(top posting like the rest of the thread)

What makes you think it is incorrect to check the Key Identifier
(where present) before checking a signature against a key?

What other reasonable purpose could the Key Identifier fields
serve?

On 03/04/2015 10:56, Erwann Abalea wrote:
> (Forwarded to openssl-users)
>
> The subjectName of file4.pem matches the issuerName of
> file3.pem, the signature block in file3.pem, when verified
> with the public key of file4.pem, gives a correct signature
> for the tbsCertificate of file3.pem. But OpenSSL also
> (incorrectly, IMO) checks that file4.pem.SKI matches
> file3.pem.AKI, and refuses to go further (here, AKI doesn't
> match SKI).
>
> On 03/04/2015 03:10, Yuting Chen wrote:
> > I used OpenSSL to verify a certificate file (file3.pem)
> > against another certificate file (file4.pem). OpenSSL
> > reports that it cannot find the issuer of the cert in
> > file3.pem; while when I display file3.pem and file4.pem,
> > it appears that the issuer of the cert in file3.pem is the
> > same as the subject of the cert in file4.pem. Did I miss
> > anything?

P.S.

Don't put your e-mail sig in the middle of the mail, it causes
standards-compliant mail programs to cut off everything below
it when replying (because everything below the --<space> marker
is, by definition, just the e-mail sig).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
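
The behaviour discussed in this thread, as an added sketch that is not part of any poster's message and is not OpenSSL's code: a simplified model of the issuer-candidate check, narrowed to the name and key identifier comparisons that happen before any signature is verified. The `Cert` class, the function names and the sample values are constructed for illustration; the result strings reuse the names of OpenSSL's X509_V_* codes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Result strings reuse the names of OpenSSL's X509_V_* verification codes.
OK = "X509_V_OK"
NAME_MISMATCH = "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
AKID_SKID_MISMATCH = "X509_V_ERR_AKID_SKID_MISMATCH"


@dataclass
class Cert:
    """Hypothetical stand-in for the parsed fields that matter here."""
    subject: str
    issuer: str
    ski: Optional[bytes] = None        # subjectKeyIdentifier
    aki_keyid: Optional[bytes] = None  # authorityKeyIdentifier.keyIdentifier


def check_issued(candidate: Cert, cert: Cert) -> str:
    """Can `candidate` be used as issuer of `cert`? No signature is checked."""
    if candidate.subject != cert.issuer:
        return NAME_MISMATCH
    # Key identifiers are compared only when both certificates carry one.
    if cert.aki_keyid is not None and candidate.ski is not None:
        if cert.aki_keyid != candidate.ski:
            return AKID_SKID_MISMATCH
    return OK


def find_issuer(cert: Cert, pool: List[Cert]) -> Tuple[Optional[Cert], List[str]]:
    """Return the first acceptable candidate plus the reasons others were skipped."""
    skipped = []
    for candidate in pool:
        result = check_issued(candidate, cert)
        if result == OK:
            return candidate, skipped
        skipped.append(result)
    return None, skipped


# Constructed sample data modelled on the thread: names match, key ids do not.
file3 = Cert(subject="CN=leaf", issuer="CN=Example CA", aki_keyid=bytes.fromhex("aa" * 20))
file4 = Cert(subject="CN=Example CA", issuer="CN=Example CA", ski=bytes.fromhex("bb" * 20))
# Same CA name, but with the key identifier file3 actually points at.
file4_other_key = Cert(subject="CN=Example CA", issuer="CN=Example CA", ski=bytes.fromhex("aa" * 20))

if __name__ == "__main__":
    print(find_issuer(file3, [file4]))                   # no issuer found
    print(find_issuer(file3, [file4, file4_other_key]))  # second candidate chosen
```

When diagnosing a report like the one above, comparing the subjectKeyIdentifier of the presumed issuer with the authorityKeyIdentifier of the certificate being verified shows whether this check is what rejected the candidate.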