Certificate chain with intermediate cert not verified correctly #303
Comments
@klanchman I believe you're right - I've faced the same problem, and as far as I understand the solution should be the one you pointed out - split out leaf and rest of the chain and invoke
Thanks for opening a PR to fix this! I didn't get around to it when I opened the issue and eventually forgot entirely 😞
I think this is fixed now.
Just curious, if there is an ETA on when this fix will get published?
Release of v1.14.5 is done via 7afa182! Thank you for your contribution and bug report!
I'm trying to verify a certificate chain with a root CA cert, an intermediate, and a leaf. The leaf and intermediate are given to me in a payload I need to verify; the root cert is one that I know and trust ahead of time.
Based on API Documentation
Based on the API documentation & source code, I'd expect to be able to do this:
However, the result of this is always false, even if the chain is valid.
Based on Tests
The tests imply I should do this instead:
However, there are two issues with this:
You can verify the behavior described in number 2 by passing an expired or otherwise invalid leaf cert. You'd expect the chain to come back as invalid, but it comes back as valid. (You can also omit the intermediate cert from the CA cert array and see the same result.)
Possible Solution
I think the ultimate issue is the openssl command being executed. To verify a chain of certs containing intermediate cert(s), I think the command needs to take this form:
where rootCert.pem has any trusted root certs, intermediateCerts.pem contains all untrusted intermediate certs, and leafCert.pem is the single leaf you want to verify.
When I use this form, invalid leaf certs are correctly rejected, and I am no longer implicitly trusting the intermediate cert(s).