verification of certificate chain

user371

Apr 4, 2017, 4:26:53 PM
Hey everyone,
I am trying to write code which receives a pcap file as input and returns the invalid certificates from it.
I have parsed the certificate chains, and I'm trying to verify them.
Because I get the certificate chains out of a pcap, the chain lengths are not constant (sometimes they include only one certificate, which is self-signed (and valid)).
Let cert0.pem be the server's certificate and certk.pem the root CA's certificate.
According to my research online, I'm trying to verify the certificate as follows:
1. Create a file certs.pem which contains the certificate chain in the order: certk.pem, certk-1.pem, ... cert0.pem
2. Use the command (ca.pem is a file containing root certificates):
openssl verify -CAfile ca.pem certs.pem

But sometimes the verification goes wrong even for valid certificates, as in the following output:

C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
error 20 at 0 depth lookup: unable to get local issuer certificate
error certs.pem: verification failed

Please help me: how can I verify the certificate chain?
Additionally, is there a way to add host name verification in the same line? (I have tried to add "-verify_hostname name" but again, the output was unexpected.)
Thank you !!

Wesley Bunton

Apr 24, 2017, 9:53:56 AM
Hi! I've done something a bit similar to this, although not with pcap files.

In the past, I've worked with a situation where I receive, in my Java code, a certificate chain which ends up being either a single cert, or 2, 3, etc.

In my case, I would get the certs in the proper order, so I could always know that chain[0] was the end-user cert; then, based on the length of the chain, I could guess the others:

If the length was 2, then chain[1] was the CA.
If the length was 3, then chain[1] is the intermediary CA and chain[2] is the root CA.

I understand that you may not be getting the certs in the proper order, and therefore I think (at least based on Java data types) you could use:
cert.verify(otherCert.getPublicKey())

So basically, you'd have to figure out some fancy logic to say:
I have 3 certs; let's take the first one and verify it using the other two's public keys. If one of those verifies it, then you can begin some sorting logic, knowing that the successful verifier is above it within the proper chain order.

I hope that makes sense. Also, I stuck with Java references, since that's where I was working on this similar task, but you didn't mention what type of language/environment you're using.
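An added example, not code from either post, that does in POSIX shell what both posts are getting at. It builds a throwaway three-certificate chain with the openssl CLI (the names Test Root, Test Intermediate and www.example.test are constructed for the demo), then shows the difference between handing `openssl verify` a concatenated bundle as the subject (the first post's step 1 and 2) and the invocation that actually checks the leaf: trust anchors via -CAfile, intermediates via -untrusted, only the end-entity certificate as the subject, and the hostname via -verify_hostname. The last part recovers the order of a shuffled bundle by checking which certificate's key validates which, the approach the Java reply describes. It assumes an OpenSSL 1.1 or newer binary on PATH; the function names make_cert, verify_bundle_like_thread, verify_leaf, signed_by and order_chain are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread). Builds a constructed three-cert
# chain (Test Root -> Test Intermediate -> www.example.test) and shows:
#   1. why handing openssl verify a whole bundle as the subject misleads,
#   2. the invocation that checks the leaf through the intermediate up to the
#      root and also checks the hostname,
#   3. recovering chain order from a shuffled bundle by signature checks.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# make_cert <name> <subject> <extfile> [<issuer name>]: P-256 key plus cert,
# self-signed when no issuer is given, otherwise signed with <issuer>.key.
make_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    if [ -z "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
make_cert root '/CN=Test Root'         ca.ext
make_cert int  '/CN=Test Intermediate' ca.ext   root
make_cert leaf '/CN=www.example.test'  leaf.ext int

# The thread's invocation: the whole chain concatenated into one file and given
# as the subject. openssl verify reads only the FIRST certificate of a file
# argument, so the verdict says nothing about the other certificates in it.
verify_bundle_like_thread() {   # verify_bundle_like_thread <cafile> <cert>...
    ca=$1; shift
    cat "$@" > certs.pem
    openssl verify -CAfile "$ca" certs.pem >/dev/null 2>&1
}

# The intended check: trust anchors via -CAfile, intermediates via -untrusted,
# only the end-entity cert as the subject, hostname via -verify_hostname.
# Leaving out -untrusted reproduces "error 20 at 0 depth lookup: unable to get
# local issuer certificate": the issuer of the depth-0 cert was found nowhere.
verify_leaf() {   # verify_leaf <leaf.pem> <hostname> [-untrusted <chain.pem>]
    leaf=$1; host=$2; shift 2
    openssl verify -CAfile root.pem -verify_hostname "$host" "$@" "$leaf"
}

# signed_by <cert> <candidate issuer>: succeeds only if the candidate's key
# validates the certificate's signature. -partial_chain lets a non-self-signed
# certificate act as the trust anchor, so no further chain is needed.
signed_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# order_chain <bundle.pem>: print subjects leaf -> root, whatever order the
# bundle had. The leaf is the certificate that signed no other certificate;
# from there each step moves to the certificate that signed the current one.
order_chain() {
    rm -f part*.pem
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > ("part" n ".pem") }' "$1"
    leaf=""
    for c in part*.pem; do
        issues=0
        for d in part*.pem; do
            [ "$c" != "$d" ] && signed_by "$d" "$c" && issues=1
        done
        [ "$issues" -eq 0 ] && leaf=$c
    done
    cur=$leaf
    while [ -n "$cur" ]; do
        openssl x509 -in "$cur" -noout -subject
        nxt=""
        for d in part*.pem; do
            [ "$d" != "$cur" ] && signed_by "$cur" "$d" && nxt=$d
        done
        cur=$nxt
    done
    return 0
}

# Demo run. mixed.pem is a constructed shuffled bundle, as a pcap might yield.
cat int.pem leaf.pem root.pem > mixed.pem
echo "--- bundle as subject (only its first cert, the root, is checked):"
verify_bundle_like_thread root.pem root.pem leaf.pem && echo "reported OK"
echo "--- leaf without the intermediate:"
verify_leaf leaf.pem www.example.test || true
echo "--- leaf with -untrusted intermediate and hostname check:"
verify_leaf leaf.pem www.example.test -untrusted int.pem
echo "--- recovered order of mixed.pem:"
order_chain mixed.pem
```

The bundle-as-subject run reports OK for a file whose leaf was never examined (the intermediate is not even in it), which is why that method cannot be used to find invalid certificates. For a pcap-derived chain the sensible split is: everything the server sent except the first certificate goes to -untrusted, the first certificate is the subject, and -CAfile holds only roots you actually trust.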
