Re: Doubt regarding x509_verify_cert
The Bridge CA is a CA (hub) to bridge the two different CAs, so there is no need to have a self-signed certificate for BridgeCA. If you are a relying party in the Root CA1 domain and you want to create a certificate path, you will probably have:

SelfCert1byRootCA1, CrossCertFromRootCA1toBridgeCA, CrossCertFromBridgeCAtoRootCA2, UserCertByRootCA2

----- Original Message -----
From: "Suram Chandra Sekhar" <[EMAIL PROTECTED]>
To:
Sent: Friday, December 09, 2005 10:22 PM
Subject: Doubt regarding x509_verify_cert

Hi,

I have a doubt regarding x509_verify_cert. I used openssl to generate two Root CA certificates (self-signed), say Root CA1 and Root CA2. I got two self-certificates, say SelfCert1 from Root CA1 and SelfCert2 from Root CA2. In an effort to simulate a bridge CA, one more root CA is generated, say BridgeCA. I simulated a cross certification to RootCA1 by BridgeCA (say CCofRootCA1ByBridgeCA, with Issuer: BridgeCA, Subject: RootCA1, PubKey of RootCA1).

Now I try to verify SelfCert1, CCofRootCA1ByBridgeCA, BridgeCA using x509_verify_cert. This function is throwing an error saying "unable to find the local issuer cert" for SelfCert1.

My questions are:
1. Is the above scenario correct?
2. If so, why should it fail? I expect it to work because the issuer name of SelfCert1 (RootCA1) is the subject name in CCofRootCA1ByBridgeCA, whose issuer name, BridgeCA, is the subject name in BridgeCA, which is self-signed.

Awaiting your valuable responses...

Regards
Suram

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Doubt regarding x509_verify_cert
Hi,

I have a doubt regarding x509_verify_cert. I used openssl to generate two Root CA certificates (self-signed), say Root CA1 and Root CA2. I got two self-certificates, say SelfCert1 from Root CA1 and SelfCert2 from Root CA2. In an effort to simulate a bridge CA, one more root CA is generated, say BridgeCA. I simulated a cross certification to RootCA1 by BridgeCA (say CCofRootCA1ByBridgeCA, with Issuer: BridgeCA, Subject: RootCA1, PubKey of RootCA1).

Now I try to verify SelfCert1, CCofRootCA1ByBridgeCA, BridgeCA using x509_verify_cert. This function is throwing an error saying "unable to find the local issuer cert" for SelfCert1.

My questions are:
1. Is the above scenario correct?
2. If so, why should it fail? I expect it to work because the issuer name of SelfCert1 (RootCA1) is the subject name in CCofRootCA1ByBridgeCA, whose issuer name, BridgeCA, is the subject name in BridgeCA, which is self-signed.

Awaiting your valuable responses...

Regards
Suram
Doubt regarding x509_verify_cert
Hi all,

I have a doubt regarding X509_verify_cert. What I understand from the documentation of "verify" is that we need to pass all the trusted certs and all the untrusted certs. X509_verify_cert will construct the cert chain up to the ROOT CA, then validate the chain and finally verify the self-certificate. In this case, as I understand it, this function expects the ROOT CA to be self-signed and it MUST be present in the trusted list.

1. Is it a MUST that the Root CA be self-signed? The reason is that the trust anchor up to which the application MAY verify need not be the ROOT CA. Is there any way I can indicate to the function that it should return success even if the chain is not complete?

Awaiting your valuable responses

Regards
Suram
Re: Re: doubt regarding X509_verify_cert
Hi all and Hello Dr. Henson,

please find attached files:
cacert.pem - trusted certificate
cakey.pem - trusted certificate's private key
selfcert.pem - certificate signed by the given trusted certificate

The following is the output when we try to use the openssl verify utility:

$ openssl verify -CApath /usr/local/lib/openscep/ -CAfile cacert.pem -verbose -issuer_checks tmp.pem
tmp.pem: /unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/unstructuredName=3.com
error 29 at 0 depth lookup:subject issuer mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 31 at 0 depth lookup:authority and issuer serial number mismatch
/C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
error 2 at 1 depth lookup:unable to get issuer certificate

We could not make any progress with the OpenSSL verify utility as well. I request you to help us in this regard...

Awaiting your valuable response

Regards
Suram

> > I have a doubt regarding x509_verify_cert(). When we have a TRUSTED
> > certificate with the authority-key-identifier extension, and when we are
> > trying to verify a SELF certificate using the function X509_verify_cert(),
> > the verification is failing. Upon a deeper look into the function, the
> > function is failing as follows...
> >
> > When we call X509_verify_cert() with the CTX: before calling this function
> > we are initializing CTX->cert with the self-certificate, and we are adding
> > the trusted certificates to the X509_STORE using the function
> > X509_STORE_add_cert(). In X509_verify_cert():
> >
> > 1. It checks whether CTX->cert (self-certificate) is a self-signed
> > certificate or not by PUSHing the certificates into a chain.
> > 2. It is looking for trusted certificates whose subject name is the same as
> > the issuer name of CTX->cert (i.e., the self-certificate) and pushing the
> > certificates into the chain in the CTX. Now we are checking whether the
> > trusted certificates are self-signed or not by calling the function
> > X509_check_issued().
> > 3. We are passing the same trusted certificate as both the subject and the
> > issuer certificate. In this function we are checking the serial number of
> > the issuer certificate against the serial number in the Authority Key
> > Identifier extension of the subject certificate. Here we are facing a
> > problem. The problem is that ASN1_INTEGER_cmp() is failing.
> >
> > The QUESTION is whether the serial number in the trusted certificate should
> > be the SAME as the serial number in the Authority Key Identifier extension?
> > If the two need not be the same then we feel that there is a bug in the
> > X509_check_issued() function, as we are using it to verify whether the
> > certificate is self-signed or not.
> >
> > I would be thankful for any help regarding this question..
> >
> > Regards
> > Suram
>
> I've already responded to this in openssl-dev:
>
> Does this fail with the OpenSSL verify utility? If so what is the failure
> reason? Also try it with the -issuer_checks command line option.
>
> If that doesn't help much then if you could send me the certificate(s)
> causing the trouble I'll investigate further.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

--
Rama Krishna Prasad Chunduru
Software engineer
Intoto Software (I) Pvt Ltd
Kharkhana, Secundrabad

Attachments: selfcert.pem, cacert.pem, cakey.pem
doubt regarding X509_verify_cert
Hi all,

I have a doubt regarding x509_verify_cert(). When we have a TRUSTED certificate with the authority-key-identifier extension, and when we are trying to verify a SELF certificate using the function X509_verify_cert(), the verification is failing. Upon a deeper look into the function, the function is failing as follows...

When we call X509_verify_cert() with the CTX: before calling this function we are initializing CTX->cert with the self-certificate, and we are adding the trusted certificates to the X509_STORE using the function X509_STORE_add_cert(). In X509_verify_cert():

1. It checks whether CTX->cert (self-certificate) is a self-signed certificate or not by PUSHing the certificates into a chain.
2. It is looking for trusted certificates whose subject name is the same as the issuer name of CTX->cert (i.e., the self-certificate) and pushing the certificates into the chain in the CTX. Now we are checking whether the trusted certificates are self-signed or not by calling the function X509_check_issued().
3. We are passing the same trusted certificate as both the subject and the issuer certificate. In this function we are checking the serial number of the issuer certificate against the serial number in the Authority Key Identifier extension of the subject certificate. Here we are facing a problem. The problem is that ASN1_INTEGER_cmp() is failing.

The QUESTION is whether the serial number in the trusted certificate should be the SAME as the serial number in the Authority Key Identifier extension? If the two need not be the same then we feel that there is a bug in the X509_check_issued() function, as we are using it to verify whether the certificate is self-signed or not.

I would be thankful for any help regarding this question..

Regards
Suram
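Added example, not code from any of the posts above or from the OpenSSL project: a POSIX shell script that builds the certificates the thread talks about with the openssl command line and runs the checks with `openssl verify`, which drives X509_verify_cert() the same way the posters' programs do (`-CAfile` fills the trusted X509_STORE, `-untrusted` is the stack of untrusted certificates handed to X509_STORE_CTX_init). It covers the three questions in one run: the bridge-CA path from the first two messages (checked both from the RootCA1 relying party's side and from the BridgeCA side), the second message's wish to stop at a trust anchor that is not a self-signed root (possible today with `-partial_chain`, X509_V_FLAG_PARTIAL_CHAIN in the API, which arrived in OpenSSL 1.0.2 and did not exist when the thread was written), and the authority-key-identifier problem from the later messages, reproduced by issuing one extra certificate whose AKID carries the issuer name and serial of RootCA1's self-signed certificate: it verifies directly under RootCA1 but cannot be chained through the cross-certificate, because X509_check_issued() compares the AKID's issuer and serial with the cross-certificate actually in the path and rejects it as issuer. The script assumes OpenSSL 1.1.1 or later in PATH (for -no-CApath, -partial_chain and a nonzero exit status on failure). The CA and certificate names are the thread's own; `bridge_path.pem`, the `*.ext` files, `SelfCert1_serial` and the `verify_*` function names are chosen here for the demo, and every key and file is generated in a temporary directory.

```shell
#!/bin/sh
# Added example (not code from the thread): build the cross-certified PKI the posts describe
# with the openssl command line and show what X509_verify_cert / openssl verify needs to see.
# Assumes OpenSSL 1.1.1 or later in PATH (for -no-CApath, -partial_chain and a nonzero exit
# status when verification fails). Certificate names are the thread's own; files are generated here.
set -e
command -v openssl >/dev/null || { echo "openssl not found in PATH" >&2; exit 1; }
WORK=$(mktemp -d); cd "$WORK"

# req insists on a distinguished_name section even when -subj supplies the whole name.
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > req.cnf
# CA certificates carry a subjectKeyIdentifier; issued certificates carry a keyid-only
# authorityKeyIdentifier, so the AKID matches any certificate holding the issuer's key
# (the CA's own self-signed certificate or a cross-certificate for it). bad_leaf.ext adds
# issuer name + serial to the AKID, which can only ever match the one certificate copied from.
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer:always\n' > bad_leaf.ext

newkey() {   # newkey <name>: <name>.key plus a CSR for /CN=<name>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
    openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr"
}
mk_root() {  # mk_root <name>: self-signed CA certificate <name>.pem
    newkey "$1"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile root.ext -out "$1.pem" 2>/dev/null
}
mk_cross() { # mk_cross <issuer> <subject>: <issuer> certifies <subject>'s existing CA key
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -days 30 \
        -extfile ca.ext -out "cross_${2}_by_${1}.pem" 2>/dev/null
}
mk_leaf() {  # mk_leaf <issuer> <name> <extfile>: end-entity certificate <name>.pem
    newkey "$2"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -days 30 \
        -extfile "$3" -out "$2.pem" 2>/dev/null
}

mk_root RootCA1; mk_root RootCA2; mk_root BridgeCA
mk_cross BridgeCA RootCA1                       # CCofRootCA1ByBridgeCA (first question)
mk_cross RootCA1 BridgeCA                       # CrossCertFromRootCA1toBridgeCA (reply)
mk_cross BridgeCA RootCA2                       # CrossCertFromBridgeCAtoRootCA2 (reply)
mk_leaf RootCA1 SelfCert1 leaf.ext
mk_leaf RootCA1 SelfCert1_serial bad_leaf.ext   # same issuer, AKID pins issuer name + serial
mk_leaf RootCA2 UserCertByRootCA2 leaf.ext
cat cross_BridgeCA_by_RootCA1.pem cross_RootCA2_by_BridgeCA.pem > bridge_path.pem

# check <trusted.pem> <untrusted.pem or ''> <target.pem> [extra verify flags]
# Prints "ok", or the reason text from the first "error N at D depth lookup:" line.
check() {
    trusted=$1; untrusted=$2; target=$3; shift 3
    if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
    if out=$(openssl verify -no-CApath -CAfile "$trusted" "$@" "$target" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

# Relying party in the RootCA1 domain: trust RootCA1, hand over both cross-certificates as
# untrusted chain material, verify a certificate issued by RootCA2.
verify_bridge_path()            { check RootCA1.pem bridge_path.pem UserCertByRootCA2.pem; }
# Same trust anchor, but the cross-certificates were never supplied: no chain can be built.
verify_without_cross_certs()    { check RootCA1.pem '' UserCertByRootCA2.pem; }
# The first question's setup: trust BridgeCA, supply CCofRootCA1ByBridgeCA as untrusted, verify SelfCert1.
verify_selfcert1_via_bridge()   { check BridgeCA.pem cross_RootCA1_by_BridgeCA.pem SelfCert1.pem; }
# Same path with the name+serial AKID: the cross-certificate has a different issuer and serial
# than RootCA1's self-signed certificate, so X509_check_issued() rejects it as the issuer.
verify_serial_akid_via_bridge() { check BridgeCA.pem cross_RootCA1_by_BridgeCA.pem SelfCert1_serial.pem; }
verify_serial_akid_direct()     { check RootCA1.pem '' SelfCert1_serial.pem; }
# A trust anchor that is not a self-signed root: rejected by default, accepted with -partial_chain.
verify_cross_cert_as_anchor()   { check cross_RootCA1_by_BridgeCA.pem '' SelfCert1.pem; }
verify_cross_cert_partial()     { check cross_RootCA1_by_BridgeCA.pem '' SelfCert1.pem -partial_chain; }

for f in verify_bridge_path verify_without_cross_certs verify_selfcert1_via_bridge \
         verify_serial_akid_via_bridge verify_serial_akid_direct \
         verify_cross_cert_as_anchor verify_cross_cert_partial; do
    printf '%-30s %s\n' "$f:" "$($f)"
done
```

Run it with `sh bridge_ca_demo.sh`; every scenario prints `ok` or the reason string from the `error N at D depth lookup:` line the verify utility emits. The two things that make the bridge path work are visible in the arguments: the self-signed anchor goes into the trusted store and nothing else, and every intermediate (here the cross-certificates) is passed as untrusted material for the chain builder to pick from. The keyid-only AKID is what lets a certificate be chained either through its CA's self-signed certificate or through a cross-certificate for the same key; once the AKID also names an issuer and serial, it is bound to one specific certificate and cross-certification breaks, which is the check Suram found in X509_check_issued().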