Hi all,
I have a doubt regarding X509_verify_cert(). When we have a TRUSTED
certificate with the authority-key-identifier extension, and when we are
trying to verify a SELF certificate using the function X509_verify_cert(),
the verification is failing.
Upon a deeper look into the function, it is failing as follows.
We call X509_verify_cert() with the CTX. Before calling this function we
initialize CTX->cert with the self-certificate, and we add the trusted
certificates to the X509_STORE using the function X509_STORE_add_cert().
In X509_verify_cert():
1. It checks whether CTX->cert (the self-certificate) is a self-signed
certificate or not by pushing the certificates into a chain.
2. It looks for trusted certificates whose subject name is the same as the
issuer name of CTX->cert (i.e., the self-certificate) and pushes the
certificates into the chain in the CTX. Now we check whether the trusted
certificates are self-signed or not by calling the function
X509_check_issued().
3. We pass the same trusted certificate as both the subject and the issuer
certificate. In this function we check the serial number of the issuer
certificate against the serial number in the Authority Key Identifier
extension of the subject certificate.
Here we are facing the problem: ASN1_INTEGER_cmp() is failing.
The QUESTION is whether the serial number in the trusted certificate should
be the SAME as the serial number in the Authority Key Identifier extension.
If the two need not be the same then we feel that there is a bug in the
X509_check_issued() function, as we are using it to verify whether the
certificate is self-signed or not.
I would be thankful for any help regarding this question.
Regards
Suram
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
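Added illustration, not code from the original message or from OpenSSL: a pure-Python model of the comparison the post describes. In X509_check_issued()/X509_check_akid() each field present in the subject's Authority Key Identifier is compared against the *issuer certificate's own* fields, so for a self-signed certificate the authorityCertSerialNumber has to equal the certificate's own serial. The Cert/AuthorityKeyId records are hypothetical stand-ins for the real X509 objects; the X509_V_* values are taken from x509_vfy.h, and the keyUsage check that the real function also performs is omitted.

```python
from dataclasses import dataclass
from typing import Optional

# Error codes as defined in OpenSSL's x509_vfy.h.
X509_V_OK = 0
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29
X509_V_ERR_AKID_SKID_MISMATCH = 30
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31


@dataclass
class AuthorityKeyId:          # hypothetical stand-in for AUTHORITY_KEYID
    keyid: Optional[bytes] = None      # keyIdentifier
    issuer_name: Optional[str] = None  # directoryName from authorityCertIssuer
    serial: Optional[int] = None       # authorityCertSerialNumber


@dataclass
class Cert:                    # hypothetical stand-in for X509
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes] = None
    akid: Optional[AuthorityKeyId] = None


def check_akid(issuer: Cert, akid: Optional[AuthorityKeyId]) -> int:
    """Model of X509_check_akid(): only fields present in the AKID are checked,
    and each is compared with the issuer *certificate's* own values."""
    if akid is None:
        return X509_V_OK
    if akid.keyid is not None and akid.keyid != issuer.skid:
        return X509_V_ERR_AKID_SKID_MISMATCH
    # This is the ASN1_INTEGER_cmp() the post refers to: the AKID serial is
    # matched against the serial number of the issuer's certificate.
    if akid.serial is not None and akid.serial != issuer.serial:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    if akid.issuer_name is not None and akid.issuer_name != issuer.issuer:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    return X509_V_OK


def check_issued(issuer: Cert, subject: Cert) -> int:
    """Model of X509_check_issued(): name chaining first, then the AKID check."""
    if issuer.subject != subject.issuer:
        return X509_V_ERR_SUBJECT_ISSUER_MISMATCH
    return check_akid(issuer, subject.akid)


def is_self_signed(cert: Cert) -> bool:
    """How the verifier decides a chain element is self-signed: issuer == subject."""
    return check_issued(cert, cert) == X509_V_OK


# Constructed sample certificates (not real data).
ROOT_OK = Cert("CN=Example Root", "CN=Example Root", 0x1001, skid=b"\x01",
               akid=AuthorityKeyId(keyid=b"\x01", issuer_name="CN=Example Root", serial=0x1001))
# Same root, but the AKID carries a serial that is not the certificate's own:
ROOT_BAD = Cert("CN=Example Root", "CN=Example Root", 0x1001, skid=b"\x01",
                akid=AuthorityKeyId(serial=0x2002))
```

Running check_issued(ROOT_BAD, ROOT_BAD) reproduces the failure in the post: the certificate is rejected as self-signed with X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, whereas ROOT_OK passes.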