[openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

Erwann Abalea erwann.abalea at opentrust.com
Mon Apr 6 16:40:28 UTC 2015

Le 04/04/2015 05:31, Jakob Bohm a écrit :
> (top posting like the rest of the thread)

(I don't like it either, but that's what Thunderbird proposes by default).

> What makes you think it is incorrect to check the Key
> Identifier (where present) before checking a signature
> against a key?

Because the presented file4.pem is a valid issuer certificate for the 
one found in file3.pem?
RFC5280 section 6.1 gives the validation algorithm, and the Key 
Identifier isn't mentioned.
6.1.3(a) checks for signature, validity, revocation status, and names 
(i.e. that issuercert.subjectName = cert.issuerName).

You're not supposed to follow exactly the same algorithm (or the one 
described in X.509), but whatever you choose, the result MUST be equivalent.

> What other reasonable purpose could the Key Identifier
> fields serve?

A helper to build a certificate chain to be passed to the validation 

> On 03/04/2015 10:56, Erwann Abalea wrote:
> > (Forwarded to openssl-users)
> >
> > The subjectName of file4.pem matches the issuerName of
> > file3.pem, the signature block in file3.pem, when verified
> > with the public key of file4.pem, gives a correct signature
> > for the tbsCertificate of file3.pem. But Openssl also
> > (incorrectly, IMO) checks that file4.pem.SKI matches
> > file3.pem.AKI, and refuses to go further (here, AKI doesn't
> > match SKI).
> >
> > Le 03/04/2015 03:10, Yuting Chen a écrit :
> > > I used OpenSSL to verify a certificate file (file3.pem)
> > > against another certificate file (file4.pem). OpenSSL
> > > reports that it cannot find the issuer of the cert in
> > > file3.pem; while when I displays file3.pem and file4.pem,
> > > it appears that the issuer of the cert in file3.pem is the
> > > same as the subject of the cert in file4.pem. Did I miss
> > > anything?
> P.S.
> Don't put your e-mail sig in the middle of the mail, it causes
> standards-compliant mail programs to cut off everything below
> it when replying (because everyting below the --<space> marker
> is, by definition, just the e-mail sig).

I know, I often forget to manually switch between "corporate" and "hard 
core" modes. And Thunderbird doesn't help.


More information about the openssl-users mailing list