question about certificate verify


question about certificate verify

forston_shi@trendmicro.com

Hi OpenSSL team,

I have a question about certificate verification.

We check a sub-certificate with a lot of root certificates.

We don't want to check the sub-certificate's expiry time, but we want to get an error when the root certificate has expired.

I tried to verify it with the following options:

  X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
  X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);

  iret = X509_verify_cert(xstore_ctx);

But this also ignores the root certificate's expiry.

So, can you give me some suggestions for my question?

Best regards

Forston Shi (RD-CN)


Re: question about certificate verify

Viktor Dukhovni
> On Aug 26, 2019, at 5:24 AM, [hidden email] wrote:
>
> We check a sub-certificate with a lot of root certificates.
> We don't want to check the sub-certificate's expiry time, but we want to get an error when the root certificate has expired.
>
> I tried to verify it with the following options:
>   X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
>   X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);
>
>   iret = X509_verify_cert(xstore_ctx);
>
> But this also ignores the root certificate's expiry.
>
> So, can you give me some suggestions for my question?

To ignore expiration of only the leaf certificate, you
need a verification callback that checks the error
reason at depth 0 and if it is expiration, returns
"ok = 1" anyway.

--
        Viktor.


Re: question about certificate verify

Blumenthal, Uri - 0553 - MITLL
Is there a potential problem - if a certificate has multiple issues, such as bad signature and certificate expired? Would all of these conditions be reported, or only the first one detected?

Regards,
Uri

On Aug 26, 2019, at 10:11, Viktor Dukhovni <[hidden email]> wrote:

>> On Aug 26, 2019, at 5:24 AM, [hidden email] wrote:
>>
>> We check a sub-certificate with a lot of root certificates.
>> We don't want to check the sub-certificate's expiry time, but we want to get an error when the root certificate has expired.
>>
>> I tried to verify it with the following options:
>>  X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
>>  X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);
>>
>>  iret = X509_verify_cert(xstore_ctx);
>>
>> But this also ignores the root certificate's expiry.
>>
>> So, can you give me some suggestions for my question?
>
> To ignore expiration of only the leaf certificate, you
> need a verification callback that checks the error
> reason at depth 0 and if it is expiration, returns
> "ok = 1" anyway.
>
> --
>    Viktor.
>


Re: question about certificate verify

Viktor Dukhovni
On Mon, Aug 26, 2019 at 02:39:40PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> > To ignore expiration of only the leaf certificate, you
> > need a verification callback that checks the error
> > reason at depth 0 and if it is expiration, returns
> > "ok = 1" anyway.
>
> Is there a potential problem - if a certificate has multiple issues, such
> as bad signature and certificate expired? Would all of these conditions
> be reported, or only the first one detected?

The verification callback is called separately for each error
condition (and at least once on success if no errors are seen).

It is therefore possible to ignore *just* the expiration of a
particular chain element without ignoring other errors.

--
        Viktor.