On Mon, 16 Aug 2021 16:30:05 +0200, Ken Goldman wrote:
> On 8/16/2021 10:04 AM, Viktor Dukhovni wrote:
> >> It seems as though the 'verify' command checks the issuer,
> >> but not the signature of the certificate - the last parameter.
> >
> > As documented.
>
> Then I am not understanding the documentation.
>
> https://www.openssl.org/docs/man1.1.1/man1/verify.html
>
> says
>
> "The final operation is to check the validity of the certificate chain.
> ...
> The certificate signature is checked as well "
>
> However, my experience is that the certificate signature is not
> checked. I can hand modify the validity, public key, or
> signature, but the command still returns "OK".

The documentation on '-check_ss_sig' finishes with this:

    "... This verification is disabled by default because it doesn't add
    any security."

I'm sure this can be debated, but that's at least an explanation.

Cheers,
Richard

--
Richard Levitte         levitte@xxxxxxxxxxx
OpenSSL Project         http://www.openssl.org/~levitte/
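The behaviour Richard points at, that the self-signature of the trust anchor is skipped unless `-check_ss_sig` is given, can be reproduced directly with the CLI. The script below is an added example and is not part of this thread or of the OpenSSL project: it generates a throwaway self-signed root, flips the last byte of its DER encoding (the tail of the signatureValue, so the tbsCertificate with names, validity and public key is untouched), and runs `openssl verify` against the corrupted certificate as its own trust anchor, with and without `-check_ss_sig`. It assumes an `openssl` binary (1.1.1 or 3.x) and POSIX `dd`, `od`, `wc`, `tail` and `printf`; the file names and the helper functions are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSL project: show that
# `openssl verify` accepts a self-signed certificate whose signature bytes
# were corrupted when that certificate is itself the trust anchor, and that
# -check_ss_sig makes the same verification fail.
# Assumes an openssl CLI (1.1.1 or 3.x) and POSIX dd/od/wc/tail/printf.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed root (constructed test data, valid 1 day).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=check-ss-sig demo root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
}

# Corrupt the signature only. In a DER-encoded Certificate the signatureValue
# BIT STRING is the last element, so flipping the final byte leaves the
# tbsCertificate (names, validity, public key) intact and breaks the signature.
# The result is re-encoded as PEM so it can be used with -CAfile.
tamper_signature() {
    src=$1
    dst=$2
    openssl x509 -in "$src" -outform DER -out "$WORK/tmp.der" 2>/dev/null || return 1
    size=$(wc -c < "$WORK/tmp.der")
    last=$(tail -c 1 "$WORK/tmp.der" | od -An -tu1 | tr -d ' \n')
    flipped=$(( last ^ 1 ))
    {
        dd if="$WORK/tmp.der" bs=1 count=$(( size - 1 )) 2>/dev/null
        # The inner printf builds an octal escape (e.g. \115) that the outer
        # printf turns into the single replacement byte.
        printf "$(printf '\\%03o' "$flipped")"
    } > "$WORK/tampered.der"
    openssl x509 -in "$WORK/tampered.der" -inform DER -out "$dst" 2>/dev/null
}

# Verify a certificate with itself as the only explicitly trusted CA, passing
# any extra verify options first. Prints OK or FAIL; the return status
# mirrors the openssl exit status.
verify_self() {
    cert=$1
    shift
    if openssl verify "$@" -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

# Run the four cases and print a small table.
demo() {
    make_root || { echo "could not generate test certificate" >&2; return 1; }
    tamper_signature "$WORK/root.pem" "$WORK/tampered.pem" \
        || { echo "could not tamper with certificate" >&2; return 1; }
    printf '%-26s %s\n' "intact, default:"         "$(verify_self "$WORK/root.pem")"
    printf '%-26s %s\n' "intact, -check_ss_sig:"   "$(verify_self "$WORK/root.pem" -check_ss_sig)"
    printf '%-26s %s\n' "tampered, default:"       "$(verify_self "$WORK/tampered.pem")"
    printf '%-26s %s\n' "tampered, -check_ss_sig:" "$(verify_self "$WORK/tampered.pem" -check_ss_sig)"
}

demo
```

The tampered certificate passes in the default case because the chain-building logic finds an exact copy of it in the trust store and stops there; trust is conferred by membership in the store, not by the self-signature, which is what the man page means by the check adding no security. The flag is still useful as an integrity check on the anchor file itself (a corrupted or mis-edited root is caught with `-check_ss_sig`, silently accepted without it), and any certificate below the anchor is signature-checked in both modes.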