In message <[EMAIL PROTECTED]> on Wed, 06 Nov 2002 15:12:28 +0100 (CET), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said:

levitte> In message <[EMAIL PROTECTED]> on Wed, 06 Nov 2002 21:23:24 +0900 (JST), Kiyoshi WATANABE <[EMAIL PROTECTED]> said:
levitte> 
levitte> kiyoshi> >openssl verify -issuer_checks -CAfile cacert.pem 01.pem
levitte> kiyoshi> 
levitte> kiyoshi> I encounter the following message:
levitte> kiyoshi> 
levitte> kiyoshi> 01.pem: /C=JP/O=TEST/OU=TESTORG/CN=EE01
levitte> kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
levitte> kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
levitte> kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
levitte> kiyoshi> /C=JP/O=TEST/OU=TESTORG/CN=EE01
levitte> kiyoshi> error 29 at 0 depth lookup:subject issuer mismatch
levitte> kiyoshi> OK
levitte> 
levitte> That happens because there are 3 calls to check_issued (in x509_vfy.c)
levitte> that are used to check if the current certificate is self-issued
levitte> (which means this check is performed 3 times with your EE
levitte> certificate).  check_issued() looks like this:
levitte> 
levitte> static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
levitte> {
levitte>        int ret;
levitte>        ret = X509_check_issued(issuer, x);
levitte>        if (ret == X509_V_OK)
levitte>                return 1;
levitte>        /* If we haven't asked for issuer errors don't set ctx */
levitte>        if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
levitte>                return 0;
levitte> 
levitte>        ctx->error = ret;
levitte>        ctx->current_cert = x;
levitte>        ctx->current_issuer = issuer;
levitte>        return ctx->verify_cb(0, ctx);
levitte>        return 0;
levitte> }
levitte> 
levitte> 
levitte> Since -issuer_checks sets the X509_V_FLAG_CB_ISSUER_CHECK flag and
levitte> 'issuer' isn't the issuer of 'x' during those three calls, you can see
levitte> how come the callback gets called those three times.  The callback in
levitte> question is the one in apps/verify.c, which writes those lines you
levitte> saw.

In other words, you don't need to worry about those lines...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
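
An added example, not part of the original message or of OpenSSL: a small Python parser for the `openssl verify -issuer_checks` output format quoted above, which separates the error 29 issuer-check diagnostics from the final verdict. The function names and the strict pass rule (verdict `OK` and no other error lines) are assumptions of this example, and the sample text is constructed from the output quoted in the thread.

```python
import re

# Constructed sample, copied from the output quoted in the thread above.
SAMPLE = """\
01.pem: /C=JP/O=TEST/OU=TESTORG/CN=EE01
error 29 at 0 depth lookup:subject issuer mismatch
/C=JP/O=TEST/OU=TESTORG/CN=EE01
error 29 at 0 depth lookup:subject issuer mismatch
/C=JP/O=TEST/OU=TESTORG/CN=EE01
error 29 at 0 depth lookup:subject issuer mismatch
OK
"""

ERROR_RE = re.compile(r"^error (\d+) at (\d+) depth lookup:(.*)$")
FILE_PREFIX_RE = re.compile(r"^\S+: (?=/)")  # "01.pem: " before the first subject
# Code 29 is the issuer-check diagnostic shown in the thread; the set is a
# parameter so other codes can be classified the same way (assumption).
ISSUER_CHECK_CODES = frozenset({29})


def parse_verify_output(text, diagnostic_codes=ISSUER_CHECK_CODES):
    """Split verify output into issuer-check diagnostics, other errors, verdict."""
    diagnostics, errors, verdict, subject = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ERROR_RE.match(line)
        if m:
            entry = {"subject": subject, "code": int(m.group(1)),
                     "depth": int(m.group(2)), "reason": m.group(3).strip()}
            bucket = diagnostics if entry["code"] in diagnostic_codes else errors
            bucket.append(entry)
        elif line == "OK":
            verdict = "OK"
        else:
            # A subject line printed by the callback before each error line.
            subject = FILE_PREFIX_RE.sub("", line)
    return {"diagnostics": diagnostics, "errors": errors, "verdict": verdict}


def chain_verified(result):
    """Strict rule of this example: final OK and no error outside the diagnostics."""
    return result["verdict"] == "OK" and not result["errors"]


if __name__ == "__main__":
    parsed = parse_verify_output(SAMPLE)
    print(len(parsed["diagnostics"]), "diagnostic lines; verified:", chain_verified(parsed))
```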
