On Tue, Aug 07, 2001 at 03:16:21PM -0700, Shaughnessy, Ian wrote:
> I'm working with someone else's code here, and I'm trying to figure out how
> to implement verification anywhere in a cert chain.  For example:
> 
> asd CA
>   |  
> lkjh CA
>   |  
> webserver
> 
> I want to be able to verify against the lkjh CA, not the asd CA, and lkjh is
> halfway down the chain.  I tried just taking the code we have right now,
> replacing the root cert file with one only containing the lkjh cert, but I
> get verify errors.  Here is an output with some test certificates:
...

The OpenSSL built-in verification procedure does not support this type
of operation. It requires the certificate chain to end in a root CA
certificate (self-signed).

> #1
> subject:'[EMAIL PROTECTED]/C=US/ST=Or/L=Portland/O=McAfee
> ASaP/OU=WebShield/CN=lkjh'
> ERROR: 20
> VERIFY ERROR: 20 'unable to get local issuer certificate'

This is the expression of the behaviour described above. The internal
verification procedure cannot find the "asd CA" certificate. It is not
included in the certificate chain sent by the server and (more importantly)
it is not listed in the trusted CA storage. (If it were sent by the
server but not found in trusted storage, you would see a "self signed
certificate in chain" error.)

What you can do with the current implementation of OpenSSL (maybe the internal
verification procedure will be extended to support the technique of
only using intermediate CAs at some time in the future) is to either realize
your own complete verification procedure or (my recommendation) to
extend the verify_callback: if you hit the "unable to get local ..."
error, compare the certificate in question with the lkjh certificate
and override the verification result of the internal verification.

My best recommendation is however to supply the root CA certificates
and have a full verification performed!

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
