Misunderstanding openssl verify
levitte at openssl.org
Mon Aug 16 20:20:58 UTC 2021
On Mon, 16 Aug 2021 16:30:05 +0200,
Ken Goldman wrote:
> On 8/16/2021 10:04 AM, Viktor Dukhovni wrote:
> >> It seems as though the 'verify' command checks the issuer,
> >> but not the signature of the certificate - the last parameter.
> > As documented.
> Then I am not understanding the documentation.
> "The final operation is to check the validity of the certificate chain.
> The certificate signature is checked as well"
> However, my experience is that the certificate signature is not
> checked. I can hand modify the validity, public key, or
> signature, but the command still returns "OK".
The documentation on '-check_ss_sig' finishes with this:
"... This verification is disabled by default because it doesn't add
I'm sure this can be debated, but that's at least an explanation.
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
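
The behaviour discussed in this thread can be reproduced with the script below. It is an added example, not part of the original message or of OpenSSL's own documentation. It assumes the openssl CLI (1.1.1 or later) is on PATH; the file names, the subject name and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: all file names and the subject name are constructed.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.

# Create a self-signed certificate in directory $1 (good.pem), then write a
# copy whose last signature byte has one bit flipped (bad.pem).
make_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$d/key.pem" -out "$d/good.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/good.pem" -outform DER -out "$d/good.der" || return 1
    size=$(wc -c < "$d/good.der" | tr -d ' \n')
    # The signatureValue BIT STRING is the final field of the DER encoding,
    # so the last byte of the file is the last byte of the signature.
    last=$(tail -c 1 "$d/good.der" | od -An -tu1 | tr -d ' \n')
    head -c $((size - 1)) "$d/good.der" > "$d/bad.der"
    printf "\\$(printf '%03o' $((last ^ 1)))" >> "$d/bad.der"
    openssl x509 -inform DER -in "$d/bad.der" -out "$d/bad.pem"
}

# Verify certificate $1 with itself as the only trust anchor. Any remaining
# arguments are passed to `openssl verify`. Returns openssl's exit status.
verify_self() {
    cert=$1; shift
    openssl verify "$@" -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Run all four combinations and print one result line for each.
demo() {
    d=$(mktemp -d) || return 1
    make_certs "$d" || return 1
    for c in good bad; do
        for opt in "" "-check_ss_sig"; do
            if verify_self "$d/$c.pem" $opt; then r=OK; else r=FAIL; fi
            echo "$c.pem ${opt:-(default)}: $r"
        done
    done
    rm -rf "$d"
}

demo
```

Only the tampered certificate checked with `-check_ss_sig` is rejected; without that option the corrupted self-signed signature is never examined, because the certificate is accepted as a trust anchor.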