[gnutls-devel] A certificate is verified by Gnutls but rejected by OpenSSL/PolarSSL

[陈雨亭]

Hi, Nikos, I have tried it. I splitted file.pem into file0.pem and 
file1.pem.
I used openssl/polarssl to verify file0.pem against file1.pem, and they 
still
report error messages (unable to get issuer certificate/not signed by a
trusted CA).

I checked the modifications I have made: I tried to delete the "name" field
from the subject of file1.pem (I'm not so sure why I did it like this at 
that time. Does
a subject of an X509 certificate contain the field?). But it may cause some
problems and make the other two tools cannot find the issuer of file0.pem.



-----Original Message----- 
From: Nikos Mavrogiannopoulos
Sent: Thursday, April 02, 2015 2:07 PM
To: Yuting Chen
Cc: GnuTLS development list
Subject: Re: [gnutls-devel] A certificate is verified by Gnutls but rejected 
by OpenSSL/PolarSSL

On Thu, 2015-04-02 at 10:00 -0700, Yuting Chen wrote:


> (2) Openssl:
> 140637590406816:error:04091077:rsa routines:INT_RSA_VERIFY:wrong
> signature length:rsa_sign.c:175:
> 140637590406816:error:0D0C5006:asn1 encoding
> routines:ASN1_item_verify:EVP lib:a_verify.c:221:
> ZZZZZZZZZZZZZComodo_Secure_Services_root.pem: C = US, O = "VeriSign,
> Inc.", OU = Class 4 Public Primary Certification Authority - G2, OU =
> "(c) 1998 VeriSign, Inc. - For authorized use only", OU = VeriSign
> Trust Network
> error 7 at 0 depth lookup:certificate signature failure

In the file.pem you have 2 certificates (a chain), and the fa_rootCA is
another one. If you try openssl on each two of them (i.e., split the
file.pem) you'll get an OK. Are you sure that openssl verify can accept
a chain?

regards,
Nikos