Re: How to check if the certificate is self signed
Victor, thanks for answer! I will try to develop it.

> On Fri, Jan 02, 2009 at 02:05:10AM +0300, Taras P. Ivashchenko wrote:
> > Hello, list!
> >
> > I found in archive [0] discussion about how to check if certificate is
> > self-signed. But I can't find there solution how can I do it from
> > application. At the moment I need to check this (if given certificate is
> > self-signed) from application I developed. And now I simply compare
> > Issuer and Subject, but it is not fully correct. So my question is: how
> > can I check if given certificate is self-signed from application (python
> > + python openssl module)? By what criterion I can do this?
>
> If there are X.509v3 extensions carrying the subject key identifier and
> the authority key id, the certificate is self-signed if these are equal:
>
>     X509v3 Subject Key Identifier:
>         0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
>     X509v3 Authority Key Identifier:
>         keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
>
> Note the authority key identifier can be multi-valued of various types,
> but the subject key identifier is always the hash of the subject's public
> key.
>
>     X509v3 Authority Key Identifier:
>         keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
>         DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/emailaddress=postmas...@example.com
>         serial:E7:ED:11:3A:5F:51:0D:4D
>
> If no authority keyid is present, but DirName or serial are present,
> compare these with the subject DN or serial of the certificate.
>
> If the extension is missing, compare subject and issuer DNs.
>
> Your code needs to be able to compare DNs and parse the above extensions.
>
> --
>     Viktor.
>
> __
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
Тарас Иващенко (Taras Ivashchenko), OSCP
www.securityaudit.ru

Software is like sex: it's better when it's free. - Linus Torvalds
Re: How to check if the certificate is self signed
Hello, list!

I found in archive [0] discussion about how to check if certificate is
self-signed. But I can't find there solution how can I do it from
application. At the moment I need to check this (if given certificate is
self-signed) from application I developed. And now I simply compare Issuer
and Subject, but it is not fully correct. So my question is: how can I
check if given certificate is self-signed from application (python + python
openssl module)? By what criterion I can do this?

[0] http://marc.info/?t=11617606492r=1w=2

Thanks and Happy New Year!

--
Тарас Иващенко (Taras Ivashchenko), OSCP
www.securityaudit.ru

Software is like sex: it's better when it's free. - Linus Torvalds
Re: How to check if the certificate is self signed
On Fri, Jan 02, 2009 at 02:05:10AM +0300, Taras P. Ivashchenko wrote:
> Hello, list!
>
> I found in archive [0] discussion about how to check if certificate is
> self-signed. But I can't find there solution how can I do it from
> application. At the moment I need to check this (if given certificate is
> self-signed) from application I developed. And now I simply compare
> Issuer and Subject, but it is not fully correct. So my question is: how
> can I check if given certificate is self-signed from application (python
> + python openssl module)? By what criterion I can do this?

If there are X.509v3 extensions carrying the subject key identifier and
the authority key id, the certificate is self-signed if these are equal:

    X509v3 Subject Key Identifier:
        0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
    X509v3 Authority Key Identifier:
        keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00

Note the authority key identifier can be multi-valued of various types,
but the subject key identifier is always the hash of the subject's public
key.

    X509v3 Authority Key Identifier:
        keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
        DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/emailaddress=postmas...@example.com
        serial:E7:ED:11:3A:5F:51:0D:4D

If no authority keyid is present, but DirName or serial are present,
compare these with the subject DN or serial of the certificate.

If the extension is missing, compare subject and issuer DNs.

Your code needs to be able to compare DNs and parse the above extensions.

--
    Viktor.
RE: How to check if the certificate is self signed
If the subject and issuer are the same, then the cert is self-signed.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bhat, Jayalakshmi Manjunath
Sent: Wednesday, October 25, 2006 12:45 PM
To: openssl-users@openssl.org
Subject: How to check if the certificate is self signed

> Hi All,
>
> How do I check if the given certificate is self-signed?
>
> Thanks and Regards,
> Jaya

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is
the property of Persistent Systems Pvt. Ltd. It is intended only for the
use of the individual or entity to which it is addressed. If you are not
the intended recipient, you are not authorized to read, retain, copy,
print, distribute or use this message. If you have received this
communication in error, please notify the sender and delete all copies of
this message. Persistent Systems Pvt. Ltd. does not accept any liability
for virus infected mails.
Re: How to check if the certificate is self signed
On 10/25/06, Ambarish Mitra [EMAIL PROTECTED] wrote:
> If the subject and issuer are the same, then the cert is self-signed.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bhat, Jayalakshmi Manjunath
> Sent: Wednesday, October 25, 2006 12:45 PM
> To: openssl-users@openssl.org
> Subject: How to check if the certificate is self signed
>
> > Hi All,
> >
> > How do I check if the given certificate is self-signed?
> >
> > Thanks and Regards,
> > Jaya

Hi Ambarish

Thanks for the reply

How do I check the subject and the issuer of the self signed certificate?

Thanks and Regards

Kaushal
RE: How to check if the certificate is self signed
If you have the base64 cert in your file system, just do this:

    openssl x509 -in cert.pem -inform PEM -noout -subject
    openssl x509 -in cert.pem -inform PEM -noout -issuer

Hope this helps. Let us know.

Ambarish.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kaushal Shriyan
Sent: Wednesday, October 25, 2006 12:53 PM
To: openssl-users@openssl.org
Subject: Re: How to check if the certificate is self signed

> On 10/25/06, Ambarish Mitra [EMAIL PROTECTED] wrote:
> > If the subject and issuer are the same, then the cert is self-signed.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bhat, Jayalakshmi Manjunath
> > Sent: Wednesday, October 25, 2006 12:45 PM
> > To: openssl-users@openssl.org
> > Subject: How to check if the certificate is self signed
> >
> > > Hi All,
> > >
> > > How do I check if the given certificate is self-signed?
> > >
> > > Thanks and Regards,
> > > Jaya
>
> Hi Ambarish
>
> Thanks for the reply
>
> How do I check the subject and the issuer of the self signed certificate?
>
> Thanks and Regards
>
> Kaushal
Re: How to check if the certificate is self signed
Hi,

just check if issuer and holder are the same!

2006/10/25, Bhat, Jayalakshmi Manjunath [EMAIL PROTECTED]:
> Hi All,
>
> How do I check if the given certificate is self-signed?
>
> Thanks and Regards,
> Jaya

--
Vincenzo Sciarra
Re: How to check if the certificate is self signed
Vincenzo Sciarra schrieb:
> Hi,

Hello Vincenzo,

> just check if issuer and holder are the same!

or do it the correct way:

    openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem

should return:

    self_signed_cert.pem: OK

> 2006/10/25, Bhat, Jayalakshmi Manjunath [EMAIL PROTECTED]
> mailto:[EMAIL PROTECTED]:
> > How do I check if the given certificate is self-signed?

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
Re: How to check if the certificate is self signed
On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
> Vincenzo Sciarra schrieb:
> > Hi,
>
> Hello Vincenzo,
>
> > just check if issuer and holder are the same!
>
> or do it the correct way:
>
>     openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
>
> should return:
>
>     self_signed_cert.pem: OK

Indeed, technically a certificate with issuer and subject names identical
is self-issued and may or may not be self signed. It has to be signed with
its own key to be self signed which the above command checks.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
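Steve's self-issued versus self-signed distinction, worked through with the openssl command line as an added example that is not part of the thread: it builds a genuinely self-signed CA, a second certificate carrying the same subject and issuer name but signed by the CA's key (self-issued, not self-signed), and an ordinary end-entity certificate, then runs the naive name comparison from the thread beside the signature check, and prints the SKID/AKID values Viktor's reply relies on. It assumes a POSIX sh with the openssl binary on PATH; `-check_ss_sig` is passed because, as the verify man page states, openssl verify does not by default verify the signature of a certificate it already treats as a trust anchor, so a name-only self-issued certificate could otherwise pass.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    # Key #1: genuinely self-signed CA, subject and issuer both CN=CA.
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=CA -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    # Key #2: subject CN=CA, issuer CN=CA, but signed by key #1.
    # Self-issued (names match), NOT self-signed (wrong key).
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=CA \
        -keyout "$1/k2.key" -out "$1/k2.csr" 2>/dev/null
    openssl x509 -req -in "$1/k2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 2 -days 30 -out "$1/selfissued.pem" 2>/dev/null
    # Key #3: ordinary end-entity certificate issued by the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=User1 \
        -keyout "$1/k3.key" -out "$1/k3.csr" 2>/dev/null
    openssl x509 -req -in "$1/k3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 3 -days 30 -out "$1/user.pem" 2>/dev/null
}

# Naive criterion from the thread: subject DN equals issuer DN.
# The "subject="/"issuer=" prefixes are stripped before comparing.
names_match() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Correct criterion: the signature verifies with the cert's own public key.
# -check_ss_sig forces the signature check on the trust anchor itself.
is_self_signed() {
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# Viktor's extension-based view: show SKID and AKID so they can be compared.
key_ids() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 -E 'Subject Key Identifier|Authority Key Identifier' \
        || echo '  (no key identifier extensions present)'
}

# Order matters: a real self-signed cert also passes names_match.
classify() {
    if is_self_signed "$1"; then
        echo self-signed
    elif names_match "$1"; then
        echo self-issued-only   # name test alone would wrongly say self-signed
    else
        echo issued-by-another-name
    fi
}

make_certs "$WORK"
for f in ca.pem selfissued.pem user.pem; do
    printf '%s: %s\n' "$f" "$(classify "$WORK/$f")"
    key_ids "$WORK/$f"
done
```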
RE: How to check if the certificate is self signed
> On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
> > Vincenzo Sciarra schrieb:
> > > Hi,
> >
> > Hello Vincenzo,
> >
> > > just check if issuer and holder are the same!
> >
> > or do it the correct way:
> >
> >     openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
> >
> > should return:
> >
> >     self_signed_cert.pem: OK
>
> Indeed, technically a certificate with issuer and subject names
> identical is self-issued and may or may not be self signed. It has to be
> signed with its own key to be self signed which the above command checks.

Steve,

Is there a difference between certificate issue and sign? I was under the
impression that a certificate is said to be issued only when it is signed.
Can there be a case when a cert is issued, but is not signed? Please
enlighten.

Best regards,
Ambarish.
Re: How to check if the certificate is self signed
Ambarish Mitra schrieb:

Hello Ambarish,

> > On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
> > >     openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
> > >
> > > should return:
> > >
> > >     self_signed_cert.pem: OK

Maestro Steve appended:

> > Indeed, technically a certificate with issuer and subject names
> > identical is self-issued and may or may not be self signed. It has to
> > be signed with its own key to be self signed which the above command
> > checks.
>
> Is there a difference between certificate issue and sign? I was under
> the impression that a certificate is said to be issued only when it is
> signed. Can there be a case when a cert is issued, but is not signed?
> Please enlighten.

A certificate is _issued_ by a CA authority with a given name.
But a certificate is _signed_ by a private key.

It is always possible to have more than one certificate with the same
subject name. Only the combination issuer name / serial number must be
unique. (Last time I checked OpenSSL has problems with more than one CA
certificate with the same subject name...)

Let's assume the following scenario:

* CA1:  subj: CN=CA,    issr: CN=CA, Ser: 1, Key: #1, Signed: Key #1
* CA2:  subj: CN=CA,    issr: CN=CA, Ser: 2, Key: #2, Signed: Key #2
* Usr1: subj: CN=User1, issr: CN=CA, Ser: 3, Key: #3, Signed: Key #1
* Usr2: subj: CN=User2, issr: CN=CA, Ser: 4, Key: #4, Signed: Key #2

As far as I remember X509 does not totally disallow this, but OpenSSL will
have problems to verify the user certificates: All certificates are issued
by the CA with the name CN=CA, but they are signed alternatively by the
keys #1 and #2...

Bye

Goetz
RE: How to check if the certificate is self signed
Traditionally the term self-signed applied to certificates that are NOT
signed by anybody but the owner of the given key pair. With all the
relevant security implications.

What is the purpose of checking for self-signed cert? To see if only the
owner signed that key? Or to see that key owner ALSO signed the key?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goetz Babin-Ebell
Sent: Wednesday, October 25, 2006 11:49
To: openssl-users@openssl.org
Subject: Re: How to check if the certificate is self signed

> Ambarish Mitra schrieb:
>
> Hello Ambarish,
>
> > > On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
> > > >     openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
> > > >
> > > > should return:
> > > >
> > > >     self_signed_cert.pem: OK
>
> Maestro Steve appended:
>
> > > Indeed, technically a certificate with issuer and subject names
> > > identical is self-issued and may or may not be self signed. It has
> > > to be signed with its own key to be self signed which the above
> > > command checks.
> >
> > Is there a difference between certificate issue and sign? I was under
> > the impression that a certificate is said to be issued only when it is
> > signed. Can there be a case when a cert is issued, but is not signed?
> > Please enlighten.
>
> A certificate is _issued_ by a CA authority with a given name.
> But a certificate is _signed_ by a private key.
>
> It is always possible to have more than one certificate with the same
> subject name. Only the combination issuer name / serial number must be
> unique. (Last time I checked OpenSSL has problems with more than one CA
> certificate with the same subject name...)
>
> Let's assume the following scenario:
>
> * CA1:  subj: CN=CA,    issr: CN=CA, Ser: 1, Key: #1, Signed: Key #1
> * CA2:  subj: CN=CA,    issr: CN=CA, Ser: 2, Key: #2, Signed: Key #2
> * Usr1: subj: CN=User1, issr: CN=CA, Ser: 3, Key: #3, Signed: Key #1
> * Usr2: subj: CN=User2, issr: CN=CA, Ser: 4, Key: #4, Signed: Key #2
>
> As far as I remember X509 does not totally disallow this, but OpenSSL
> will have problems to verify the user certificates: All certificates are
> issued by the CA with the name CN=CA, but they are signed alternatively
> by the keys #1 and #2...
>
> Bye
>
> Goetz
Re: How to check if the certificate is self signed
On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
> It is always possible to have more than one certificate with the same
> subject name. Only the combination issuer name / serial number must be
> unique. (Last time I checked OpenSSL has problems with more than one CA
> certificate with the same subject name...)

Depends. If SKID/AKID is used to disambiguate that case OpenSSL should
handle it properly. If not it will just use the first certificate it
encounters which may not be the right one.

Steve.
Re: How to check if the certificate is self signed
On 10/25/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
> > It is always possible to have more than one certificate with the same
> > subject name. Only the combination issuer name / serial number must
> > be unique. (Last time I checked OpenSSL has problems with more than
> > one CA certificate with the same subject name...)
>
> Depends. If SKID/AKID is used to disambiguate that case OpenSSL should
> handle it properly. If not it will just use the first certificate it
> encounters which may not be the right one.

Perhaps Goetz is unaware (like I was until a few days ago) that when doing
verification by directory there can be multiple hash files in the
directory for different certificates with the same DN/hash. (i.e., you can
have a 084a349a.0 and a 084a349a.1 for two CA certificates with the same
DN, but with different serial numbers and validity dates.) I had never run
across any documentation that said anything about a number other than
zero. I see now it is documented in
doc/ssl/SSL_CTX_load_verify_locations.pod
Re: How to check if the certificate is self signed
Mouse schrieb:
> Traditionally the term self-signed applied to certificates that are NOT
> signed by anybody but the owner of the given key pair. With all the
> relevant security implications.
>
> What is the purpose of checking for self-signed cert? To see if only the
> owner signed that key? Or to see that key owner ALSO signed the key?

My example was to clarify the difference between signing and issuing...

Checking for self signed key means checking that the signature of the
certificate matches the public key set in the certificate.

From the security point of view checking for a self signed cert is
worthless: Self signed certs are only useful if you got or verified it
with a secure channel outside of the protocol you use. If somebody was
able to modify it in between you are f*ed up anyway.

Using self signed certs in any other way is only for people that pretend
to do something secure...

Bye

Goetz