In message <[EMAIL PROTECTED]> on Wed, 06 Nov 2002 
21:23:24 +0900 (JST), Kiyoshi WATANABE <[EMAIL PROTECTED]> said:

kiyoshi> >openssl verify -issuer_checks -CAfile cacert.pem 01.pem
kiyoshi> 
kiyoshi> I encounter the following message:
kiyoshi> 
kiyoshi> 01.pem: /C=JP/O=TEST/OU=TESTORG/CN=EE01
kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
kiyoshi> OK

That happens because there are 3 calls to check_issued (in x509_vfy.c)
that are used to check if the current certificate is self-issued
(which means this check is performed 3 times with your EE
certificate).  check_issued() looks like this:

static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
        int ret;
        ret = X509_check_issued(issuer, x);
        if (ret == X509_V_OK)
                return 1;
        /* If we haven't asked for issuer errors don't set ctx */
        if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
                return 0;

        ctx->error = ret;
        ctx->current_cert = x;
        ctx->current_issuer = issuer;
        return ctx->verify_cb(0, ctx);
        return 0;
}


Since -issuer_checks sets the X509_V_FLAG_CB_ISSUER_CHECK flag and
'issuer' isn't the issuer of 'x' during those three calls, you can see
how come the callback gets called those three times.  The callback in
question is the one in apps/verify.c, which writes those lines you
saw.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
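
The following is an added example, not part of the original message and not OpenSSL code: a self-contained model of the control flow of the check_issued() quoted above. It shows that the three self-issued probes on the EE certificate reach the callback only when the issuer-check flag is set, and that the verification result is the same either way. The struct types, the name-only comparison, the CA subject and run_probes() are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins (assumptions), not OpenSSL's real types or API. */
#define V_OK 0
#define V_ERR_SUBJECT_ISSUER_MISMATCH 29  /* the "error 29" in the output */
#define FLAG_CB_ISSUER_CHECK 0x1UL        /* models X509_V_FLAG_CB_ISSUER_CHECK */
struct cert { const char *subject, *issuer; };
struct ctx {
    unsigned long flags; int error, cb_calls;
    const struct cert *current_cert, *current_issuer;
    int (*verify_cb)(int ok, struct ctx *ctx);
};

/* Name comparison only; the real X509_check_issued() checks more than names. */
static int names_check_issued(const struct cert *issuer, const struct cert *x) {
    return strcmp(issuer->subject, x->issuer) == 0 ? V_OK : V_ERR_SUBJECT_ISSUER_MISMATCH;
}

/* Same control flow as the check_issued() quoted in the message. */
static int check_issued(struct ctx *ctx, const struct cert *x, const struct cert *issuer) {
    int ret = names_check_issued(issuer, x);
    if (ret == V_OK) return 1;
    if (!(ctx->flags & FLAG_CB_ISSUER_CHECK)) return 0;  /* silent "not the issuer" */
    ctx->error = ret;
    ctx->current_cert = x; ctx->current_issuer = issuer;
    return ctx->verify_cb(0, ctx);
}

static int report_cb(int ok, struct ctx *ctx) {  /* prints and keeps ok == 0 */
    ctx->cb_calls++;
    printf("%s\nerror %d (candidate issuer: %s)\n", ctx->current_cert->subject,
           ctx->error, ctx->current_issuer->subject);
    return ok;
}

/* Three self-issued probes on the EE cert, then the check against the CA.
 * Returns 1 if the CA is accepted as issuer; *cb_calls counts callback calls. */
int run_probes(unsigned long flags, int *cb_calls) {
    const struct cert ca = { "/C=JP/O=TEST/CN=CA", "/C=JP/O=TEST/CN=CA" };  /* constructed */
    const struct cert ee = { "/C=JP/O=TEST/OU=TESTORG/CN=EE01", "/C=JP/O=TEST/CN=CA" };
    struct ctx ctx = { flags, 0, 0, NULL, NULL, report_cb };
    int i, self_issued = 0, found;
    for (i = 0; i < 3; i++) self_issued |= check_issued(&ctx, &ee, &ee);
    found = check_issued(&ctx, &ee, &ca);
    *cb_calls = ctx.cb_calls;
    return found && !self_issued;
}

int main(void) {
    int n, ok = run_probes(FLAG_CB_ISSUER_CHECK, &n);
    printf("issuer found: %d, callback calls: %d\n", ok, n);
    return 0;
}
```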
