Dear all,

I generated a CA self-signed certificate and an EE certificate and tried to verify the cert name chain using the openssl-0.9.7-beta3.

    >openssl verify -issuer_checks -CAfile cacert.pem 01.pem

I encounter the following message:

    01.pem: /C=JP/O=TEST/OU=TESTORG/CN=EE01
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=JP/O=TEST/OU=TESTORG/CN=EE01
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=JP/O=TEST/OU=TESTORG/CN=EE01
    error 29 at 0 depth lookup:subject issuer mismatch
    OK

I check the subject and issuer names:

    >openssl x509 -in cacert.pem -noout -text
    Issuer: C=JP, O=TEST, OU=TESTORG, CN=TESTCA
    Validity
        Not Before: Nov 6 11:56:42 2002 GMT
        Not After : Oct 28 11:56:42 2037 GMT
    Subject: C=JP, O=TEST, OU=TESTORG, CN=TESTCA

    >openssl x509 -in 01.pem -noout -text
    Issuer: C=JP, O=TEST, OU=TESTORG, CN=TESTCA
    Validity
        Not Before: Nov 6 11:56:55 2002 GMT
        Not After : Oct 29 11:56:55 2032 GMT
    Subject: C=JP, O=TEST, OU=TESTORG, CN=EE01

Looks ok to me. So I decide to see the exact content inside the binary file.

    >openssl x509 -in 01.pem -outform DER -out 01.der
    >openssl x509 -in cacert.pem -outform DER -out cacert.der

    >dumpasn1 -hh cacert.der
    .... Hex value of CA's subject name
    30 3F 31 0B 30 09 06 03 55 04 06 13 02 4A 50 31 0D 30 0B 06 03 55 04 0A

    >dumpasn1 -hh 01.der
    ...Hex value of EE's issuer name
    30 3F 31 0B 30 09 06 03 55 04 06 13 02 4A 50 31 0D 30 0B 06 03 55 04 0A

I think that the two values are the same to me. Please let me know why the verify command tells me the subject issuer mismatch and how I could correct this problem. I am attaching the 2 certificates for your reference.

Sincerely,
-Kiyoshi
Kiyoshi Watanabe

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=TEST, OU=TESTORG, CN=TESTCA
        Validity
            Not Before: Nov 6 11:56:55 2002 GMT
            Not After : Oct 29 11:56:55 2032 GMT
        Subject: C=JP, O=TEST, OU=TESTORG, CN=EE01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:46:26:51:EE:72:2D:33:85:87:D2:59:3A:4A:B2:F5:D3:60:0E:1F:64
            X509v3 Subject Key Identifier:
                73:09:C5:4D:6A:09:06:5C:E3:85:58:F1:72:FE:7D:0C:5F:1F:96:2A
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Certificate Policies:
                Policy: 0.2.440.20013.1.2002.1.10.1
            X509v3 CRL Distribution Points:
                URI:ldap://h-re.pki-j-sim.jp/cn=TestCA,ou=TESTMM2,o=PPTG,c=JP?certificateRevocationList;binary
    Signature Algorithm: sha1WithRSAEncryption
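
Added example (not part of the original post): the dumpasn1 comparison above done in Python, pulling the issuer and subject Name encodings out of a certificate's DER and comparing them byte for byte. The certificates are constructed shells that carry only the names from the post (no keys, extensions or signatures); `rdn`, `name`, `skeleton_cert` and `chains` are hypothetical helper names.

```python
def tlv(tag, content):
    """DER-encode one tag-length-value element."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next k bytes hold the length
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(cert_der):
    """Return the raw DER Name encodings (issuer, subject) of a certificate."""
    _, start, _ = read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, start)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert_der, pos)
        if tag != 0xA0:                      # skip the optional [0] version
            fields.append(cert_der[pos:nxt])
        pos = nxt
    return fields[2], fields[4]              # serial, sigalg, ISSUER, validity, SUBJECT

def chains(child_der, candidate_der):
    """True if the child's issuer bytes equal the candidate's subject bytes."""
    return issuer_and_subject(child_der)[0] == issuer_and_subject(candidate_der)[1]

# --- constructed sample data: names taken from the post, everything else empty ---
def rdn(attr, text):
    oid = tlv(0x06, bytes([0x55, 0x04, attr]))                   # OID 2.5.4.<attr>
    return tlv(0x31, tlv(0x30, oid + tlv(0x13, text.encode())))  # PrintableString
def name(cn):
    return tlv(0x30, rdn(6, "JP") + rdn(10, "TEST") + rdn(11, "TESTORG") + rdn(3, cn))
def skeleton_cert(issuer, subject):
    # Certificate-shaped DER shell (assumption: enough for name extraction only).
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + issuer + tlv(0x30, b"") + subject)
    return tlv(0x30, tlv(0x30, tbs))

CA = skeleton_cert(name("TESTCA"), name("TESTCA"))
EE = skeleton_cert(name("TESTCA"), name("EE01"))
if __name__ == "__main__":
    print("EE issued by CA:", chains(EE, CA), "| EE issued by EE:", chains(EE, EE))
```

Byte equality is a stricter test than a verifier needs, but it is the check the post performs by hand. The EE certificate compared against itself fails it, and the verify(1) manual says of `-issuer_checks` that rejection messages for candidate issuers do not by themselves imply that anything is wrong.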