x509 v1 certificate

ARIGA Seiji ariga at os.rim.or.jp
Sun Sep 17 04:44:38 CEST 2006


hi, all.
i'm using gpgsm 1.9.20, libgpg-error 1.3, libksba 1.0.0, libgcrypt 1.2.2_1.

does gpgsm (or libksba) support x509 v1 certificates?

if not, i want it to be supported very much because there are many
certs having VeriSign's v1 cert as their root cert.

// ARIGA Seiji




[background]

when i tried to verify email, gpgsm says,

----
>gpgsm --verify email.sig email
gpgsm: Signature made 2006-08-28 22:00:38 using certificate ID 30BFD581
gpgsm: invalid certification chain: No value
----

so, i tried the debug option as follows,

----
>gpgsm --verify email.sig email --debug-no-chain-validation
gpgsm: Signature made 2006-08-28 22:00:38 using certificate ID 30BFD581
gpgsm: WARNING: bypassing certificate chain validation
gpgsm: Good signature from "/CN=SUMITOMO MITSUI BANKING CORPORATION/OU=Class 3 Organizational E-Mail Certificate/OU=Terms of use at https:\x2f\x2fwww.verisign.com\x2frpa (c)05/OU=Mass Retail Dept.,Consumer Banking Unit/O=SUMITOMO MITSUI BANKING CORPORATION/L=Chiyoda-ku/ST=Tokyo/C=JP/EMail=SMBC_service at dn.smbc.co.jp"
gpgsm:                 aka "SMBC_service at dn.smbc.co.jp"
----

then, i thought the signature itself is correct but there is something
wrong in the chained certificates. after looking through the code for
a while, i came to think gpgsm/libksba doesn't support x509 v1 certs,
which don't have x509 extensions (and that's what "No value" says).


here is an excerpt from "openssl pkcs7 -inform der -in email.sig -text
-print_certs".

----
Version: 3 (0x2)
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Organizational CA
Subject: C=JP, ST=Tokyo, L=Chiyoda-ku, O=SUMITOMO MITSUI BANKING CORPORATION, OU=Mass Retail Dept.,Consumer Banking Unit, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=Class 3 Organizational E-Mail Certificate, CN=SUMITOMO MITSUI BANKING CORPORATION/emailAddress=SMBC_service at dn.smbc.co.jp
X509v3 extensions:
  X509v3 Basic Constraints: 
    CA:FALSE
  X509v3 Key Usage: 
    Digital Signature, Key Encipherment
----
Version: 3 (0x2)
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Organizational CA
X509v3 extensions:
  X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0
  X509v3 Key Usage: 
    Certificate Sign, CRL Sign
----
Version: 1 (0x0)
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
----
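Added example (not part of the original post or of gpgsm/libksba): a minimal DER walker in Python that reports, for each certificate in a chain, the X.509 version and the extension OIDs it carries. The structural point behind the "No value" error above is that a v1 certificate has neither the `[0]` version field nor the `[3]` extensions field, so a validator that expects Basic Constraints on every issuer finds nothing to read. RFC 5280 section 6.1.4 (k) makes the same point: a v1/v2 issuer's CA status must be confirmed out of band (i.e. it must be an explicitly configured trust anchor) or the certificate rejected. The sample chain below is a constructed skeleton with empty name and key fields, shaped like the leaf/intermediate/v1-root chain in the openssl output; it is not a real or valid certificate. The function names and the `SAMPLE_CHAIN` data are this example's own.

```python
# Added example, not code from the original post: inspect the outer DER
# structure of X.509 certificates to find v1 certificates without extensions.

BASIC_CONSTRAINTS_OID = "2.5.29.19"
KEY_USAGE_OID = "2.5.29.15"


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers do not occur in the X.509 outer layout")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER element")
    return tag, content, pos + length


def _children(content):
    """Split the content of a constructed element into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def _decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def inspect_certificate(der):
    """Return {'version': int, 'extensions': [oid, ...]} for one DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    parts = _children(cert)               # tbsCertificate, signatureAlgorithm, signatureValue
    if len(parts) != 3 or parts[0][0] != 0x30:
        raise ValueError("unexpected Certificate layout")
    tbs = _children(parts[0][1])
    version = 1                           # [0] absent => DEFAULT v1(0)
    if tbs and tbs[0][0] == 0xA0:         # [0] EXPLICIT Version INTEGER
        version = int.from_bytes(_children(tbs[0][1])[0][1], "big") + 1
    extensions = []
    for t, body in tbs:
        if t == 0xA3:                     # [3] EXPLICIT Extensions, only legal in v3
            for _ext_tag, ext in _children(_children(body)[0][1]):
                extensions.append(_decode_oid(_children(ext)[0][1]))
    return {"version": version, "extensions": extensions}


def chain_report(chain):
    """Inspect a leaf-first chain and flag issuers whose CA status cannot be
    read from the certificate itself (no Basic Constraints extension)."""
    report = []
    for i, der in enumerate(chain):
        info = inspect_certificate(der)
        info["role"] = "leaf" if i == 0 else "issuer"
        info["ca_status_in_cert"] = BASIC_CONSTRAINTS_OID in info["extensions"]
        info["needs_out_of_band_trust"] = i > 0 and not info["ca_status_in_cert"]
        report.append(info)
    return report


# --- constructed sample chain (structural skeletons, NOT valid certificates) ---

def _tlv(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _extension(oid_der):
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }; critical omitted
    return _tlv(0x30, _tlv(0x06, oid_der) + _tlv(0x04, b"\x30\x00"))


def _skeleton(version, ext_oids):
    empty = _tlv(0x30, b"")                               # placeholder name/alg/key
    t = _tlv(0x17, b"060828220038Z")                      # UTCTime placeholder
    tbs = _tlv(0xA0, _tlv(0x02, bytes([version - 1]))) if version > 1 else b""
    tbs += _tlv(0x02, b"\x01") + empty + empty + _tlv(0x30, t + t) + empty + empty
    if ext_oids:
        tbs += _tlv(0xA3, _tlv(0x30, b"".join(_extension(o) for o in ext_oids)))
    return _tlv(0x30, _tlv(0x30, tbs) + empty + _tlv(0x03, b"\x00"))


BC, KU = b"\x55\x1d\x13", b"\x55\x1d\x0f"                 # 2.5.29.19, 2.5.29.15
SAMPLE_CHAIN = [
    _skeleton(3, [BC, KU]),   # leaf: v3, basicConstraints + keyUsage
    _skeleton(3, [BC, KU]),   # intermediate CA: v3
    _skeleton(1, []),         # root: v1, no extensions at all
]

if __name__ == "__main__":
    for entry in chain_report(SAMPLE_CHAIN):
        print(entry)
```

`inspect_certificate` only looks at tags and lengths, so it works unchanged on real DER input (for example the bytes of a `.der` file, or a PEM certificate after base64 decoding); the placeholder fields exist only so the sample runs offline. In the report, the v1 root is the entry with `needs_out_of_band_trust` set: the certificate carries no statement that it is a CA, so the only sound way to accept it is as an explicitly configured trust anchor, never on the strength of the chain alone.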



More information about the Gnupg-devel mailing list