Victor, thanks for the answer! I will try to develop it.

> On Fri, Jan 02, 2009 at 02:05:10AM +0300, Taras P. Ivashchenko wrote:
>
> > Hello, list!
> >
> > I found in the archive [0] a discussion about how to check if a
> > certificate is self-signed. But I can't find there a solution for how I can do it
> > from an application.
> >
> > At the moment I need to check this (if a given certificate is self-signed)
> > from an application I developed.
> > And now I simply compare Issuer and Subject, but it is not fully correct.
> >
> > So my question is: how can I check if a given certificate is self-signed from
> > an application (python + python openssl module)?
> > By what criterion can I do this?
>
> If there are X.509v3 extensions carrying the subject key identifier and
> the authority key id, the certificate is self-signed if these are "equal":
>
>     X509v3 Subject Key Identifier:
>         0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
>     X509v3 Authority Key Identifier:
>         keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
>
> Note the authority key identifier can be multi-valued of various types, but
> the subject key identifier is always the hash of the subject's public key.
>
>     X509v3 Authority Key Identifier:
>         keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
>         DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/emailaddress=postmas...@example.com
>         serial:E7:ED:11:3A:5F:51:0D:4D
>
> If no authority keyid is present, but "Dirname" or "serial" are present,
> compare these with the subject DN or serial of the certificate. If the
> extension is missing, compare subject and issuer DNs.
>
> Your code needs to be able to compare DNs and parse the above extensions.
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
--
Taras Ivashchenko (Тарас Иващенко), OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds
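Added example, not code from this thread or from the OpenSSL project: the three tiers Viktor lists (SKI versus AKI keyid, then AKI DirName/serial versus the certificate's own subject and serial, then subject versus issuer DN), implemented in Python with the `cryptography` package rather than the python openssl module the question mentions (that substitution is an assumption of the example). It adds the definitive test that a self-signed certificate's signature verifies under its own public key, which is what separates a genuinely self-signed certificate from the case Taras observed, where subject and issuer DNs match but the certificate is not self-signed. All certificates, names and serial numbers are constructed in memory for the demonstration; RSA keys are assumed.

```python
# Added example (not from the mailing-list thread): Viktor's three tiers for
# deciding whether a certificate is self-signed, plus the definitive check
# that the signature verifies under the certificate's own public key.
# Assumes the `cryptography` package and RSA keys; every certificate below is
# a constructed in-memory fixture with made-up names and serial numbers.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def _ext(cert, oid):
    """Extension value for `oid`, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def looks_self_signed(cert):
    """Name/identifier heuristic, in the order the quoted mail gives."""
    ski = _ext(cert, ExtensionOID.SUBJECT_KEY_IDENTIFIER)
    aki = _ext(cert, ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
    if aki is not None:
        # Tier 1: both key identifiers present -> self-signed iff they are equal.
        if aki.key_identifier is not None and ski is not None:
            return aki.key_identifier == ski.digest
        # Tier 2: no keyid, but DirName/serial -> compare with own subject/serial.
        if aki.authority_cert_issuer is not None:
            if aki.authority_cert_serial_number != cert.serial_number:
                return False
            dir_names = [g.value for g in aki.authority_cert_issuer
                         if isinstance(g, x509.DirectoryName)]
            return cert.subject in dir_names
    # Tier 3: no usable extension -> fall back to subject DN == issuer DN.
    return cert.subject == cert.issuer


def signature_verifies_with_own_key(cert):
    """Definitive check: does the certificate's own key verify its signature?"""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, key, signer, serial, aki=None, ski=True):
    """Build a certificate for `key`, signed by `signer`; `aki` is optional."""
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(start)
         .not_valid_after(start + datetime.timedelta(days=365)))
    if ski:
        b = b.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    if aki is not None:
        b = b.add_extension(aki, critical=False)
    return b.sign(signer, hashes.SHA256())


def make_fixtures():
    """Constructed certificates covering each tier and the DN-only trap."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _name("Example Root")  # made-up name
    keyid_aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key())
    dirname_aki = x509.AuthorityKeyIdentifier(None, [x509.DirectoryName(ca)], 1)
    return {
        # Tier 1: SKI == AKI keyid, genuinely self-signed.
        "root": _cert(ca, ca, ca_key, ca_key, 1, keyid_aki),
        # Tier 1: AKI keyid names the root, SKI is the leaf's own key.
        "leaf": _cert(_name("leaf.example"), ca, other_key, ca_key, 2, keyid_aki),
        # Tier 2: no keyid; DirName + serial match the cert's own subject/serial.
        "dirname_root": _cert(ca, ca, ca_key, ca_key, 1, dirname_aki),
        # Tier 3 trap: subject == issuer DN, but signed by a different key.
        "dn_only_trap": _cert(ca, ca, other_key, ca_key, 3, None, ski=False),
    }


def classify(certs):
    """Map fixture name -> (heuristic verdict, definitive signature verdict)."""
    return {n: (looks_self_signed(c), signature_verifies_with_own_key(c))
            for n, c in certs.items()}


if __name__ == "__main__":
    for name, (heuristic, definitive) in classify(make_fixtures()).items():
        print(f"{name:14s} heuristic={heuristic!s:5s} signature={definitive}")
```

The `dn_only_trap` fixture is the point of the signature check: with no key identifier extensions, tier 3 reports it as self-signed because subject and issuer DNs are identical, yet the signature does not verify under its own key. When the identifiers are present, tiers 1 and 2 already give the right answer, but the signature verification is the check that cannot be fooled by anything an issuer writes into the DN.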