Re: Certificate Verify and non-root Trust Anchors

Hi Victor,

Does it matter that we are not in the TLS case (maybe the code is different in the SSL_CTX)? I am just trying to validate the chain with the TA set to the SubCA... :D

IMHO, the correct (or, better, the expected) behavior (from a developer's standpoint) would be to trust keys in the trusted certificates list, no matter whether they are in the form of a self-signed or a non-self-signed certificate - after all, it is a Trust Anchor --> just a public key :D

Just my 2 cents...

Cheers,
Max


On 12/11/17 4:54 PM, Viktor Dukhovni wrote:

> On Dec 11, 2017, at 6:27 PM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
>
>> I believe that I ran into a similar problem whereby I could not pin
>> ('trust') an intermediate certificate (which was not self-signed) for the
>> purposes of verifying a CMS/PKCS7 object.
>>
>> I don't have a solution, and I believe that work is required.
>
> As I already mentioned a few times, the new X509_V_FLAG_PARTIAL_CHAIN
> flag added in 1.0.2 addresses this issue.
>
> To get pinning provide a trust store with just the pinned issuer CA,
> and X509_V_FLAG_PARTIAL_CHAIN set.
>
> With OpenSSL 1.1.0 one can also implement pinning by computing a TLSA
> record for the pinned CA, and using OpenSSL's DANE support.  OpenSSL
> does not do the DNS lookups to find TLSA records, that's up to the
> application, so the TLSA records can be entirely synthetic (e.g.
> derived from suitable hashes of a pinned CA cert or its public key).


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
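The two pinning techniques Viktor describes, worked through on the command line. This is an added example, not part of the thread and not OpenSSL project code: `openssl verify -partial_chain` is the CLI form of X509_V_FLAG_PARTIAL_CHAIN (in C you would set it with X509_VERIFY_PARAM_set_flags on the store's or SSL_CTX's verify parameters), and the TLSA record data at the end is the kind of synthetic DANE-TA record an application can feed to OpenSSL without any DNS lookup. The whole PKI (a root, the pinned sub CA, an unrelated CA for the negative check, and a leaf named leaf.example.test) is constructed on the fly; the script assumes an OpenSSL 1.1.1 or newer `openssl` binary with its stock openssl.cnf, since `openssl req` needs one.

```shell
#!/bin/sh
# Added example: pin a non-root CA with openssl(1).  Not code from the thread
# or from the OpenSSL project; every name, path and certificate is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make an EC key and CSR: $1=key file, $2=CSR file, $3=CN.
newkey_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1" -out "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# Issue a certificate from a CSR: $1=CSR, $2=output cert, $3=extension file;
# the remaining arguments say who signs (-signkey for self-signed, -CA/-CAkey otherwise).
issue() {
    csr=$1; out=$2; ext=$3; shift 3
    openssl x509 -req -in "$csr" -out "$out" -days 30 -extfile "$ext" "$@" >/dev/null 2>&1
}

# Build the constructed PKI: Root -> Sub CA -> leaf, plus one unrelated CA.
make_pki() {
    d=$WORK
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectAltName=DNS:leaf.example.test\n' > "$d/leaf.ext"
    newkey_csr "$d/root.key"  "$d/root.csr"  "Constructed Root CA"
    newkey_csr "$d/sub.key"   "$d/sub.csr"   "Constructed Sub CA"
    newkey_csr "$d/other.key" "$d/other.csr" "Constructed Unrelated CA"
    newkey_csr "$d/leaf.key"  "$d/leaf.csr"  "leaf.example.test"
    issue "$d/root.csr"  "$d/root.pem"  "$d/ca.ext"   -signkey "$d/root.key"  -set_serial 1
    issue "$d/other.csr" "$d/other.pem" "$d/ca.ext"   -signkey "$d/other.key" -set_serial 1
    issue "$d/sub.csr"   "$d/sub.pem"   "$d/ca.ext"   -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2
    issue "$d/leaf.csr"  "$d/leaf.pem"  "$d/leaf.ext" -CA "$d/sub.pem"  -CAkey "$d/sub.key"  -set_serial 3
}

# Sub CA alone in the trust store, default flags: fails, because the builder
# still wants a self-signed issuer for the Sub CA and none is available.
verify_subca_default() {
    openssl verify -CAfile "$WORK/sub.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Same store with -partial_chain: the non-root trust anchor terminates the chain.
verify_subca_partial() {
    openssl verify -partial_chain -CAfile "$WORK/sub.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# The pin must also reject: an unrelated CA in the store does not verify the leaf.
verify_wrong_pin() {
    openssl verify -partial_chain -CAfile "$WORK/other.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Conventional verification with the root trusted and the Sub CA as an untrusted helper.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Synthetic TLSA rdata for the pinned Sub CA: usage 2 (DANE-TA), selector 1
# (SubjectPublicKeyInfo), matching type 1 (SHA-256).  Computed locally, no DNS.
tlsa_rrdata() {
    hex=$(openssl x509 -in "$WORK/sub.pem" -pubkey -noout \
          | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    printf '2 1 1 %s\n' "$hex"
}

report() { if "$1"; then echo "$2: OK"; else echo "$2: FAILED"; fi; }

make_pki
report verify_subca_default "Sub CA in store, default flags"       # FAILED
report verify_subca_partial "Sub CA in store, -partial_chain"      # OK
report verify_wrong_pin     "Unrelated CA in store, -partial_chain" # FAILED
report verify_full_chain    "Root in store, Sub CA as -untrusted"  # OK
echo "Synthetic TLSA rdata for the Sub CA: $(tlsa_rrdata)"
```

The first two results are the behaviour the thread is about: the same trust store verifies the leaf only once the partial-chain flag tells the verifier that a trusted non-self-signed certificate may end the chain. The third is the check worth keeping around when you deploy a pin, since a pin that cannot fail is not a pin. The TLSA rdata line is what an application would hand to OpenSSL's DANE API (or to `openssl s_client -dane_tlsa_domain` with `-dane_tlsa_rrdata`) in place of a DNS answer; selector 1 with matching type 1 hashes the SubjectPublicKeyInfo, so re-issuing the CA certificate under the same key does not break the pin, while usage 2 pins the issuer rather than the end-entity key.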