question about certificate verify
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Mon Aug 26 14:39:40 UTC 2019
Is there a potential problem - if a certificate has multiple issues, such as bad signature and certificate expired? Would all of these conditions be reported, or only the first one detected?
Regards,
Uri
Sent from my iPhone
On Aug 26, 2019, at 10:11, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>> On Aug 26, 2019, at 5:24 AM, forston_shi at trendmicro.com wrote:
>>
>> We check a sub-certificate with a lot of root certificates.
>> We don’t want to check the sub-certificate’s expiry time, but we want to get an error when the root certificate has expired.
>>
>> I try to verify it by following option,
>> X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
>> X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);
>>
>> iret = X509_verify_cert(xstore_ctx);
>>
>> But it also will ignore root certificate’s expire.
>>
>> So, can you give me some suggestions for my question?
>
> To ignore expiration of only the leaf certificate, you
> need a verification callback that checks the error
> reason at depth 0 and if it is expiration, returns
> "ok = 1" anyway.
>
> --
> Viktor.
>