[openssl-users] openssl verify and alt_chains

Jakob Bohm jb-openssl at wisemo.com
Thu Dec 31 17:55:20 UTC 2015

On 31/12/2015 18:12, Viktor Dukhovni wrote:
> On Thu, Dec 31, 2015 at 04:56:08PM +0000, Gareth Williams wrote:
>> I now try to cross-certify by adding another Root CA (Example Root CA) and
>> use that to sign the original Gareth Williams Policy CA certificate signing
>> request, then add this new certificate to the chain.crt file:
>> Gareth Williams Root CA               Example Root CA
>>            |                                   |
>> Gareth Williams Policy CA          Gareth Williams Policy CA
>>            |                                   |
>>            +----------------+------------------+
>>                             |
>>                 Gareth Williams Issuing CA
>>                             |
>>                 office.garethwilliams.me.uk
> You're not supposed to create two different untrusted intermediate
> certificates, include both and hope for a good outcome.  OpenSSL
> does not try all possible untrusted intermediates at every depth
> in the chain, that has exponential cost in the chain depth.
I believe it would be at worst linear in the number of offered/loaded
certificates, and in practice limited to much less by the number of
certificates actually having multiple candidates.

The other X509 libraries in common use (such as NSS) seem to cope just
fine, and have presumably managed to arrange their search algorithms to
not be subject to remote denial of service via combinatorial explosion.

> The alternate chain is built only when (by default) not doing
> "trusted first", and drops one of the previously selected untrusted
> certificates at a time (from the top of the chain) and looks for
> a match in the *trust* store.  This never looks at alternative
> untrusted certificates.
> Cross-sign roots, not intermediates, and include the cross-signed
> root in the trust store.  Then if a user happens to include the
> root CA in the chain that is not trusted but the trust store contains
> a cross-signed intermediate, you win.
And how would the code cope with a root that was cross signed by two
other roots, and was not itself on the trust list?  Wouldn't that be
indistinguishable from the OP's test scenario?


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
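
Added example, not part of the original message and not OpenSSL code: a simplified Python model of the two chain-building strategies discussed in this thread, run on the topology from the diagram. It contrasts "first untrusted issuer at each depth, then drop from the top and consult only the trust store" with a search that also tries alternative untrusted issuers.
Assumptions: a certificate is reduced to (label, subject, issuer), a name match stands in for signature verification, only Example Root CA is in the trust store, and the order of certificates in chain.crt is as listed.

```python
from collections import namedtuple

# Model only: a certificate is (label, subject, issuer), and an issuer/subject
# name match stands in for signature verification. All values are constructed.
Cert = namedtuple("Cert", "label subject issuer")

def issuers(cert, pool):
    return [c for c in pool if c.subject == cert.issuer and c is not cert]

def build_first_match(leaf, untrusted, trusted):
    """First untrusted issuer per depth; then drop from the top, trust store only."""
    chain = [leaf]
    while True:
        cands = [c for c in issuers(chain[-1], untrusted) if c not in chain]
        if not cands:
            break
        chain.append(cands[0])
    while chain:
        anchor = issuers(chain[-1], trusted)
        if anchor:
            return [c.label for c in chain + anchor[:1]]
        chain.pop()  # drop one untrusted certificate and retry
    return None

def build_backtracking(leaf, untrusted, trusted, chain=()):
    """Depth-first search that also tries alternative untrusted issuers."""
    chain = list(chain) + [leaf]
    anchor = issuers(leaf, trusted)
    if anchor:
        return [c.label for c in chain + anchor[:1]]
    for cand in issuers(leaf, untrusted):
        if cand not in chain:  # guard against issuer loops
            found = build_backtracking(cand, untrusted, trusted, chain)
            if found:
                return found
    return None

# Topology from the diagram; both Policy CA certificates share one subject.
LEAF = Cert("office", "office.garethwilliams.me.uk", "Gareth Williams Issuing CA")
ISSUING = Cert("issuing", "Gareth Williams Issuing CA", "Gareth Williams Policy CA")
POLICY_GW = Cert("policy-by-gw-root", "Gareth Williams Policy CA", "Gareth Williams Root CA")
POLICY_EX = Cert("policy-by-example-root", "Gareth Williams Policy CA", "Example Root CA")
EXAMPLE_ROOT = Cert("example-root", "Example Root CA", "Example Root CA")
CHAIN_FILE = [ISSUING, POLICY_GW, POLICY_EX]  # assumed order in chain.crt
TRUST_STORE = [EXAMPLE_ROOT]                  # assumption: only this root is trusted

if __name__ == "__main__":
    print(build_first_match(LEAF, CHAIN_FILE, TRUST_STORE),
          build_backtracking(LEAF, CHAIN_FILE, TRUST_STORE))
```

In this model the first-match result depends on the order of the two Policy CA entries in the untrusted list, while the backtracking result does not.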