[gnutls-devel] A certificate is verified by Gnutls but rejected by OpenSSL/PolarSSL

Yuting Chen chenyt at cs.sjtu.edu.cn
Fri Apr 3 03:48:49 CEST 2015


Another very different example: when I verify file5.pem (the attached file)
against fa_rootCA_key_cert.pem, gnutls cannot find the issuer of the cert
in file5.pem, but openssl/polarssl can find the issuer and accept it. It is
a little tricky to find the issuer by comparing the "issuer" field of one
certificate with the "subject" field of the CA certificate.

On Thu, Apr 2, 2015 at 2:07 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org>
wrote:

> On Thu, 2015-04-02 at 10:00 -0700, Yuting Chen wrote:
>
>
> > (2) Openssl:
> > 140637590406816:error:04091077:rsa routines:INT_RSA_VERIFY:wrong
> > signature length:rsa_sign.c:175:
> > 140637590406816:error:0D0C5006:asn1 encoding
> > routines:ASN1_item_verify:EVP lib:a_verify.c:221:
> > ZZZZZZZZZZZZZComodo_Secure_Services_root.pem: C = US, O = "VeriSign,
> > Inc.", OU = Class 4 Public Primary Certification Authority - G2, OU =
> > "(c) 1998 VeriSign, Inc. - For authorized use only", OU = VeriSign
> > Trust Network
> > error 7 at 0 depth lookup:certificate signature failure
>
> In the file.pem you have 2 certificates (a chain), and the fa_rootCA is
> another one. If you try openssl on each two of them (i.e., split the
> file.pem) you'll get an OK. Are you sure that openssl verify can accept
> a chain?
>
> regards,
> Nikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file5.pem
Type: application/x-x509-ca-cert
Size: 1696 bytes
Desc: not available
URL: </pipermail/attachments/20150402/589d02dd/attachment.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fa_rootCA_key_cert.pem
Type: application/x-x509-ca-cert
Size: 1815 bytes
Desc: not available
URL: </pipermail/attachments/20150402/589d02dd/attachment-0001.crt>
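
The message above describes finding an issuer by comparing one certificate's "issuer" field with a CA certificate's "subject" field. The following is an added example, not part of the original message and not code from GnuTLS, OpenSSL or PolarSSL: it shows how a byte-exact comparison of the DER-encoded Names and a normalized comparison can select different issuers. The names, labels and the simplified normalization (string type ignored, case folded, whitespace collapsed) are assumptions made for illustration and are not taken from file5.pem or fa_rootCA_key_cert.pem.

```python
# Added example. All names are constructed; the normalization is simplified.
def tlv(tag, body):
    """DER-encode one element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def elements(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                 # long form: low 7 bits count the length bytes
            k = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

UTF8, PRINTABLE = 0x0C, 0x13                       # ASN.1 string type tags
OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"   # 2.5.4.10 (O), 2.5.4.3 (CN)

def name(attrs):
    """Build a DER Name from (oid, string_tag, text), one attribute per RDN."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode())))
        for oid, tag, text in attrs))

def normalized(der_name):
    """Name as a list of RDNs: string type dropped, case folded, spaces collapsed."""
    (_, rdns), = elements(der_name)
    return [sorted((oid, " ".join(raw.decode().split()).casefold())
                   for (_, oid), (_, raw) in (elements(atv) for _, atv in elements(rdn)))
            for _, rdn in elements(rdns)]

def find_issuer(cert_issuer, ca_subjects, exact=True):
    """Return labels of CA certificates whose subject matches cert_issuer."""
    key = bytes if exact else normalized
    return [label for label, subj in ca_subjects.items()
            if key(subj) == key(cert_issuer)]

# Constructed CA subjects and a leaf issuer that differs only in encoding details.
CA_SUBJECTS = {
    "root-a": name([(OID_O, PRINTABLE, "Example Org"), (OID_CN, PRINTABLE, "Example Root CA")]),
    "root-b": name([(OID_O, PRINTABLE, "Other Org"), (OID_CN, PRINTABLE, "Other Root CA")]),
}
LEAF_ISSUER = name([(OID_O, UTF8, "Example Org"), (OID_CN, UTF8, "example  root CA")])
```

A name match only selects a candidate issuer; the certificate's signature must still verify under that candidate's public key before the chain is accepted.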

