GoDaddy parent.verify(child) return false #105

Closed
yandrey opened this issue Mar 2, 2014 · 3 comments

yandrey commented Mar 2, 2014

Checking the verify method of a certificate, I took the first 2 certificates from the GoDaddy certificate chain, and the parent.verify(child) method returns 'false'. Is that the correct behavior?

At the same time:
openssl verify -verbose ./parent.pem ./child.pem
./child.pem: OK
./parent.pem: ......... unable to get local issuer certificate (not important as this is only the second from the chain) ....

JS example:

var godaddyChildPem = '-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----';

var godaddyParentPem = '-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----';

var cert = forge.pki.certificateFromPem(godaddyChildPem);
var parent = forge.pki.certificateFromPem(godaddyParentPem);

var r = parent.verify(cert);

console.log('verify result = ' + r);

dlongley (Member) commented Mar 3, 2014

When I export the godaddy.com (child) certificate using chromium I get a different PEM than the one you've pasted (however, the parent is the same). I checked the certificate serial numbers and the child certificates match ... so I'm not sure why your PEM is different. However, my PEM is verified properly by forge (the same code above using the PEM below returns true for the result).

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

dlongley (Member) commented Mar 3, 2014

I also tested with openssl. If you want to verify a certificate chain using openssl verify, you must pass the -CAfile option with the intermediate and CA files concatenated together:

openssl verify -verbose -CAfile intermediate-and-ca.pem child.pem

When you do this, the PEM you included above fails the test with a bad RSA signature. If you use the PEM I pasted above, it works. Forge produces the same result.
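
The `-CAfile` behaviour described in the comment above, reproduced on a constructed throwaway chain. This is an added example, not code from the thread or from the Forge project; it needs the `openssl` CLI, and the certificate names, the file names other than `intermediate-and-ca.pem`, and the helper functions are assumptions made for illustration.

```bash
#!/bin/sh
# Constructed throwaway chain (all names are examples): root -> intermediate -> child.

# issue NAME CN CA_FLAG [SIGNER]: write NAME.key and NAME.pem in the current
# directory; the certificate is self-signed when SIGNER is omitted.
issue() {
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -out "$1.csr" 2>/dev/null || return 1
  if [ -z "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# build_chain DIR: cd into DIR and create the real chain plus a "forged" child
# whose issuer name matches the intermediate but which was signed by another key.
build_chain() {
  cd "$1" || return 1
  issue root "Example Root" TRUE &&
  issue intermediate "Example Intermediate" TRUE root &&
  issue child "child.example" FALSE intermediate &&
  issue rogue "Example Intermediate" TRUE &&
  issue forged "child.example" FALSE rogue &&
  cat intermediate.pem root.pem > intermediate-and-ca.pem
}

# verifies CAFILE CERT: true only when openssl prints "CERT: OK".
verifies() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

report() {
  if verifies "$1" "$2"; then echo "-CAfile $1 $2: OK"
  else echo "-CAfile $1 $2: FAILED"; fi
}

(
  dir=$(mktemp -d) && build_chain "$dir" || exit 1
  report root.pem child.pem                  # intermediate missing from -CAfile
  report intermediate-and-ca.pem child.pem   # intermediate and CA concatenated
  report intermediate-and-ca.pem forged.pem  # child not signed by the intermediate's key
  rm -rf "$dir"
)
```

`verifies` matches on the `: OK` line instead of the exit status so that the result does not depend on how a given OpenSSL release sets its return code.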

yandrey (Author) commented Mar 3, 2014

Indeed. This is not about Forge.
Thanks.

@yandrey yandrey closed this as completed Mar 3, 2014