Categories:
Android (13)
Apple Mac (27)
DH Keys (39)
DSA Keys (70)
EC Keys (976)
Firefox (30)
General (10)
Google Chrome (25)
Intermediate CA (152)
Java VM (29)
JDK Keytool (28)
Microsoft CertUtil (29)
Microsoft Edge (9)
Mozilla CertUtil (21)
OpenSSL (236)
Other (7)
Portecle (38)
Publishers (3313)
Revoked Certificates (16)
Root CA (85)
RSA Keys (2662)
Tools (46)
Tutorial (1)
What Is (22)
Windows (127)
Collections:
Other Resources:
OpenSSL Not Validate Signature in Self-Signed Certificate
Does OpenSSL "verify" command really validate the digital signature in a self-signed certificate?
✍: FYIcenter.com
No, OpenSSL "verify" command does not validate the digital signature
in a self-signed certificate.
In the following test, a CSR with an RSA public key was "self-signed" by the OpenSSL "req -x509" command with a DSA private key:
C:\Users\fyicenter>\local\openssl\openssl.exe OpenSSL> x509 -in rsa_dsa_test.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: f6:7d:11:23:20:b6:f1:77 Signature Algorithm: dsa_with_SHA256 Issuer: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc Validity Not Before: Aug 21 13:02:46 2016 GMT Not After : Sep 20 13:02:46 2016 GMT Subject: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (512 bit) Modulus: 00:f6:d5:d3:79:87:8d:9d:83:49:6f:fb:08:67:08: fb:0f:ab:b4:7f:51:55:7b:49:fa:e3:47:8e:6e:22: d7:ba:ad:dc:10:56:e9:b3:42:f7:25:20:9d:a5:e3: 5f:5e:7c:95:cb:5a:22:f3:8f:3d:e1:b2:0a:fa:15: c5:16:64:17:03 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB X509v3 Authority Key Identifier: keyid:99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB X509v3 Basic Constraints: CA:TRUE Signature Algorithm: dsa_with_SHA256 r: 1c:c1:8c:6a:0f:79:b6:68:33:ec:59:30:aa:e9:f1: 19:03:5a:c0:1f s: 00:91:d5:16:e3:8c:8f:71:57:0c:c8:e1:69:04:4a: d1:a5:62:b8:29:91 OpenSSL> verify -CAfile rsa_dsa_test.crt rsa_dsa_test.crt rsa_dsa_test.crt: OK OpenSSL> verify -trusted rsa_dsa_test.crt rsa_dsa_test.crt rsa_dsa_test.crt: OK
As you can see from the output, both "verify -CAfile" and "verify -trusted" commands passed the validation of the given "self-signed" certificate. Apparently, OpenSSL did not verify the signature with the public key in the certificate. If it did, validation would fail. The public key will never verify the signature, since the public key is using RSA algorithm and the signature is using DSA algorithm.
It looks like OpenSSL only checks to see if the "subject" matches "issuer" or not in the case of self-signed certificate validation.
⇒ OpenSSL "req -config" - Using Configuration File
2016-11-03, 1748👍, 0💬
Popular Posts:
Certificate summary - Owner: *.smzdm.com, Operations Department, "Beijing Zhidemai Information Techn...
What is ASN.1 OCTET STRING field type? How to specify OCTET STRING field type in OpenSSL "asn1parse"...
How to find the OCSP server URL of certificate's CA? I want to check the status of a certificate usi...
Certificate Summary: Subject: *.mail.yahoo.com Issuer: DigiCert High Assurance CA-3 Expiration: 2014...
What are distinguished names on certificates? I see "CN=..." on in many certificates. Distinguished ...