Help for openssl verify command and its strange error message
Dear all,

I generated a CA self-signed certificate and an EE certificate and tried to verify the cert name chain using openssl-0.9.7-beta3.

  openssl verify -issuer_checks -CAfile cacert.pem 01.pem

I encounter the following message:

  01.pem: /C=JP/O=TEST/OU=TESTORG/CN=EE01
  error 29 at 0 depth lookup:subject issuer mismatch
  /C=JP/O=TEST/OU=TESTORG/CN=EE01
  error 29 at 0 depth lookup:subject issuer mismatch
  /C=JP/O=TEST/OU=TESTORG/CN=EE01
  error 29 at 0 depth lookup:subject issuer mismatch
  OK

I checked the subject and issuer names:

  openssl x509 -in cacert.pem -noout -text

        Issuer: C=JP, O=TEST, OU=TESTORG, CN=TESTCA
        Validity
            Not Before: Nov  6 11:56:42 2002 GMT
            Not After : Oct 28 11:56:42 2037 GMT
        Subject: C=JP, O=TEST, OU=TESTORG, CN=TESTCA

  openssl x509 -in 01.pem -noout -text

        Issuer: C=JP, O=TEST, OU=TESTORG, CN=TESTCA
        Validity
            Not Before: Nov  6 11:56:55 2002 GMT
            Not After : Oct 29 11:56:55 2032 GMT
        Subject: C=JP, O=TEST, OU=TESTORG, CN=EE01

Looks ok to me.  So I decided to see the exact content inside the binary file.

  openssl x509 -in 01.pem -outform DER -out 01.der
  openssl x509 -in cacert.pem -outform DER -out cacert.der

  dumpasn1 -hh cacert.der

Hex value of the CA's subject name:

  30 3F 31 0B 30 09 06 03 55 04 06 13 02 4A 50 31 0D 30 0B 06 03 55 04 0A

  dumpasn1 -hh 01.der

... Hex value of the EE's issuer name:

  30 3F 31 0B 30 09 06 03 55 04 06 13 02 4A 50 31 0D 30 0B 06 03 55 04 0A

I think that the two values are the same.  Please let me know why the verify command tells me "subject issuer mismatch" and how I could correct this problem.  I am attaching the 2 certificates for your reference.
Sincerely,
-Kiyoshi

Kiyoshi Watanabe

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=TEST, OU=TESTORG, CN=TESTCA
        Validity
            Not Before: Nov  6 11:56:55 2002 GMT
            Not After : Oct 29 11:56:55 2032 GMT
        Subject: C=JP, O=TEST, OU=TESTORG, CN=EE01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a3:19:33:f3:da:8a:9c:21:c5:93:b3:21:d7:70:
                    5d:a0:76:dc:8a:0e:85:1f:d4:62:3e:ba:f1:a1:97:
                    e7:de:2a:b8:96:f8:3f:cb:49:a9:2e:70:b4:ef:1d:
                    16:39:24:6e:0a:e1:d8:81:b1:c2:f0:fe:83:a8:1e:
                    58:d2:1d:e7:a1:a7:7b:a2:ac:50:bc:ba:d4:9d:0b:
                    69:e0:a1:95:93:49:d7:3d:0b:df:81:76:2d:39:68:
                    b5:b9:05:b5:cc:2c:90:84:47:13:0b:a9:37:5b:ba:
                    96:19:62:cf:02:f1:b0:3c:3d:4f:6f:46:87:2f:39:
                    d4:27:33:22:1c:95:ea:b3:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:46:26:51:EE:72:2D:33:85:87:D2:59:3A:4A:B2:F5:D3:60:0E:1F:64

            X509v3 Subject Key Identifier:
                73:09:C5:4D:6A:09:06:5C:E3:85:58:F1:72:FE:7D:0C:5F:1F:96:2A
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Certificate Policies:
                Policy: 0.2.440.20013.1.2002.1.10.1

            X509v3 CRL Distribution Points:
                URI:ldap://h-re.pki-j-sim.jp/cn=TestCA,ou=TESTMM2,o=PPTG,c=JP?certificateRevocationList;binary

    Signature Algorithm: sha1WithRSAEncryption
        6b:c6:6e:20:1b:c0:8c:97:ee:79:b6:2f:22:c8:84:ca:cd:89:
        c2:7b:4f:57:2d:07:c6:d7:0a:de:60:38:09:c2:f8:c0:a9:f8:
        29:fd:9f:16:f0:cf:1a:51:a9:12:7b:6a:ab:a6:4a:2b:10:f0:
        32:28:66:f7:32:80:30:f7:4d:24:38:dd:e6:5f:86:61:70:1a:
        3e:71:b5:69:85:e5:19:27:00:b3:3a:58:98:e3:cc:95:9d:5a:
        9c:83:42:28:8f:53:ac:12:5a:13:2b:76:64:90:71:a1:0c:8f:
        18:a5:f8:45:dc:5c:36:55:68:31:57:e6:99:90:72:b9:44:d2:
        71:30:91:a4:d0:3f:48:9e:63:3c:fc:76:3c:41:61:10:35:ec:
        43:0c:1c:09:10:17:b1:c8:d1:97:d8:ba:31:60:a6:8b:09:68:
        38:cc:c1:78:35:6a:35:92:66:19:c7:e0:57:33:7a:c6:94:74:
        a3:c5:0f:e7:0c:ef:41:7a:84:df:85:a2:8f:6b:99:0a:24:e8:
        45:d8:98:33:20:ca:e6:55:9e:d2:8d:cb:6d:25:13:38:2e:f2:
        77:80:53:d9:6e:9c:4e:17:d6:85:41:d8:9a:df:6b:91:74:1d:
        e9:62:a1:ca:78:42:cc:4b:00:64:ca:87:14:1d:5f:42:fe:07:
        32:92:05:77
-----BEGIN CERTIFICATE-----
MIIDTzCCAjegAwIBAgIBATANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQGEwJKUDEN
MAsGA1UEChMEVEVTVDEQMA4GA1UECxMHVEVTVE9SRzEPMA0GA1UEAxMGVEVTVENB
MB4XDTAyMTEwNjExNTY1NVoXDTMyMTAyOTExNTY1NVowPTELMAkGA1UEBhMCSlAx
DTALBgNVBAoTBFRFU1QxEDAOBgNVBAsTB1RFU1RPUkcxDTALBgNVBAMTBEVFMDEw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKMZM/PaipwhxZOzIddwXaB23IoO
hR/UYj668aGX594quJb4P8tJqS5wtO8dFjkkbgrh2IGxwvD+g6geWNId56Gne6Ks
ULy61J0LaeChlZNJ1z0L34F2LTlotbkFtcwskIRHEwupN1u6lhlizwLxsDw9T29G
hy851CczIhyV6rMDAgMBAAGjgdswgdgwHwYDVR0jBBgwFoAURiZR7nItM4WH0lk6
Re: Help for openssl verify command and its strange error message
In message [EMAIL PROTECTED] on Wed, 06 Nov 2002 21:23:24 +0900 (JST), Kiyoshi WATANABE [EMAIL PROTECTED] said:

kiyoshi> openssl verify -issuer_checks -CAfile cacert.pem 01.pem
kiyoshi>
kiyoshi> I encounter the following message:
kiyoshi>
kiyoshi> 01.pem: /C=JP/O=TEST/OU=TESTORG/CN=EE01
kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
kiyoshi> OK

That happens because there are 3 calls to check_issued (in x509_vfy.c)
that are used to check if the current certificate is self-issued
(which means this check is performed 3 times with your EE
certificate).  check_issued() looks like this:

static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
    {
    int ret;
    ret = X509_check_issued(issuer, x);
    if (ret == X509_V_OK)
        return 1;
    /* If we haven't asked for issuer errors don't set ctx */
    if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
        return 0;

    ctx->error = ret;
    ctx->current_cert = x;
    ctx->current_issuer = issuer;
    return ctx->verify_cb(0, ctx);
    return 0;
    }


Since -issuer_checks sets the X509_V_FLAG_CB_ISSUER_CHECK flag and
'issuer' isn't the issuer of 'x' during those three calls, you can see
how come the callback gets called those three times.  The callback in
question is the one in apps/verify.c, which writes those lines you
saw.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
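The two things this exchange turns on, the byte-for-byte comparison of the EE issuer name against the CA subject name that the original poster did by hand with dumpasn1, and the fact that under -issuer_checks the verify callback reports a non-fatal "error 29" for each failed self-issued probe before the chain walk ends with OK, can be reproduced with the following stand-alone Python script. It is an added example, not code from this thread or from OpenSSL: the DER Name encoder/decoder, the `build_chain` walk and every certificate record in it are constructed for illustration, and `issued_by` models only the name-comparison part of X509_check_issued() (it does not check key identifiers or key usage). Where the 0.9.7 code quoted above probes the leaf three times, `build_chain` probes once per depth, so it prints one error 29 line rather than three.

```python
"""Added example (not from the thread or from OpenSSL): a stdlib-only DER
encoder/decoder for X.501 Names plus an emulation of the name-chaining walk,
reproducing the dumpasn1 byte comparison and the non-fatal "error 29" lines."""
OID_BY_SHORT = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
SHORT_BY_OID = {v: k for k, v in OID_BY_SHORT.items()}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, contents):
    return bytes([tag]) + der_len(len(contents)) + contents

def encode_oid(dotted):
    """OID contents: first two arcs packed into one octet, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return bytes(out)

def encode_name(rdns):
    """[("C", "JP"), ...] -> DER Name; values as PrintableString (0x13), as in the certs above."""
    body = b""
    for short, value in rdns:
        atv = tlv(0x06, encode_oid(OID_BY_SHORT[short])) + tlv(0x13, value.encode("ascii"))
        body += tlv(0x31, tlv(0x30, atv))          # SET { SEQUENCE { type, value } }
    return tlv(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, contents, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    arcs, val = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """DER Name -> [("C", "JP"), ...]; ValueError if the outer structure is wrong."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be exactly one SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        stag, rdn, pos = read_tlv(seq, pos)
        if stag != 0x31:
            raise ValueError("RDN must be a SET")
        ipos = 0
        while ipos < len(rdn):                      # one or more AttributeTypeAndValue
            _, atv, ipos = read_tlv(rdn, ipos)
            _, oid, vpos = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, vpos)
            dotted = decode_oid(oid)
            rdns.append((SHORT_BY_OID.get(dotted, dotted), value.decode("latin-1")))
    return rdns

def oneline(rdns):
    """The /C=JP/O=TEST/... rendering that openssl verify prints."""
    return "".join(f"/{k}={v}" for k, v in rdns)

def issued_by(cert, issuer):
    """Byte-exact issuer-name == subject-name check (key identifiers, key usage not modelled)."""
    return cert["issuer"] == issuer["subject"]

def build_chain(leaf, store, issuer_checks=False):
    """Walk leaf -> self-issued root by name chaining; returns (ok, chain, lines).
    With issuer_checks each failed self-issued probe is reported the way the verify
    callback does; those lines are informational, ok alone is the verdict."""
    chain, lines, cur = [leaf], [], leaf
    for depth in range(len(store) + 1):
        if issued_by(cur, cur):
            return True, chain, lines + ["OK"]
        if issuer_checks:
            lines.append(f"{oneline(decode_name(cur['subject']))}\n"
                         f"error 29 at {depth} depth lookup:subject issuer mismatch")
        nxt = next((c for c in store if issued_by(cur, c)), None)
        if nxt is None:
            return False, chain, lines + [
                f"error 20 at {depth} depth lookup:unable to get local issuer certificate"]
        chain.append(nxt)
        cur = nxt
    return False, chain, lines + ["no self-issued root reached"]

# Constructed records carrying only the names from the thread's certificates.
CA_NAME = encode_name([("C", "JP"), ("O", "TEST"), ("OU", "TESTORG"), ("CN", "TESTCA")])
EE_NAME = encode_name([("C", "JP"), ("O", "TEST"), ("OU", "TESTORG"), ("CN", "EE01")])
CA_CERT = {"subject": CA_NAME, "issuer": CA_NAME}
EE_CERT = {"subject": EE_NAME, "issuer": CA_NAME}
```

`CA_NAME` begins with exactly the 24 octets the poster saw from dumpasn1 (30 3F 31 0B 30 09 06 03 55 04 06 13 02 4A 50 ...), and `build_chain(EE_CERT, [CA_CERT], issuer_checks=True)` returns ok=True together with one "error 29 at 0 depth" line followed by "OK", which is the shape of output in the thread; the same call without `issuer_checks` yields just "OK". A store whose only CA has a different name makes `build_chain` return ok=False with an "error 20" line, which is the case where those lines actually matter.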
Re: Help for openssl verify command and its strange error message
In message [EMAIL PROTECTED] on Wed, 06 Nov 2002 15:12:28 +0100 (CET), Richard Levitte - VMS Whacker [EMAIL PROTECTED] said:

levitte> In message [EMAIL PROTECTED] on Wed, 06 Nov 2002 21:23:24 +0900 (JST), Kiyoshi WATANABE [EMAIL PROTECTED] said:
levitte>
levitte> kiyoshi> openssl verify -issuer_checks -CAfile cacert.pem 01.pem
levitte> kiyoshi>
levitte> kiyoshi> I encounter the following message:
levitte> kiyoshi>
levitte> kiyoshi> 01.pem: /C=JP/O=TEST/OU=TESTORG/CN=EE01
levitte> kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
levitte> kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
levitte> kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
levitte> kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
levitte> kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
levitte> kiyoshi> OK
levitte>
levitte> That happens because there are 3 calls to check_issued (in x509_vfy.c)
levitte> that are used to check if the current certificate is self-issued
levitte> (which means this check is performed 3 times with your EE
levitte> certificate).  check_issued() looks like this:
levitte>
levitte> static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
levitte>     {
levitte>     int ret;
levitte>     ret = X509_check_issued(issuer, x);
levitte>     if (ret == X509_V_OK)
levitte>         return 1;
levitte>     /* If we haven't asked for issuer errors don't set ctx */
levitte>     if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
levitte>         return 0;
levitte>
levitte>     ctx->error = ret;
levitte>     ctx->current_cert = x;
levitte>     ctx->current_issuer = issuer;
levitte>     return ctx->verify_cb(0, ctx);
levitte>     return 0;
levitte>     }
levitte>
levitte>
levitte> Since -issuer_checks sets the X509_V_FLAG_CB_ISSUER_CHECK flag and
levitte> 'issuer' isn't the issuer of 'x' during those three calls, you can see
levitte> how come the callback gets called those three times.  The callback in
levitte> question is the one in apps/verify.c, which writes those lines you
levitte> saw.

In other words, you don't need to worry about those lines...
Re: Help for openssl verify command and its strange error message
In message [EMAIL PROTECTED] on Wed, 06 Nov 2002 23:58:06 +0900 (JST), Kiyoshi WATANABE [EMAIL PROTECTED] said:

kiyoshi> Does this mean that openssl verify command does not check the name
kiyoshi> chain and if I put the correct value in the issuer of x in
kiyoshi> apps/verify.c, I would not get the error? or does it check in
kiyoshi> somewhere else?

The check happens somewhere else.  The chain is still verified, and the crucial thing to look at is if you got OK at the end.  If not, then it's time to look at those issuer_checks lines.