On 04/04/2015 05:31, Jakob Bohm wrote:
(top posting like the rest of the thread)

(I don't like it either, but that's what Thunderbird proposes by default).

What makes you think it is incorrect to check the Key
Identifier (where present) before checking a signature
against a key?

Because the presented file4.pem is a valid issuer certificate for the one found in file3.pem? RFC5280 section 6.1 gives the validation algorithm, and the Key Identifier isn't mentioned. 6.1.3(a) checks for signature, validity, revocation status, and names (i.e. that issuercert.subjectName = cert.issuerName).

You're not supposed to follow exactly the same algorithm (or the one described in X.509), but whatever you choose, the result MUST be equivalent.

What other reasonable purpose could the Key Identifier
fields serve?

A helper to build a certificate chain to be passed to the validation algorithm.

On 03/04/2015 10:56, Erwann Abalea wrote:
> (Forwarded to openssl-users)
>
> The subjectName of file4.pem matches the issuerName of
> file3.pem, the signature block in file3.pem, when verified
> with the public key of file4.pem, gives a correct signature
> for the tbsCertificate of file3.pem. But Openssl also
> (incorrectly, IMO) checks that file4.pem.SKI matches
> file3.pem.AKI, and refuses to go further (here, AKI doesn't
> match SKI).
>
> On 03/04/2015 03:10, Yuting Chen wrote:
> > I used OpenSSL to verify a certificate file (file3.pem)
> > against another certificate file (file4.pem). OpenSSL
> > reports that it cannot find the issuer of the cert in
> > file3.pem; while when I display file3.pem and file4.pem,
> > it appears that the issuer of the cert in file3.pem is the
> > same as the subject of the cert in file4.pem. Did I miss
> > anything?

P.S.

Don't put your e-mail sig in the middle of the mail, it causes
standards-compliant mail programs to cut off everything below
it when replying (because everything below the --<space> marker
is, by definition, just the e-mail sig).

I know, I often forget to manually switch between "corporate" and "hard core" modes. And Thunderbird doesn't help.

--
Erwann ABALEA

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
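The situation the thread describes, as an added example that is not part of the original mail or of OpenSSL: a constructed Go program (using only the standard library's crypto/x509) builds a leaf certificate in the role of file3.pem and a CA certificate that was re-issued with the same name and key but a different Subject Key Identifier in the role of file4.pem. It then applies the issuer checks of RFC 5280 section 6.1.3(a) that Erwann cites, without consulting the Key Identifiers, and uses AKI/SKI only the way he suggests: as a hint for chain building. The names checkIssuer, keyIDsMatch, findIssuer, buildScenario and the fixture values (serials, SKIs, names, dates) are the example's own, and the re-issued-CA cause for the mismatch is an assumption, not something the thread establishes about the real files.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// scenario is a constructed fixture, not the thread's files: leaf plays file3.pem;
// reissuedCA plays file4.pem, the same CA (same name and key) re-issued with a new SKI.
type scenario struct {
	leaf, originalCA, reissuedCA *x509.Certificate
	now                          time.Time
}

// must panics on error; it is only used while building the fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent (tmpl itself for a self-signed CA).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func buildScenario() *scenario {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SubjectKeyId:          []byte{1, 2, 3, 4},
	}
	originalCA := issue(ca, ca, &caKey.PublicKey, caKey)
	// CreateCertificate copies originalCA.SubjectKeyId into the leaf's AKI.
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: "server.example.test"},
		NotBefore:    time.Date(2015, 3, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2016, 3, 1, 0, 0, 0, 0, time.UTC),
	}, originalCA, &leafKey.PublicKey, caKey)
	ca.SerialNumber, ca.SubjectKeyId = big.NewInt(2), []byte{9, 9, 9, 9} // re-issue: same name and key, new SKI
	reissuedCA := issue(ca, ca, &caKey.PublicKey, caKey)
	return &scenario{leaf, originalCA, reissuedCA, time.Date(2015, 4, 3, 0, 0, 0, 0, time.UTC)}
}

// checkIssuer applies the issuer checks of RFC 5280 section 6.1.3(a): name chaining,
// validity at now, and the signature under the candidate's public key (revocation
// is omitted). The Key Identifiers play no part.
func checkIssuer(child, cand *x509.Certificate, now time.Time) error {
	if !bytes.Equal(child.RawIssuer, cand.RawSubject) {
		return fmt.Errorf("issuer name does not equal the candidate's subject name")
	}
	if now.Before(child.NotBefore) || now.After(child.NotAfter) {
		return fmt.Errorf("certificate is not valid at %s", now.Format(time.RFC3339))
	}
	// CheckSignatureFrom also insists that cand is a CA allowed to sign certificates.
	if err := child.CheckSignatureFrom(cand); err != nil {
		return fmt.Errorf("signature does not verify: %w", err)
	}
	return nil
}

// keyIDsMatch reports whether child.AKI equals cand.SKI: a chain-building
// hint, not a validity requirement.
func keyIDsMatch(child, cand *x509.Certificate) bool {
	return len(child.AuthorityKeyId) > 0 && bytes.Equal(child.AuthorityKeyId, cand.SubjectKeyId)
}

// findIssuer tries the candidates whose SKI matches child's AKI first (the
// hint), then the rest; checkIssuer, not the Key Identifier, decides.
func findIssuer(child *x509.Certificate, cands []*x509.Certificate, now time.Time) (*x509.Certificate, error) {
	for _, hinted := range []bool{true, false} {
		for _, c := range cands {
			if keyIDsMatch(child, c) == hinted && checkIssuer(child, c, now) == nil {
				return c, nil
			}
		}
	}
	return nil, fmt.Errorf("no candidate passes the RFC 5280 issuer checks")
}

func main() {
	s := buildScenario()
	fmt.Println("leaf AKI equals file4 SKI:", keyIDsMatch(s.leaf, s.reissuedCA))
	fmt.Println("RFC 5280 checks against file4:", checkIssuer(s.leaf, s.reissuedCA, s.now))
}
```

Run with `go run`: the key identifiers disagree, yet the name, validity and signature checks accept the re-issued CA as issuer, which is the outcome the thread argues a verifier MUST reach; findIssuer shows where AKI/SKI legitimately belongs, as the ordering heuristic for candidate issuers rather than as a rejection criterion.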
