[openssl-users] Certificate Verify and non-root Trust Anchors

Viktor Dukhovni openssl-users at dukhovni.org
Mon Dec 11 23:54:22 UTC 2017



> On Dec 11, 2017, at 6:27 PM, Michael Richardson <mcr at sandelman.ca> wrote:
> 
> I believe that I ran into a similar problem where by I could not pin
> ('trust') an intermediate certificate (which was not self-signed) for the
> purposes of verifying a CMS/PKCS7 object.
> 
> I don't have a solution, and I believe that work is required.

As I already mentioned a few times, the new X509_V_FLAG_PARTIAL_CHAIN
flag added in 1.0.2 addresses this issue.

To get pinning provide a trust store with just the pinned issuer CA,
and X509_V_FLAG_PARTIAL_CHAIN set.

With OpenSSL 1.1.0 one can also implement pinning by computing a TLSA
record for the pinned CA, and using OpenSSL's DANE support.  OpenSSL
does not do the DNS lookups to find TLSA records, that's up to the
application, so the TLSA records can be entirely synthetic (e.g.
derived from suitable hashes of a pinned CA cert or its public key).

-- 
	Viktor.



More information about the openssl-users mailing list