Re: Verifying a timestamp signed using a cert issued by a sub CA (intermediate)

> On Nov 14, 2017, at 2:30 AM, Marcus Lundblad <marcus.lundblad@xxxxxxxxxxxx> wrote:
> 
> I'm trying to verify a timestamp that was signed using a signer
> certificate that has been issued by an intermediate CA.
> I'm only able to verify when specifying the intermediate CA certificate
> as "-untrusted" and the root CA cert as "-CAfile":

This means that:

  * OpenSSL either does not see or does not support the intermediate
    CA in the peer's message.
  * The root CA in question is not part of the default trust store.

> When running with just -CAfile pointing to the intermediate CA cert, I
> get:
> 
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: FAILED
> 140693337339136:error:2F06D064:time stamp
> routines:ts_verify_cert:certificate verify
> error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get
> issuer certificate

For validation based on just the intermediate CA, you'd need
to enable "partial chains", which are supported in the 1.1.0
"ts" command via the "-partial_chain" option:

   https://www.openssl.org/docs/man1.1.0/apps/ts.html


> And if setting -CAfile to point to the root CA cert:
> 
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: FAILED
> 140228374308096:error:2F06D064:time stamp
> routines:ts_verify_cert:certificate verify
> error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get local
> issuer certificate

Looking at the TS code in OpenSSL, it seems that the peer's
chain is not used in the way one might expect (to help construct
the untrusted portion of the chain).  Rather, surprisingly, it
looks like the peer's certificates appear to be used as a "constraint"
on the constructed chain, and verification fails if some chain element
was not provided by the peer.  I don't know why this is done.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
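The invocations discussed in this thread, reproduced against a throwaway PKI so the three outcomes can be seen side by side. This is an added example, not part of the original exchange: the names Demo-Root, Demo-Intermediate, Demo-TSA, demo.cnf and the policy OID 1.2.3.4.1 are made up for the demo, and it assumes an OpenSSL 1.1.0 or later binary on PATH (for -partial_chain).

```shell
#!/bin/sh
# Added example (not from the thread): throwaway PKI root -> intermediate -> TSA
# signer; all names (Demo-Root, demo.cnf, policy OID 1.2.3.4.1) are constructed.
cd "$(mktemp -d)" || exit 1
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
[tsa_ext]
# ts -verify insists on a critical EKU that contains only timeStamping
extendedKeyUsage = critical, timeStamping
[tsa]
default_tsa = tsa1
[tsa1]
serial = tsaserial
signer_cert = tsa.crt
certs = tsa.crt
signer_key = tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper for the setup steps
newkey() { q openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr"; }
build_pki() {
  newkey Demo-Root root && newkey Demo-Intermediate int && newkey Demo-TSA tsa &&
  q openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile demo.cnf -extensions ca_ext -out root.crt &&
  q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 -extfile demo.cnf -extensions ca_ext -out int.crt &&
  q openssl x509 -req -in tsa.csr -CA int.crt -CAkey int.key -CAcreateserial -days 1 -extfile demo.cnf -extensions tsa_ext -out tsa.crt
}
# -cert asks the TSA to embed its own certificate in the token; the intermediate
# is deliberately left out, as in the poster's case.
issue_timestamp() {
  echo 'constructed sample data' > data.txt &&
  q openssl ts -query -config demo.cnf -data data.txt -sha256 -cert -out req.tsq &&
  q openssl ts -reply -config demo.cnf -queryfile req.tsq -out resp.tsr
}
# Exit status is openssl's own: 0 for "Verification: OK", 1 for "Verification: FAILED".
tsverify() { openssl ts -verify -config demo.cnf -data data.txt -in resp.tsr "$@" >/dev/null 2>&1; }
verify_full_chain()        { tsverify -untrusted int.crt -CAfile root.crt; }   # what the poster had to do
verify_root_only()         { tsverify -CAfile root.crt; }        # "unable to get local issuer certificate"
verify_intermediate_only() { tsverify -CAfile int.crt; }         # "unable to get issuer certificate"
verify_partial_chain()     { tsverify -CAfile int.crt -partial_chain; }   # 1.1.0+: intermediate as anchor
build_pki && issue_timestamp || { echo 'PKI setup failed' >&2; exit 1; }
verify_full_chain && echo 'untrusted intermediate + CAfile root: OK'
verify_partial_chain && echo 'CAfile intermediate + -partial_chain: OK'
verify_root_only || echo 'CAfile root alone: FAILED'
verify_intermediate_only || echo 'CAfile intermediate alone: FAILED'
```

Run it with `sh` in a scratch directory; the demo.cnf written by the script doubles as the req config, the extension file and the TSA config, so it does not depend on the system openssl.cnf.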
