[openssl-dev] [openssl.org #3721] Patch for additional checking of self-signed certificates

Brian Smith brian at briansmith.org
Fri Feb 27 22:31:34 UTC 2015


Short, Todd via RT <rt at openssl.org> wrote:
> Check that in matching issuer/subject certs, that a self-signed subject also has a self-signed issuer.
> Given that the subject certificate is self-signed, it means that the issuer and the subject are the same certificate. This change verifies that.
>
> Github link:
> https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b

Could you explain this more?

In your patch, there is a comment that says "Input certificate
(subject) is self signed." But, the test is that the issuer name
equals the subject name. That means the certificate is self-*issued*,
not self-*signed*.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key2 }
{ Subject=Foo, Issuer=Foo, Key=Key2, Signed by Key3 }
{ Subject=Foo, Issuer=Foo, Key=Key3, Signed by Key3, Trust Anchor }

All three certificates are self-issued. The issuer of the first
certificate is not self-signed but it is self-issued. But, it being
self-issued doesn't matter because it isn't a trust anchor.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key1 }
{ Subject=Foo, Issuer=Bar, Key=Key1, Signed by Key2 }
{ Subject=Bar, Issuer=Bar, Key=Key2, Signed by Key2, Trust Anchor }

The first certificate is self-signed and self-issued. Its issuer is
not self-signed or self-issued, so your patch would reject this chain.
But, this is a valid chain.

Cheers,
Brian
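
As an added illustration of the self-issued versus self-signed distinction drawn above (this is not code from the thread, from the Akamai patch, or from OpenSSL), the following Python model encodes Brian's two chains and runs a plain chain walk with and without the extra rule as the quoted summary describes it: a self-issued subject must have a self-issued issuer. Key ids stand in for real keys and signature verification is modelled as "signing key equals issuer's key"; the reading of the patch's rule is an assumption, since the commit itself is not on the page.

```python
from dataclasses import dataclass
from typing import List


# Constructed toy model of an X.509 chain (no real cryptography).
# Each certificate records its names, the key it carries and the key
# that produced its signature; key ids stand in for public keys.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str            # public key carried in the certificate
    signed_by: str      # key that produced the signature
    trust_anchor: bool = False


def is_self_issued(cert: Cert) -> bool:
    """Issuer name equals subject name (RFC 5280 sense). Says nothing about keys."""
    return cert.subject == cert.issuer


def is_self_signed(cert: Cert) -> bool:
    """Self-issued and the signature verifies under the certificate's own key."""
    return is_self_issued(cert) and cert.signed_by == cert.key


def signature_ok(subject: Cert, issuer: Cert) -> bool:
    """Stand-in for signature verification: signing key must be the issuer's key."""
    return subject.signed_by == issuer.key


def verify_chain(chain: List[Cert], *, patch_rule: bool = False) -> bool:
    """Walk leaf -> anchor: names must chain, each cert must verify under
    the next cert's key, and the last cert must be a trust anchor.

    With patch_rule=True, also apply the rule as I read the quoted patch
    summary (assumption): a self-issued subject must have a self-issued
    issuer, otherwise the chain is rejected."""
    if not chain or not chain[-1].trust_anchor:
        return False
    for subject, issuer in zip(chain, chain[1:]):
        if subject.issuer != issuer.subject:
            return False
        if not signature_ok(subject, issuer):
            return False
        if patch_rule and is_self_issued(subject) and not is_self_issued(issuer):
            return False
    return True


# Brian's first chain: every certificate is self-issued, only the anchor
# is self-signed.
CHAIN_A = [
    Cert("Foo", "Foo", "Key1", "Key2"),
    Cert("Foo", "Foo", "Key2", "Key3"),
    Cert("Foo", "Foo", "Key3", "Key3", trust_anchor=True),
]

# Brian's second chain: the leaf is self-signed (Key1 under Key1) and is
# also validly issued by a cross-certificate for Foo carrying Key1 that
# Bar signed. The leaf's issuer certificate is neither self-issued nor
# self-signed, so the patch rule rejects an otherwise valid chain.
CHAIN_B = [
    Cert("Foo", "Foo", "Key1", "Key1"),
    Cert("Foo", "Bar", "Key1", "Key2"),
    Cert("Bar", "Bar", "Key2", "Key2", trust_anchor=True),
]


if __name__ == "__main__":
    for name, chain in (("A", CHAIN_A), ("B", CHAIN_B)):
        leaf = chain[0]
        print(f"chain {name}: leaf self-issued={is_self_issued(leaf)} "
              f"self-signed={is_self_signed(leaf)} "
              f"plain={verify_chain(chain)} "
              f"with_patch_rule={verify_chain(chain, patch_rule=True)}")
```

Running it shows the two properties coming apart: chain A's leaf is self-issued but not self-signed (so a comment saying "self signed" over a name-equality test is misleading), and chain B verifies under the plain walk but fails once the patch rule is applied, which is the false rejection Brian describes.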

