that there is a little problem with openssl x509
when one tries to certify a self signed cert (without -req).
openssl x509 -CAserial CA.serial -CA CA.crt -CAkey CA.key -out OP.crt -in IP.crt
The callback in x509 assumes that it is called with an error
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
which is not the case; it is actually X509_V_OK.
In x509_vfy.c the callback for the self signed cert is not called with
the error value but only at the final validation.
I have the feeling that the callback in apps/x509.c should have one line added
(or something like that):
    err=X509_STORE_CTX_get_error(ctx);
    if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
        return(1);

    /* BAD we should have gotten an error. Normally if everything
     * worked X509_STORE_CTX_get_error(ctx) will still be set to
     * DEPTH_ZERO_SELF_.... */
    if (ok)
        {
        if (err == X509_V_OK) return 1; /* ********************** */
        BIO_printf(bio_err,"error with certificate to be certified - should be self signed, err=%d\n",err);
        return(0);
        }
Peter Sylvester
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]