Bonjour,
The given certificate is correctly self-signed, you can manually check
it by extracting the signature block and playing with "openssl rsautl
...", "dd ... | openssl dgst -sha1", etc.
It fails the validation path check probably because it's not declared as
a CA. There's some ongoing work on IETF about DANE certificates and
clarifications on RFC5280 about self-signed EE certificates. The
presented certificate is certainly such a DANE one.
--
Erwann ABALEA
-----
pastacircopyge: quelqu'un qui a vraiment beaucoup de chance
Le 06/08/2012 13:04, Johannes Bauer a écrit :
Hi list,
I'm quite puzzled and hope somebody can help me. I'm handling a large
number of certificates and for generating testcases for the software I
employ, I wrote a small script that downloaded web server certificates
en bulk and then processed them, to check for irregularities.
My software barfed on a certain certificate, which is this one:
-----BEGIN CERTIFICATE-----
MIIC8TCCAdmgAwIBAgIQNmL4pIUXFpRBUK7QhJR/JjANBgkqhkiG9w0BAQUFADAg
MR4wHAYDVQQDExVXTVN2Yy1XSU4tRUVCSExDODFHSjgwHhcNMTAxMjIzMjAzOTU0
WhcNMjAxMjIwMjAzOTU0WjAgMR4wHAYDVQQDExVXTVN2Yy1XSU4tRUVCSExDODFH
SjgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD6CNzdS+lWquEQndmY
R1XY6cEqeMSB6YVSxXFAARRsdLQceCIpZbD5CijYklx874gOokTwSzZ7EJ6QSPUL
jItM5PRlkeh0twrVEU5UTeqybAnVEciL5oVy6EPm4niYweAJrf5QCtPcORtt2Kjs
xYAX2Ltl7mjvi+QM+XwDX0LKWyIjpYTZXB/5XRnpzUuBw3pDx+z4fWk8SFqN4Ptb
/7fZSoxI6VeuTvrgS4aMyjsPylPnpXVAFYOcxketS0D1F9m0z5t3eD3hXesgbCHS
svy0gACF3qvarJiE6MVDaJ/tlX408G9V3gEHpCCrk+yL5FiT/dtr7tNlWMt+o9D4
5/kNAgMBAAGjJzAlMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwQHAwUAsAAA
ADANBgkqhkiG9w0BAQUFAAOCAQEAYvuUspk2lHiP3IM4maY2DOH0UfSsldyqOICP
ue3xmqNnkhN7QBe8GIcsKt3fiozC7L+zcxdIY6L7WgGx1+aK8f3AKl/FojPegMhC
WsgNy5WsR+jLUduclZDGf4qXxo9Vs1qXeP4qYZOa1rtqiBfFaQsxs4+XyFHdaB8N
HzviKd8NSeCn+ZfUTKYlErUAL+qtLaQQTqVvBVnwR9yT74izZ48f0mX8zHYMFJIk
mokioFqzl2ZVF98JBLSy6sNTZfO+eg98g3uDVRwq9JyvsWp1OJ94BvoXFZX7ETDM
Z53Hp5s3YUNRptlIvzre/foKg4MZB8BNUsEUdgaGOeoXho7jDA==
-----END CERTIFICATE-----
It's seemingly self-signed, but then again -- not. When I call openssl:
$ openssl verify -CApath /dev/null -CAfile weird.crt weird.crt
weird.crt: /CN=WMSvc-WIN-EEBHLC81GJ8
error 20 at 0 depth lookup:unable to get local issuer certificate
Interestingly the lookup fails at depth 0 (!). If a parent certificate
were missing, I'd expect a lookup fail at depth 1.
When I create a self-signed certificate:
$ openssl req -new -x509 -nodes -out foobar.crt
And check it then:
$ openssl verify -CApath /dev/null -CAfile foobar.crt foobar.crt
foobar.crt: OK
I'm puzzled and before jumping to conclusions wanted to ask you first
what you think of that.
Best regards,
Johannes
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org