On Thu, Mar 21, 2002 at 03:43:00PM -0500, Harald Koch wrote:
> So I'm attempting to verify a certificate with OpenSSL 0.9.7 snapshot
> (various versions). I trust my own CA, whose certificate is issued by a
> Root (self-signed) CA that I do not wish to trust, because it has also
> issued a CA certificate to Bad Guy Incorporated.
>
> Right now if I build a chain up to my trusted sub-CA and call
> X509_verify_cert, I get X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT or
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY errors, apparently because
> the verifier is trying to chain all the way up to a self-signed root
> certificate.
>
> If I override those errors (carefully, of course), I then get
> CERT_V_ERR_CERT_UNTRUSTED errors, because OpenSSL by default only trusts
> self-signed certificates.
>
> I can override these errors with a simple heuristic (check to see if the
> certificate in question is my trusted sub-CA cert, and reset the error
> if it matches), but I'm wondering if there is a better way to support
> sub-CAs?
No. As the structure is implemented currently, OpenSSL's internal verification routines require the descent down to the self-signed root CA. It also implies that once the root CA is part of the list of trusted CAs, the verification of all certificates issued by whatever sub-CA will succeed (as long as no other verification error occurs).

This problem arises because of the structure behind the PKI. If your root CA cannot be trusted, you should also not trust the certificates issued by its sub-CAs.

Another view of the problem: there is "authentication" and "authorization". That a certificate passes the verification process simply means that the "authenticity" of the certificate was verified. It does not mean that any kind of "authorization" automatically follows from this check. That's a question of your policy (even though it is hard to apply a useful policy if authenticity is in question).

> (It gets worse; I'm also calling an OCSP Responder for Sub-CA, and
> OCSP_basic_verify checks to see if my Sub-CA is trusted for OCSP
> Signing, although in this case I don't understand why self-signed
> certificates are trusted and my sub-CA isn't).

Sorry, I never used the OCSP part, so I cannot comment on this point.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
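The two behaviours discussed in this exchange can be reproduced with the `openssl` command-line tool, and the shell script below does so as an added example; it is not part of the thread and not code from either poster. It builds a throwaway PKI (a self-signed root, two sub-CAs under it, one leaf under each; all names are constructed for the demo) and then runs `openssl verify` four ways: with only our sub-CA in the trust store the leaf fails, exactly as Harald saw, because chain building insists on reaching a self-signed root; with the root in the store a leaf from the "Bad Guy" sub-CA verifies too, which is Lutz's point that trusting the root means trusting every sub-CA it issued. The fix that later OpenSSL releases added is also shown: `X509_V_FLAG_PARTIAL_CHAIN` (the `-partial_chain` option to `openssl verify`, OpenSSL 1.0.2 and newer) lets a non-self-signed certificate in the trusted store act as the anchor, so the sub-CA can be trusted without its root, and a leaf from the other sub-CA still fails. Requires an `openssl` binary of 1.0.2 or newer on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the sub-CA trust problem with
# the openssl CLI and show the partial-chain anchor that OpenSSL 1.0.2+ offers
# (X509_V_FLAG_PARTIAL_CHAIN / "openssl verify -partial_chain").
# Every name and certificate below is constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/demo.cnf"

# Self-contained config so the demo does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF

# new_csr NAME CN: fresh RSA key plus CSR, used for sub-CAs and leaves alike.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign NAME ISSUER EXTSECTION SERIAL: issue NAME's certificate from ISSUER's key.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -set_serial "$4" -days 30 -extfile "$CFG" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# The self-signed root that, in the thread, the poster does not want to trust.
openssl req -x509 -newkey rsa:2048 -nodes -config "$CFG" -extensions ca_ext \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Demo Root" \
  -days 30 2>/dev/null

# Two sub-CAs under that root (ours, and one we must not trust) and one leaf each.
new_csr good-sub  "Our Sub-CA";          sign good-sub  root     ca_ext   1001
new_csr bad-sub   "Bad Guy Inc Sub-CA";  sign bad-sub   root     ca_ext   1002
new_csr good-leaf "server.example";      sign good-leaf good-sub leaf_ext 2001
new_csr bad-leaf  "attacker.example";    sign bad-leaf  bad-sub  leaf_ext 2002

# verify_with_subca LEAF [verify flags...]: the trust store holds ONLY our sub-CA.
# Returns openssl's exit status (0 = chain accepted).
verify_with_subca() {
  leaf=$1; shift
  openssl verify "$@" -CAfile "$WORK/good-sub.pem" "$WORK/$leaf.pem" >/dev/null 2>&1
}

# verify_with_root LEAF SUBCA: trust the root and supply SUBCA as an untrusted
# intermediate. Anything the root ever delegated to is implicitly trusted.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$2.pem" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

show() { label=$1; shift; if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi; }
show "our leaf,     store={our sub-CA}"                 verify_with_subca good-leaf
show "our leaf,     store={our sub-CA}, -partial_chain" verify_with_subca good-leaf -partial_chain
show "Bad Guy leaf, store={our sub-CA}, -partial_chain" verify_with_subca bad-leaf -partial_chain -untrusted "$WORK/bad-sub.pem"
show "Bad Guy leaf, store={root}"                       verify_with_root bad-leaf bad-sub
```

The first line of output is the failure from the thread (OpenSSL reports "unable to get issuer certificate" because it wants to walk up to a self-signed root); the second shows that `-partial_chain` turns the sub-CA into an acceptable anchor; the third shows that this anchor does not extend to a sibling sub-CA; the fourth shows why trusting the root was never an option here. In code the equivalent is `X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN)` on the store or context before calling `X509_verify_cert`, which replaces the error-override heuristic described in the question.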