[openssl-users] Certificate Verify and non-root Trust Anchors
Dr. Pala
madwolf at openca.org
Tue Dec 12 01:15:00 UTC 2017
Hi Victor,
Ahhhh... that is why :D I wrongly assumed that the newly created
parameters would hold the same initialization. This approach works!
Thanks again!
Cheers,
Max
On 12/11/17 5:45 PM, Viktor Dukhovni wrote:
>
>> On Dec 11, 2017, at 7:35 PM, Dr. Pala <madwolf at openca.org> wrote:
>>
>>> Perhaps you ended up creating a parameter structure with a
>>> depth limit that's too small. Just configuring partial
>>> chains will never yield a chain that is longer than it
>>> otherwise would be. In fact you generally get shorter
>>> chains. So, no this is not a result of using the
>>> new flag, but may be a result of how you're going about
>>> setting the flag.
>> I actually do not set anything but the flag in the verify parameter, that is (error checking removed for clarity):
>> param = X509_VERIFY_PARAM_new();
>> X509_STORE_CTX_set0_param(ctx, param);
>> X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
> There's the problem, you're creating new parameters, instead of
> modifying the default parameters.
>
> Instead, you must call:
>
> param = X509_STORE_CTX_get0_param(ctx);
> X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
>
>> With this setting, I get the error..
> Not surprising, the parameters you created don't have the default depth
> setting.
>
>> which is the strange part as you said (the chain can not be longer :D). Maybe the code thinks that if you have a SubCA then you should have an additional level.. and since you do not have it, it sends the error... ???
>>>> ... any suggestion on how to fix this ? Do you think it is actually a bug ? ... or am I missing some other configs / setting I should have done for the verify param ?
>>>>
>>> You should obtain a reference to the existing parameters
>>> from the context, and modify these to add the new flag.
>>>
>>>
>> Well.. considering the code structure, the flags should be ok
>> (since I just set it and then use it right away...) ???
> Actually, no. You're losing all the verification parameter initialization
> done by X509_STORE_CTX_new():
>
> ctx->param = X509_VERIFY_PARAM_new();
> if (!ctx->param) {
>     X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
>     return 0;
> }
>
> /*
>  * Inherit callbacks and flags from X509_STORE if not set use defaults.
>  */
> if (store)
>     ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
> else
>     ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
>
> if (store) {
>     ctx->verify_cb = store->verify_cb;
>     /* Seems to always be 0 in OpenSSL, else must be idempotent */
>     ctx->cleanup = store->cleanup;
> } else
>     ctx->cleanup = 0;
>
> if (ret)
>     ret = X509_VERIFY_PARAM_inherit(ctx->param,
>                                     X509_VERIFY_PARAM_lookup("default"));
>