Client authentication certificate verification

Client authentication certificate verification

Sudarshan Raghavan
This is the CA - Leaf hierarchy I am testing with

Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf

Trusted certificates configured: Root CA and Intermediate CA 2

Client authenticates itself with this chain: Leaf > Intermediate CA 2 > Intermediate CA 1

I am using openssl 1.1.0f. This client authentication attempt is flagged as failed by OpenSSL. When I enable the X509_V_FLAG_PARTIAL_CHAIN flag, it passes. I was trying to understand why the partial chain flag is needed when the verification chain from Leaf to Root CA can be constructed using both the chain sent by the client and the certificates configured in the trusted store. I looked at the code in the build_chain function inside crypto/x509/x509_vfy.c. This is what I understand: if the issuer of the Leaf certificate (Intermediate CA 2) is found in the trusted store, the code will no longer look in the untrusted chain sent by the client. The code expects that the chain to the Root CA can be constructed from the trusted store itself. Given that Intermediate CA 1 is not in the trusted store, it fails to construct the verification chain to the Root CA and flags a failure. Did I understand this right? I assume that in this scenario, enabling the partial chain flag is the way to go.

Regards,
Sudarshan

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
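The behaviour described in the post above can be reproduced with the openssl command-line tool, which exposes X509_V_FLAG_PARTIAL_CHAIN as `openssl verify -partial_chain`. The script below is an added example, not part of the original post and not OpenSSL's own code. It assumes an `openssl` binary (1.1.0 or later) on PATH, generates a throwaway Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf hierarchy with constructed subject names and file names, and runs `openssl verify` against four trust stores: the store from the post (Root + ICA2) with and without -partial_chain, a store holding only the Root, and a store holding all three CAs. The helper names mkcert, verify and run_case are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce OpenSSL's chain-building
# behaviour with the openssl CLI. Assumes `openssl` (1.1.0+) is on PATH.
# All names (file names, subjects, helper functions) are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so `openssl req` does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions for CA certificates: intermediates must be CA:TRUE or chain
# building rejects them as issuers (X509_V_ERR_INVALID_CA).
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > leaf.ext

# mkcert NAME SUBJECT ISSUER EXTFILE: issue NAME.pem signed by ISSUER.pem
# (or self-signed when ISSUER is "self"). Keys are throwaway P-256 keys.
mkcert() {
  name=$1; subj=$2; issuer=$3; ext=$4
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config req.cnf -subj "$subj" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

# The hierarchy from the post: Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
mkcert root "/CN=Root CA"           self ca.ext
mkcert ica1 "/CN=Intermediate CA 1" root ca.ext
mkcert ica2 "/CN=Intermediate CA 2" ica1 ca.ext
mkcert leaf "/CN=Leaf"              ica2 leaf.ext

# What the client sends alongside its leaf: ICA2 and ICA1 (the untrusted chain).
cat ica2.pem ica1.pem > sent.pem

# Candidate trust stores.
cat root.pem ica2.pem          > store_root_ica2.pem   # as configured in the post
cat root.pem                   > store_root.pem
cat root.pem ica1.pem ica2.pem > store_all.pem

# verify STORE [extra flags]: print "ok" or "fail" for leaf.pem against STORE,
# with sent.pem offered as untrusted certificates, the way a TLS server sees
# a client certificate chain.
verify() {
  store=$1; shift
  if openssl verify -CAfile "$store" -untrusted sent.pem "$@" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

run_case() {  # run_case LABEL STORE [extra flags]
  label=$1; store=$2; shift 2
  printf '%-48s %s\n' "$label" "$(verify "$store" "$@")"
}

run_case "store={Root, ICA2}, default flags"       store_root_ica2.pem
run_case "store={Root, ICA2}, -partial_chain"      store_root_ica2.pem -partial_chain
run_case "store={Root}, default flags"             store_root.pem
run_case "store={Root, ICA1, ICA2}, default flags" store_all.pem
```

The first case fails and the other three pass. In the default-flag run with Root + ICA2 in the store, build_chain finds the leaf's issuer (ICA2) in the trust store, stops consulting the untrusted certificates the client sent, and then cannot find ICA2's issuer (ICA1) in the store, so the chain never reaches the Root. With -partial_chain, chain building stops at ICA2 and treats it as the trust anchor; ICA1 and the Root are never consulted. Note what that flag means operationally: every certificate in the store becomes an acceptable anchor, not only self-signed roots, so it is the right tool only if you intend each store certificate to be trusted in its own right. If the intent is that trust flows from the Root, the store should hold either the Root alone or the Root plus every intermediate on the path.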
Re: Client authentication certificate verification

Sudarshan Raghavan
I understand that the trusted store must either include Intermediate CA 1, or have Intermediate CA 2 removed and contain just the Root CA. I was trying things out to understand how client authentication works.

Regards,
Sudarshan

On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <[hidden email]> wrote: