RE: Certificate validation problem - Openssl


Thread: RE: Certificate validation problem

  1. RE: Certificate validation problem

    > -----Original Message-----
    > From: owner-openssl-users@openssl.org On Behalf Of Gerhard Gappmeier
    > Sent: Wednesday, 08 October, 2008 08:14
    >
    > I've a problem with validating self-signed certificates.
    >
    > In my use case it's possible (but unlikely) to have multiple self-signed
    > certificates with the same commonName.


    More to the point, they are root CA certs -- self-signed, AND used to sign
    child certs. Your problem is with child linkage, not self-signed as such.

    > In the used protocol the URI field in subjectAltName fulfills the
    > purpose of distinguishing the application instances.
    >

    That appears to be irrelevant.

    > When validating a certificate using X509_verify_cert it seems that
    > OpenSSL finds the wrong certificate in the store
    > due to the same commonName and then the validation fails.
    >
    > As far as I understood the code - but I'm not sure - the problem is,
    > that X509_check_issued() that is called indirectly by
    > find_issuer() doesn't check the certificate serial number when searching
    > for the issuer certificate
    > and only looks for the commonName.
    > This happens because no AUTHORITY_KEYID (subject->akid) is available in
    > the subject structure. (why?)
    > See the screenshot for details.
    >

    Your screenshot came out totally illegible, at least for me.

    AKID is an optional extension, with several optional subformats.
    Do you have a copy (e.g. in a file) of the cert you want to validate
    i.e. the subject=child cert? If so, check the extension is present,
    and has (child.)AKID.keyid = parent.subjkeyid
    and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial).

    How did you obtain, or create, the child cert? (Commercial CA,
    in-house CA, openssl CA.pl, openssl command line, etc.)

    > The certificate of course has a serial number so I want this to be
    > checked when looking up a certificate in the store.


    Which cert? When you want to look up the parent you need attributes
    of the parent, not the child. If you want to look up the parent
    by issuer+serial (serial alone is not enough) (although in this case
    the parent is self-signed so its issuer and subject are the same),
    use child.AKID.(issuer+serial) as above.



    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org
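The linkage check Dave describes, as an added example that is not part of the thread: it is written in Python with the `cryptography` library (assumed installed; OpenSSL itself is not called), builds a self-signed root and a child that share the same commonName in memory, and classifies the child's AKID as matching the parent's SKID, matching the parent's issuer+serial, missing (the case in this thread), or mismatching. The names, keys and the `make_pair` helper are constructed here for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def akid_links(child: x509.Certificate, parent: x509.Certificate) -> str:
    """Classify child -> parent linkage: 'keyid', 'issuer_serial', 'missing' or 'mismatch'."""
    try:
        akid = child.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value
    except x509.ExtensionNotFound:
        return "missing"  # the thread's case: the issuer can then only be matched by name
    if akid.key_identifier is not None:  # form 1: child.AKID.keyid == parent.SKID
        try:
            skid = parent.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_KEY_IDENTIFIER).value
        except x509.ExtensionNotFound:
            return "mismatch"
        return "keyid" if akid.key_identifier == skid.digest else "mismatch"
    if akid.authority_cert_issuer and akid.authority_cert_serial_number is not None:
        # form 2: child.AKID.(issuer+serial) == parent.(issuer+serial)
        issuers = [n.value for n in akid.authority_cert_issuer if isinstance(n, x509.DirectoryName)]
        if parent.issuer in issuers and akid.authority_cert_serial_number == parent.serial_number:
            return "issuer_serial"
    return "mismatch"

def make_pair(akid_form):
    """Constructed data: a self-signed root and a child with the SAME commonName.
    akid_form is 'keyid', 'issuer_serial' or None (child issued without any AKID)."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    child_key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example App")])
    now = datetime.datetime.now(datetime.timezone.utc)
    def base(key):  # subject == issuer == the shared CN: exactly the ambiguous setup
        return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    root = (base(root_key)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(root_key.public_key()), critical=False)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(root_key, hashes.SHA256()))
    child = base(child_key)
    if akid_form == "keyid":
        child = child.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(root_key.public_key()), critical=False)
    elif akid_form == "issuer_serial":
        child = child.add_extension(x509.AuthorityKeyIdentifier(
            None, [x509.DirectoryName(root.issuer)], root.serial_number), critical=False)
    return root, child.sign(root_key, hashes.SHA256())
```

Run `akid_links` against a child whose AKID was built for a different root to see the 'mismatch' result that name-only lookup would otherwise hide.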


  2. Re: Certificate validation problem

    Thanks Dave,

    today I rechecked the dump of the certificates which cause the problem.
    The AUTHORITY_KEYID was really missing in them.
    They were created using some MS .Net stuff.
    My certificates which I create with openssl work fine.

    I told the guy who created the wrong certificates about the missing field.
    In our protocol this field is mandatory because our commonNames are not always
    unique.

    On Friday 10 October 2008 02:03:44 Dave Thompson wrote:
    > > -----Original Message-----
    > > From: owner-openssl-users@openssl.org On Behalf Of Gerhard Gappmeier
    > > Sent: Wednesday, 08 October, 2008 08:14
    > >
    > > I've a problem with validating self-signed certificates.
    > >
    > > In my use case it's possible (but unlikely) to have multiple self-signed
    > > certificates with the same commonName.
    >
    > More to the point, they are root CA certs -- self-signed, AND used to sign
    > child certs. Your problem is with child linkage, not self-signed as such.
    >
    > > In the used protocol the URI field in subjectAltName fulfills the
    > > purpose of distinguishing the application instances.
    >
    > That appears to be irrelevant.
    >
    > > When validating a certificate using X509_verify_cert it seems that
    > > OpenSSL finds the wrong certificate in the store
    > > due to the same commonName and then the validation fails.
    > >
    > > As far as I understood the code - but I'm not sure - the problem is,
    > > that X509_check_issued() that is called indirectly by
    > > find_issuer() doesn't check the certificate serial number when searching
    > > for the issuer certificate
    > > and only looks for the commonName.
    > > This happens because no AUTHORITY_KEYID (subject->akid) is available in
    > > the subject structure. (why?)
    > > See the screenshot for details.
    >
    > Your screenshot came out totally illegible, at least for me.
    >
    > AKID is an optional extension, with several optional subformats.
    > Do you have a copy (e.g. in a file) of the cert you want to validate
    > i.e. the subject=child cert? If so, check the extension is present,
    > and has (child.)AKID.keyid = parent.subjkeyid
    > and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial).
    >
    > How did you obtain, or create, the child cert? (Commercial CA,
    > in-house CA, openssl CA.pl, openssl command line, etc.)
    >
    > > The certificate of course has a serial number so I want this to be
    > > checked when looking up a certificate in the store.
    >
    > Which cert? When you want to look up the parent you need attributes
    > of the parent, not the child. If you want to look up the parent
    > by issuer+serial (serial alone is not enough) (although in this case
    > the parent is self-signed so its issuer and subject are the same),
    > use child.AKID.(issuer+serial) as above.
    >