"openssl verify" returning both error and "OK"?


Martin Kraemer
When testing a certificate for its allowed purposes, I found:

$ for purpose in sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper
> do
>   echo -n ${purpose}:
>   openssl-0.9.8 verify -verbose -CAfile ca_chain.txt -purpose $purpose my.pem
> done
sslclient:my.pem: OK
sslserver:my.pem: OK
nssslserver:my.pem: OK
smimesign:my.pem: OK
smimeencrypt:my.pem: OK
crlsign:my.pem: /C=GB/O=Defer Test/OU=basic/CN=Martin Kraemer/emailAddress=[hidden email]
error 26 at 0 depth lookup:unsupported certificate purpose
OK
any:my.pem: OK
ocsphelper:my.pem: OK

For the case of the "crlsign" purpose, shouldn't openssl die with
a "non-OK" error, instead of printing an error, but finally "OK"?

  Martin
--
<[hidden email]>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Re: "openssl verify" returning both error and "OK"?

Dr. Stephen Henson
On Tue, Jul 05, 2005, Martin Kraemer wrote:

> When testing a certificate for its allowed purposes, I found:
>
> $ for purpose in sslclient sslserver nssslserver smimesign smimeencrypt crlsign any ocsphelper
> > do
> >   echo -n ${purpose}:
> >   openssl-0.9.8 verify -verbose -CAfile ca_chain.txt -purpose $purpose my.pem
> > done
> sslclient:my.pem: OK
> sslserver:my.pem: OK
> nssslserver:my.pem: OK
> smimesign:my.pem: OK
> smimeencrypt:my.pem: OK
> crlsign:my.pem: /C=GB/O=Defer Test/OU=basic/CN=Martin Kraemer/emailAddress=[hidden email]
> error 26 at 0 depth lookup:unsupported certificate purpose
> OK
> any:my.pem: OK
> ocsphelper:my.pem: OK
>
> For the case of the "crlsign" purpose, shouldn't openssl die with
> a "non-OK" error, instead of printing an error, but finally "OK"?
>

The 'verify' utility includes a callback which, after printing out the code,
overrides all errors.

This is for debugging purposes so that all the errors a certificate chain would
produce can be printed out rather than halting on the first one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
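Because the 0.9.8 utility prints the error lines and still finishes with "OK", anything that scripts a loop like Martin's must take its verdict from the error lines rather than from the final "OK". The parser below is an added example (not part of this thread and not OpenSSL code) for output in exactly the shape quoted above; the sample text is constructed from that loop, with the e-mail address replaced by a placeholder.

```python
import re

# Constructed sample in the shape of the loop output quoted in the thread;
# the e-mail address is a placeholder, not the original value.
SAMPLE_OUTPUT = """\
sslclient:my.pem: OK
sslserver:my.pem: OK
crlsign:my.pem: /C=GB/O=Defer Test/OU=basic/CN=Martin Kraemer/emailAddress=user@example.invalid
error 26 at 0 depth lookup:unsupported certificate purpose
OK
any:my.pem: OK
"""

# "<purpose>:<file>: OK" or "<purpose>:<file>: <subject of the failing cert>"
# (the purpose prefix comes from the `echo -n ${purpose}:` in the loop).
RESULT_RE = re.compile(r"^(?P<purpose>\w+):(?P<file>[^:]+): (?P<rest>.*)$")
# Error lines printed by the verify callback before it overrides the error.
ERROR_RE = re.compile(r"^error (?P<code>\d+) at (?P<depth>\d+) depth lookup:(?P<msg>.*)$")


def parse_verify_loop(output):
    """Map each purpose to its file, the error lines seen, and whether an OK was printed."""
    results = {}
    current = None
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if m:
            current = m.group("purpose")
            results[current] = {"file": m.group("file"), "errors": [],
                                "printed_ok": m.group("rest").strip() == "OK"}
            continue
        if current is None:
            continue  # stray text before the first purpose line
        e = ERROR_RE.match(line)
        if e:
            results[current]["errors"].append(
                (int(e.group("code")), int(e.group("depth")), e.group("msg").strip()))
        elif line.strip() == "OK":
            results[current]["printed_ok"] = True  # the trailing OK after error lines
    return results


def valid_for_purpose(results, purpose):
    """A purpose counts as valid only when OK was printed AND no error line preceded it."""
    r = results[purpose]
    return r["printed_ok"] and not r["errors"]


def check_sample():
    """Verdict per purpose for the constructed sample."""
    results = parse_verify_loop(SAMPLE_OUTPUT)
    return {p: valid_for_purpose(results, p) for p in results}
```

For the crlsign entry the parser records both the trailing "OK" and error 26, so the verdict is a failure even though the utility ended with "OK".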