How to find correct issuer certificate in multi-level hierarchy?

2012-08-02 Thread Ashok C
Hi,

Is there a way in which I can determine the correct issuer certificate of
an issued certificate (either intermediate CA or end entity) based on
comparing the immediate pair alone?
Eg:
My hierarchy is like this:

Root
Intermediate CA 1
Intermediate CA 2
End entity

Is it possible to determine that Intermediate CA2 is the issuer of the End
entity certificate without having to traverse the full hierarchy?

I do not want to depend upon issuer-name/subject-name comparisons alone (as
this is not deterministic and conclusive).
I do not want to depend upon the Authority Key Identifier / Subject Key
Identifier keyId fields (as most CAs seem to not have this extension at
all).

Basically I want some signature check method from OpenSSL that can take two
certificates as input and tell me if one has issued the other:

int openSSL_signature_check(X509 *issuer_certificate, X509 *issued_certificate)
{
    int return_code = signature_check(issuer_certificate, issued_certificate);
    if (0 == return_code)
        return YES_ISSUER_IS_CORRECT;
    else
        return NO_ISSUER_IS_NOT_CORRECT;
}

Is something like this already available in OpenSSL?

One more question:
Given a certificate and trust store, OpenSSL's verify utility currently
returns OK in case the verification was successful. Is there a way in which
I can retrieve the formed and verified chain of certificates back?

--
Ashok


Re: How to find correct issuer certificate in multi-level hierarchy?

2012-08-02 Thread Jakob Bohm

On 8/2/2012 10:04 AM, Ashok C wrote:

> Hi,
>
> Is there a way in which I can determine the correct issuer certificate
> of an issued certificate (either intermediate CA or end entity) based
> on comparing the immediate pair alone?
>
> Eg:
> My hierarchy is like this:
>
> Root
> Intermediate CA 1
> Intermediate CA 2
> End entity
>
> Is it possible to determine that Intermediate CA2 is the issuer of the
> End entity certificate without having to traverse the full hierarchy?
>
>
> I do not want to depend upon issuer-name/subject-name comparisons
> alone (as this is not deterministic and conclusive).
> I do not want to depend upon the Authority Key Identifier / Subject Key
> Identifier keyId fields (as most CAs seem to not have this extension
> at all).


Those two are the standard ways though (specifically, doing both if 
Authority Key Identifier is present).


> Basically I want some signature check method from OpenSSL that can take two
> certificates as input and tell me if one has issued the other:


> int openSSL_signature_check(X509 *issuer_certificate, X509 *issued_certificate)
> {
>     int return_code = signature_check(issuer_certificate, issued_certificate);
>     if (0 == return_code)
>         return YES_ISSUER_IS_CORREC T;
>     else
>         return NO_ISSUER_IS_NOT_CORRECT;
> }

In other words you are looking for a function to verify a certificate 
given exactly one possible issuer.

> Is something like this already available in OpenSSL?

I guess it at least exists as an internal function called from the 
verify code, so look at the source code for that and see if you find a 
call to a function that does what you want.


Alternatively, you could set up a certificate collection object in 
memory containing only the suspected issuer certificate and then pass 
that as the trusted certificate collection to the certificate verify 
function.



> One more question:
> Given a certificate and trust store, OpenSSL's verify utility
> currently returns OK in case the verification was successful. Is there
> a way in which I can retrieve the formed and verified chain of
> certificates back?


I sure hope so, as it is very useful on the client side to decide which 
certificates to provide to the other end.

> --
> Ashok




--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10 
call:+4531131610

This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  majord...@openssl.org


Re: How to find correct issuer certificate in multi-level hierarchy?

2012-08-02 Thread Dr. Stephen Henson
On Thu, Aug 02, 2012, Ashok C wrote:

> Hi,
>
> Is there a way in which I can determine the correct issuer certificate of
> an issued certificate (either intermediate CA or end entity) based on
> comparing the immediate pair alone?
> Eg:
> My hierarchy is like this:
>
> Root
> Intermediate CA 1
> Intermediate CA 2
> End entity
>
> Is it possible to determine that Intermediate CA2 is the issuer of the End
> entity certificate without having to traverse the full hierarchy?
>
> I do not want to depend upon issuer-name/subject-name comparisons alone (as
> this is not deterministic and conclusive).
> I do not want to depend upon the Authority Key Identifier / Subject Key
> Identifier keyId fields (as most CAs seem to not have this extension at
> all).
>
> Basically I want some signature check method from OpenSSL that can take two
> certificates as input and tell me if one has issued the other:
>
> int openSSL_signature_check(X509 *issuer_certificate, X509 *issued_certificate)
> {
>     int return_code = signature_check(issuer_certificate, issued_certificate);
>     if (0 == return_code)
>         return YES_ISSUER_IS_CORRECT;
>     else
>         return NO_ISSUER_IS_NOT_CORRECT;
> }
>
> Is something like this already available in OpenSSL?
>

You can use the function X509_verify to do this but you have to extract the
public key from the issuer using X509_get_pubkey.

> One more question:
> Given a certificate and trust store, OpenSSL's verify utility currently
> returns OK in case the verification was successful. Is there a way in which
> I can retrieve the formed and verified chain of certificates back?
>

There isn't a command line option to do this but the API call
X509_STORE_CTX_get1_chain will retrieve the chain from an X509_STORE_CTX
structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: How to find correct issuer certificate in multi-level hierarchy?

2012-08-02 Thread Ashok C
Thank you Jakob and Stephen.
That brings one more question which was posted by Klaus sometime back:

Hi!

I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl to connect to Google and
validate its certificate:

openssl s_client -connect www.google.com:443 -CAfile dump.crt

When using openssl 0.9.8k or openssl 0.9.8x everything works as expected.

When using openssl 1.0.0g or openssl 1.0.1c the certificate validation fails
with:
  Verify return code: 10 (certificate has expired)

CONNECTED(016C)
depth=2 C = US, O = VeriSign, Inc., OU = Class 3 Public Primary
Certification Authority
verify error:num=10:certificate has expired
notAfter=Jan  7 23:59:59 2004 GMT
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority

When analyzing the cafile with the dumped certificates from Windows
certificate store, I found out that there are two certificates for Verisign
with identical subject, whereas one is expired, the other not.

X.509 Certificate Information:
Version: 1
Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Wed Jan 07 23:59:59 UTC 2004
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA

X.509 Certificate Information:
Version: 1
Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Tue Aug 01 23:59:59 UTC 2028
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA


Thus, it seems that openssl 0.9.8 just ignores the expired certificate and
searches if there is another valid one, whereas openssl 1.0.0 stops with the
first expired certificate.

Is the new behavior the intended behavior? Is it possible to have the old
behavior also in new openssl versions?

Thanks
Klaus

Is this behaviour intended in openssl-1.0.0?

--
Ashok
