[openssl-dev] Cannot verify self-signed certificates?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Dec 15 22:30:33 UTC 2015


>> If I want to “partially” verify a certificate via the command-line
>> utility - e.g. when I don’t have the issuing certificate at hand, is
>> there a way to tell openssl tool to go just as far as it can *without*
>> climbing up the cert chain? I understand and agree that it
>> significantly reduces the value of the verification - but in some [of
>> my use] cases it is sufficient. If it is not supported now - would it
>> be possible to add such capability as an option?
>
> What does "partially verify" mean?  Without the issuer's public key, you
> can't check the signature, so all you can do is *parse* the certificate,
> but you can't *verify* it.

Yes, you’re 100% correct.

By “partially verify” I mean “check for (in)consistencies”, malformed
attributes, extensions disagreeing with “-purpose”, etc.

Also, I may not have *all* of the chain available - in which case I’d like
this command-line tool to stop at the last *available* certificate of the
verification chain, telling me whether the check was OK or not *within the
available chain*. 


> The "x509" utility parses certificates, what do you want to do that goes
> beyond parsing, but stops short of checking the issuer signature?

As I said above - match of the extensions to “-purpose”, for one thing…
“x509” just parses. But I guess you’re correct - if I don’t have the chain
to verify signatures, eyeballing the extensions printed with “-text
-noout” would in the end give the same result. Having a tool doing it for
me would be more convenient, but I see your point.

Also, in your next email you mention “openssl verify -partial_chain”.
Alas, I don’t see this option:

$ openssl version
OpenSSL 1.0.2e 3 Dec 2015
$ openssl verify --help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose]
[-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2
...
recognized usages:
	sslclient 	SSL client
	sslserver 	SSL server
	nssslserver	Netscape SSL server
	smimesign 	S/MIME signing
	smimeencrypt	S/MIME encryption
	crlsign   	CRL signing
	any       	Any Purpose
	ocsphelper	OCSP helper
	timestampsign	Time Stamp signing
$ man verify

NAME
       verify - Utility to verify certificates.


SYNOPSIS
       openssl verify [-CApath directory] [-CAfile file] [-purpose
purpose] [-policy arg]
       [-ignore_critical] [-attime timestamp] [-check_ss_sig] [-crlfile
file] [-crl_download]
       [-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy]
[-inhibit_any] [-inhibit_map]
       [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print]
[-no_alt_chains] [-untrusted
       file] [-help] [-issuer_checks] [-trusted file] [-verbose] [-]
[certificates]


DESCRIPTION
       The verify command verifies certificate chains.




Thanks!
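The two behaviours discussed in this message, stopping at the last *available* certificate and checking extensions against `-purpose`, as an added example that is not part of the thread or of OpenSSL's own test suite. It constructs a throwaway root -> intermediate -> leaf chain, then runs `openssl verify` with only the intermediate in `-CAfile` (the root is deliberately absent): without `-partial_chain` the verify fails because the issuer of the intermediate cannot be found; with it the intermediate is accepted as the trust anchor. The leaf carries only the `clientAuth` EKU, so `-purpose sslclient` passes and `-purpose sslserver` is rejected. It assumes an `openssl` binary that accepts `-partial_chain` (any 1.1.0 or later release); the subject names, the host name `leaf.example.test` and the `$WORK` directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): build a root -> intermediate -> leaf
# chain from constructed test certificates, then show (1) -partial_chain letting
# `openssl verify` stop at a trusted intermediate when the root is not at hand,
# and (2) -purpose rejecting a leaf whose extendedKeyUsage disagrees with it.
# Assumes an `openssl` binary (1.1.0 or later) on PATH. Every file lives under
# $WORK; none of the names below refer to a real CA or a real host.

WORK="${TMPDIR:-/tmp}/partial-chain-demo.$$"
mkdir -p "$WORK"

# Constructed extension profiles for the two CA certificates and for the leaf.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:leaf.example.test
EOF

# new_csr NAME SUBJECT: fresh RSA key plus CSR in $WORK/NAME.key and $WORK/NAME.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# build_chain: self-signed root, intermediate signed by the root, leaf signed by
# the intermediate. Returns non-zero if any openssl step fails.
build_chain() {
    new_csr root "/CN=Demo Root" &&
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.pem" >/dev/null 2>&1 &&
    new_csr int "/CN=Demo Intermediate" &&
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -days 30 -out "$WORK/int.pem" >/dev/null 2>&1 &&
    new_csr leaf "/CN=leaf.example.test" &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf FLAGS: run `openssl verify` with ONLY the intermediate trusted.
# The root is intentionally not in -CAfile. Returns verify's own exit status,
# so 0 means "OK" and non-zero means the chain or purpose check failed.
verify_leaf() {
    # word-splitting of $1 is intended: it carries zero or more verify flags
    openssl verify $1 -CAfile "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# show FLAGS: one human-readable result line for the stand-alone run.
show() {
    verify_leaf "$1"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        printf '%-45s OK\n' "verify $1"
    else
        printf '%-45s FAIL (exit %s)\n' "verify $1" "$rc"
    fi
}

if build_chain; then
    show ""                                      # root missing -> fails
    show "-partial_chain"                        # intermediate is the anchor -> OK
    show "-partial_chain -purpose sslclient"     # EKU clientAuth matches -> OK
    show "-partial_chain -purpose sslserver"     # EKU disagrees -> fails
else
    echo "chain build failed; is openssl on PATH?" >&2
fi
```

The point of keeping the root out of `-CAfile` is that it reproduces the situation described above: the verifier has the leaf and one issuer but not the whole chain. `-partial_chain` changes the rule for what counts as a trust anchor (any certificate in the trust store, not only a self-signed one), while the signature on the leaf is still checked against the intermediate's key; the `-purpose` failure shows the "extensions disagreeing with -purpose" check the message asks for, applied by `verify` itself rather than by eyeballing `x509 -text` output.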