[openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?
Jakob Bohm
jb-openssl at wisemo.com
Sat Apr 4 03:31:37 UTC 2015
(top posting like the rest of the thread)
What makes you think it is incorrect to check the Key
Identifier (where present) before checking a signature
against a key?
What other reasonable purpose could the Key Identifier
fields serve?
On 03/04/2015 10:56, Erwann Abalea wrote:
> (Forwarded to openssl-users)
>
> The subjectName of file4.pem matches the issuerName of
> file3.pem, the signature block in file3.pem, when verified
> with the public key of file4.pem, gives a correct signature
> for the tbsCertificate of file3.pem. But Openssl also
> (incorrectly, IMO) checks that file4.pem.SKI matches
> file3.pem.AKI, and refuses to go further (here, AKI doesn't
> match SKI).
>
> Le 03/04/2015 03:10, Yuting Chen a écrit :
> > I used OpenSSL to verify a certificate file (file3.pem)
> > against another certificate file (file4.pem). OpenSSL
> > reports that it cannot find the issuer of the cert in
> > file3.pem; while when I displays file3.pem and file4.pem,
> > it appears that the issuer of the cert in file3.pem is the
> > same as the subject of the cert in file4.pem. Did I miss
> > anything?
P.S.
Don't put your e-mail sig in the middle of the mail, it causes
standards-compliant mail programs to cut off everything below
it when replying (because everyting below the --<space> marker
is, by definition, just the e-mail sig).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list