Verifying certificate was signed by a trusted Authority

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

Verifying certificate was signed by a trusted Authority

michael Dorrian
I know SSL_CTX_load_verify_locations() loads the CAs you trust from a pem file that you store locally on your client machine but i cannot use this function as i dont want to read a pem file on the client side. I want to know if you can check to see if the server certificate presented was signed by a trusted certification authority or if its from a self signed CA. Is there any function in Openssl that can check for this?. I basically want to accomplish the same thing as when you connect to a secure server with your browser. If its a self signed certificate an extra dialog box appears warning you about this, if not this dialog box does not appear. I am not worried about the dialog boxes of course just a way of distinguishing between them. Is there a function in Openssl that does this?.


Yahoo! Travel
Find great deals to the top 10 hottest destinations!
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

Kyle Hamilton
OpenSSL does not, by default, trust ANY certification authorities.
This means that you have to give it the certs directly.

It looks like the only way to do that at this point is to call the
(mostly) undocumented SSL_CTX_set_cert_store() function.  The best
documentation at this point is the source -- I'd suggest picking apart
the SSL_CTX_load_verify_locations() and figure out how it creates and
sets the store.

-Kyle H

On 3/14/06, michael Dorrian <[hidden email]> wrote:

> I know SSL_CTX_load_verify_locations() loads the CAs you trust from a pem
> file that you store locally on your client machine but i cannot use this
> function as i dont want to read a pem file on the client side. I want to
> know if you can check to see if the server certificate presented was signed
> by a trusted certification authority or if its from a self signed CA. Is
> there any function in Openssl that can check for this?. I basically want to
> accomplish the same thing as when you connect to a secure server with your
> browser. If its a self signed certificate an extra dialog box appears
> warning you about this, if not this dialog box does not appear. I am not
> worried about the dialog boxes of course just a way of distinguishing
> between them. Is there a function in Openssl that does this?.
>
>  ________________________________
> Yahoo! Travel
>  Find great deals to the top 10 hottest destinations!
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

michael Dorrian
Thanks for your reply. It makes sense that it does not trust any authority by default. I will try to research these functions a little more but it may be difficult to find a way to actually check that  it was signed by a trusted authority. Anyway i appreciate the help.

Kyle Hamilton <[hidden email]> wrote:
OpenSSL does not, by default, trust ANY certification authorities.
This means that you have to give it the certs directly.

It looks like the only way to do that at this point is to call the
(mostly) undocumented SSL_CTX_set_cert_store() function. The best
documentation at this point is the source -- I'd suggest picking apart
the SSL_CTX_load_verify_locations() and figure out how it creates and
sets the store.

-Kyle H

On 3/14/06, michael Dorrian wrote:

> I know SSL_CTX_load_verify_locations() loads the CAs you trust from a pem
> file that you store locally on your client machine but i cannot use this
> function as i dont want to read a pem file on the client side. I want to
> know if you can check to see if the server certificate presented was signed
> by a trusted certification authority or if its from a self signed CA. Is
> there any function in Openssl that can check for this?. I basically want to
> accomplish the same thing as when you connect to a secure server with your
> browser. If its a self signed certificate an extra dialog box appears
> warning you about this, if not this dialog box does not appear. I am not
> worried about the dialog boxes of course just a way of distinguishing
> between them. Is there a function in Openssl that does this?.
>
> ________________________________
> Yahoo! Travel
> Find great deals to the top 10 hottest destinations!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze.
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

Dr. Stephen Henson
On Tue, Mar 14, 2006, michael Dorrian wrote:

> Thanks for your reply. It makes sense that it does not trust any authority
> by default. I will try to research these functions a little more but it may
> be difficult to find a way to actually check that  it was signed by a
> trusted authority. Anyway i appreciate the help.
>

If I understand your query can do this quite simply using
SSL_CTX_get_cert_store() and calling X509_STORE_add_cert() on it for each
trusted CA.

You need to have the CAs in the form of an X509 structure but there are
several documented ways to do that include d2i_X509() and PEM_read_bio_X509().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

michael Dorrian
First of all thank you for your reply.
I read one of your previous replies to the following post and this seems to be what i need.
X509_AUX is a "trusted certificate" format
"With PEM_read_bio_X509_AUX if the certificate is trusted then the extra data
will be included."
 
This returns an X509_AUX structure and i think its this auxilliary information that i need to decide whether the certificate is from a trusted authority or not. I don't know how to extract this information though. At the moment i get my X509 structure using SSL_get_peer_certificate(). I need to use this in order to get the server certificate. Then i extract the information held within this certificate using X509_NAME_print_ex() following your previous advice. How would i go about getting this extra information that i need.



"Dr. Stephen Henson" <[hidden email]> wrote:
On Tue, Mar 14, 2006, michael Dorrian wrote:

> Thanks for your reply. It makes sense that it does not trust any authority
> by default. I will try to research these functions a little more but it may
> be difficult to find a way to actually check that it was signed by a
> trusted authority. Anyway i appreciate the help.
>

If I understand your query can do this quite simply using
SSL_CTX_get_cert_store() and calling X509_STORE_add_cert() on it for each
trusted CA.

You need to have the CAs in the form of an X509 structure but there are
several documented ways to do that include d2i_X509() and PEM_read_bio_X509().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Yahoo! Mail
Use Photomail to share photos without annoying attachments.
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

Dr. Stephen Henson
On Wed, Mar 15, 2006, michael Dorrian wrote:

> First of all thank you for your reply.  I read one of your previous replies
> to the following post and this seems to be what i need.
> http://www.mail-archive.com/openssl-users@.../msg20673.html X509_AUX
> is a "trusted certificate" format "With PEM_read_bio_X509_AUX if the
> certificate is trusted then the extra data will be included."
>    
>   This returns an X509_AUX structure and i think its this auxilliary
>   information that i need to decide whether the certificate is from a
>   trusted authority or not. I don't know how to extract this information
>   though. At the moment i get my X509 structure using
>   SSL_get_peer_certificate(). I need to use this in order to get the server
>   certificate. Then i extract the information held within this certificate
>   using X509_NAME_print_ex() following your previous advice. How would i go
>   about getting this extra information that i need.
>  

Not that isn't what you need. That is something else entirely. It is analagous
to the browser trust settings which restrict the purposes a CA can be used
for. By definition the CA has to be trusted before those are set.

Back to your original query. A browser doesn't do anything magic to determine
if a certifcate comes from a trusted CA. It contains a list of trusted root CAs
internally and checks against those. OpenSSL does the same thing except it
doesn't come with a pre-loaded set of trusted CAs you have to set them
yourself.

If you don't want to load them from a file you can use the SSL_CTX_get_store()
and X509_STORE_add_cert() as I indicated.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

michael Dorrian
So if what you are saying is true then i could call myself the same name as a trusted CA authority when making my root CA and the browser will think i am a trusted CA. Is that correct?.  It seems too simple to be true.....

"Dr. Stephen Henson" <[hidden email]> wrote:
On Wed, Mar 15, 2006, michael Dorrian wrote:

> First of all thank you for your reply. I read one of your previous replies
> to the following post and this seems to be what i need.
> http://www.mail-archive.com/[hidden email]/msg20673.html X509_AUX
> is a "trusted certificate" format "With PEM_read_bio_X509_AUX if the
> certificate is trusted then the extra data will be included."
>
> This returns an X509_AUX structure and i think its this auxilliary
> information that i need to decide whether the certificate is from a
> trusted authority or not. I don't know how to extract this information
> though. At the moment i get my X509 structure using
> SSL_get_peer_certificate(). I need to use this in order to get the server
> certificate. Then i extract the information held within this certificate
> using X509_NAME_print_ex() following your previous advice. How would i go
> about getting this extra information that i need.
>

Not that isn't what you need. That is something else entirely. It is analagous
to the browser trust settings which restrict the purposes a CA can be used
for. By definition the CA has to be trusted before those are set.

Back to your original query. A browser doesn't do anything magic to determine
if a certifcate comes from a trusted CA. It contains a list of trusted root CAs
internally and checks against those. OpenSSL does the same thing except it
doesn't come with a pre-loaded set of trusted CAs you have to set them
yourself.

If you don't want to load them from a file you can use the SSL_CTX_get_store()
and X509_STORE_add_cert() as I indicated.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze.
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

Jorey Bump
michael Dorrian wrote:
> So if what you are saying is true then i could call myself the same name
> as a trusted CA authority when making my root CA and the browser will
> think i am a trusted CA. Is that correct?.  It seems too simple to be
> true.....

1. If you forge a root CA certificate...
2. ...and install it in a user's browser...
3. ...and control the DNS to divert the browser...
4. ...to a forged web site running on an IP you control...

...then the browser probably won't complain. Trivial for a
well-positioned admin or support technician, but not exactly simple.
This technique could be used to harvest passwords, so a site should
think very carefully about the ramifications of installing root CA
certificates in browsers to support self-signed certificates.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Verifying certificate was signed by a trusted Authority

JoelKatz
In reply to this post by michael Dorrian


> So if what you are saying is true then i could call
> myself the same name as a trusted CA authority when
> making my root CA and the browser will think i am a
> trusted CA. Is that correct?.  It seems too simple to be true.....

        No. CAs are not identified by name but by key. That's the whole purpose of
a certificate -- to associate a name with a particular key.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verifying certificate was signed by a trusted Authority

Kyle Hamilton
...except that it's not.

A later certificate (w/ different public key) with the same CN can
issue revocations against an earlier certificate with the same CN, per
X.509.  That's part of the problem with the entire X.509 model in the
first place.

On 3/15/06, David Schwartz <[hidden email]> wrote:

>
>
> > So if what you are saying is true then i could call
> > myself the same name as a trusted CA authority when
> > making my root CA and the browser will think i am a
> > trusted CA. Is that correct?.  It seems too simple to be true.....
>
>         No. CAs are not identified by name but by key. That's the whole purpose of
> a certificate -- to associate a name with a particular key.
>
>         DS
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Verifying certificate was signed by a trusted Authority

JoelKatz


> ...except that it's not.
>
> A later certificate (w/ different public key) with the same CN can
> issue revocations against an earlier certificate with the same CN, per
> X.509.  That's part of the problem with the entire X.509 model in the
> first place.

        Is this so without the newer certificate being explicitly selected as
trusted? That would be a serious flaw and it's hard for me to believe that
could be. Do you have a reference?

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Verifying certificate was signed by a trusted Authority

michael Dorrian
I think David may have a point here. On the client side you have a list of CA's you trust so therefore other CA's will not be accepted. It is a big problem that you can revoke other Certs with the same CN though.

David Schwartz <[hidden email]> wrote:


> ...except that it's not.
>
> A later certificate (w/ different public key) with the same CN can
> issue revocations against an earlier certificate with the same CN, per
> X.509. That's part of the problem with the entire X.509 model in the
> first place.

Is this so without the newer certificate being explicitly selected as
trusted? That would be a serious flaw and it's hard for me to believe that
could be. Do you have a reference?

DS


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Yahoo! Mail
Use Photomail to share photos without annoying attachments.
Reply | Threaded
Open this post in threaded view
|

RE: Verifying certificate was signed by a trusted Authority

michael Dorrian
In reply to this post by JoelKatz
I think David may have a point here. On the client side you have a list of CA's you trust so therefore other CA's will not be accepted. It is a big problem that you can revoke other Certs with the same CN though.

David Schwartz <[hidden email]> wrote:


> ...except that it's not.
>
> A later certificate (w/ different public key) with the same CN can
> issue revocations against an earlier certificate with the same CN, per
> X.509. That's part of the problem with the entire X.509 model in the
> first place.

Is this so without the newer certificate being explicitly selected as
trusted? That would be a serious flaw and it's hard for me to believe that
could be. Do you have a reference?

DS


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze.
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] Re: Verifying certificate was signed by a trusted Authority

Erwann ABALEA
In reply to this post by Kyle Hamilton
Hodie post. Id. Mar. MMVI est, Kyle Hamilton scripsit:
> ...except that it's not.
>
> A later certificate (w/ different public key) with the same CN can
> issue revocations against an earlier certificate with the same CN, per
> X.509.  That's part of the problem with the entire X.509 model in the
> first place.

There's no problem with the X.509 model.

You're right that a certificate signed by a CA can be revoked by
another CA which has the same exact DN (not CN). The reason is simple:
the X.509 standard states that a CA is designated by its name, not by
its certificate (or public key). That has 2 advantages:
 - a CA can have different keys for certificate signing and CRL
   signing,
 - a CA can be renewed without invalidating all the previous
   certificates, and still take them under its "control".

But what you're trying to say (that Mr Bad could create a certificate
with the same DN as a valid CA, and revoke certs emitted by this CA
without other intervention) is simply false. You *must* tell the
software to trust this certificate, there's no way for this to be
automatic (except in the SET scheme, but that's not the point here).

> On 3/15/06, David Schwartz <[hidden email]> wrote:
> >
> >
> > > So if what you are saying is true then i could call
> > > myself the same name as a trusted CA authority when
> > > making my root CA and the browser will think i am a
> > > trusted CA. Is that correct?.  It seems too simple to be true.....
> >
> >         No. CAs are not identified by name but by key. That's the whole purpose of
> > a certificate -- to associate a name with a particular key.

--
Erwann ABALEA <[hidden email]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] Re: Verifying certificate was signed by a trusted Authority

Kyle Hamilton
On 3/17/06, Erwann ABALEA <[hidden email]> wrote:

> Hodie post. Id. Mar. MMVI est, Kyle Hamilton scripsit:
>
> There's no problem with the X.509 model.
>
> You're right that a certificate signed by a CA can be revoked by
> another CA which has the same exact DN (not CN). The reason is simple:
> the X.509 standard states that a CA is designated by its name, not by
> its certificate (or public key). That has 2 advantages:
>  - a CA can have different keys for certificate signing and CRL
>    signing,

I believe X.509v3 created an explicit extension for a second
certificate with the same DN that the actual root certificate signed,
for CRL signing.  X.509 itself (X.509v1) didn't have 'extensions', as
can be seen with the original Verisign v1 root certificates.

>  - a CA can be renewed without invalidating all the previous
>    certificates, and still take them under its "control".

A CA can be renewed with rekey, specifically.  But as you point out,
there's no automatic way to get this to work -- though the
"identification by name" concept has a problem, as shown below...

> But what you're trying to say (that Mr Bad could create a certificate
> with the same DN as a valid CA, and revoke certs emitted by this CA
> without other intervention) is simply false. You *must* tell the
> software to trust this certificate, there's no way for this to be
> automatic (except in the SET scheme, but that's not the point here).

Actually, Thunderbird/NSS (which used the same cert store as Firefox
-- it may still, but this was back in the pre-1.0 days) got hit with a
DOS related to this, as I mentioned in a prior mail on this list a
month or so ago.  A new CA certificate with the same DN was sent out
in the certificate chain for an email, and it didn't match the current
one, so the user gets prompted, and (obviously) chooses not to accept
it.  This caused the 'new' CA certificate to be placed in the
"untrusted" store.

After that, anything presented to NSS that was signed by the real CA
in question (since it was identified by DN, not by DN,pubkeyhash
tuple) was then rejected, because the DN was first checked against the
untrusted store (explicit distrust) and then against the trusted store
(in this case, implicit trust from the builtin object token) before
any cryptographic operations took place.

Which is, again, a problem with the X.509 model.  X.509v3 is an
attempt to work around some of these functional issues, without fixing
all of them.

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]