> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier
> Sent: Wednesday, 08 October, 2008 08:14

> I've a problem with validating self-signed certificates.
> 
> In my use case it's possible (but unlikely) to have multiple self-signed
> certificates with the same commonName.

More to the point, they are root CA certs -- self-signed, AND used to sign 
child certs. Your problem is with child linkage, not self-signed as such.

> In the used protocol the URI field in subjectAltName fulfills the
> purpose of distinguishing the application instances.
> 
That appears to be irrelevant.

> When validating a certificate using X509_verify_cert it seems that
> OpenSSL finds the wrong certificate in the store
> due to the same commonName and then the validation fails.
> 
> As far as I understood the code - but I'm not sure - the problem is,
> that X509_check_issued() that is called indirectly by
> find_issuer() doesn't check the certificate serial number when searching
> for the issuer certificate
> and only looks for the commonName.
> This happens because no AUTHORITY_KEYID (subject->akid) is available in
> the subject structure. (why?)
> See the screenshot for details.
> 
Your screenshot came out totally illegible, at least for me.

AKID is an optional extension, with several optional subformats. 
Do you have a copy (e.g. in a file) of the cert you want to validate 
i.e. the subject=child cert? If so, check the extension is present,
and has (child.)AKID.keyid = parent.subjkeyid
and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial) .

How did you obtain, or create, the child cert? (Commercial CA, 
in-house CA, openssl CA.pl, openssl commandline, etc.)

> The certificate of course has a serial number so I want this to be
> checked when looking up a certificate in the store.

Which cert? When you want to look up the parent you need attributes 
of the parent, not the child.  If you want to look up the parent 
by issuer+serial (serial alone is not enough) (although in this case 
parent is selfsigned so its issuer and subject are the same), 
use child.AKID.(issuer+serial) as above.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
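The linkage check the reply describes (child.AKID.keyid = parent.subjkeyid) as an added shell example, not code from the thread or from OpenSSL: it builds two self-signed roots with the same CN and a child issued by the second, then shows that a name-only lookup returns both roots while the key identifier selects the right one. Assumes an openssl binary (1.1.1 or later) with its default config file is installed; all certificates, file names and the "Example Root" subject are constructed here.

```shell
# Constructed demo: two self-signed roots with an identical subject, one child
# issued by the second root, then the AKID/SKID linkage check from the thread.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Two self-signed CA certificates with the same CN but different key pairs.
for n in 1 2; do
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root" -keyout "ca$n.key" -out "ca$n.crt" 2>/dev/null
done

# Child signed by ca2; the extfile requests an SKID and an AKID with keyid.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=child" \
  -keyout child.key -out child.csr 2>/dev/null
printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > ext.cnf
openssl x509 -req -in child.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial \
  -days 1 -sha256 -extfile ext.cnf -out child.crt 2>/dev/null

# Subject or issuer DN of a cert, without the "subject="/"issuer=" label.
name_of() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*=//'; }
# Hex key identifier under "X509v3 <Subject|Authority> Key Identifier" in the
# -text output; an optional "keyid:" prefix is dropped (1.1.1 vs 3.x format).
keyid_of() {
  openssl x509 -in "$1" -noout -text \
    | sed -n "/X509v3 $2 Key Identifier/{n;p;}" | sed 's/^ *//; s/^keyid://'
}

# Name-only lookup, as the poster saw it: both roots match the child's issuer.
issuers_by_name() {
  want=$(name_of "$1" issuer)
  for ca in ca1.crt ca2.crt; do
    [ "$(name_of "$ca" subject)" = "$want" ] && echo "$ca"
  done
  return 0
}

# AKID-based lookup: the one CA whose SKID equals the child's AKID keyid.
find_issuer() {
  akid=$(keyid_of "$1" Authority)
  for ca in ca1.crt ca2.crt; do
    [ "$(keyid_of "$ca" Subject)" = "$akid" ] && { echo "$ca"; return 0; }
  done
  return 1
}

# Chain validation against one root; succeeds only for the real issuer.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

`issuers_by_name child.crt` lists both roots, `find_issuer child.crt` prints only ca2.crt, and `openssl verify` against ca1.crt fails on the signature.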