[SSL Observatory] openssl patch: A way to display which root certificate in the browser an SSL certificate is rooted to

Walter Goulet wgoulet at gmail.com
Wed Jun 29 23:13:28 PDT 2011


Hi,

My perusal of the observatory data is that the acerts and vcerts tables
include the issuing cert and a flag indicating whether or not the given SSL
cert is in the Mozilla or Microsoft trusted root repositories. But, the
issuing cert is usually just an intermediate cert unless a misbehaving root
CA is directly signing SSL certs. What I really want to know is which
particular root cert in the Mozilla/Microsoft root repositories is vouching
for an SSL cert.

Currently, this doesn't appear to be possible because the openssl verify
command at the heart of the observatory scripts doesn't print out which root
CA in its CApath directory actually issued the cert. This patch modifies
the verify application so that when the 'verbose' flag is passed to the
verify command, the issuer of the self-signed certificate at the top of the
chain is printed. This patch applies to the latest 1.0.0d version of
OpenSSL. I feel pretty confident in this patch as I tested it against debug
printouts that I added to the raw X509_verify_cert function in x509_vfy.c.

To really make this patch useful, additional fields would have to be added
to the acerts/vcerts tables to store the root issuing cert name and the
python scripts would have to be re-run. I'll probably work on that over the
next few days myself, but anyone out there with an EC2 account who is
more handy with the data/scripts could probably apply this patch and make a
new snapshot of the data for us all to use.

And I really hope I didn't miss something obvious and this data is captured
somewhere else that I just plainly missed.

Thanks,
Walter

--- /home/wgoulet/Downloads/openssl-1.0.0d/apps/verify.c    2009-10-31
12:21:47.000000000 -0700
+++ verify.c    2011-06-29 22:47:33.127029311 -0700
@@ -257,6 +257,7 @@
     {
     X509 *x=NULL;
     int i=0,ret=0;
+    char buf[2048];
     X509_STORE_CTX *csc;

     x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
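Review bot: `buf` is declared here with a bare literal size that the next hunk repeats as a second literal 2048 in the `X509_NAME_oneline` call; pass `sizeof(buf)` at the call site or define the size once so the two cannot drift apart. Since the buffer is only used on the verbose path, it could also be declared inside that block rather than at function scope.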
@@ -280,6 +281,11 @@
     if (crls)
         X509_STORE_CTX_set0_crls(csc, crls);
     i=X509_verify_cert(csc);
+    X509_NAME_oneline(X509_get_issuer_name(csc->current_issuer),buf,2048);
+    if(v_verbose)
+        {
+        fprintf(stdout,"Trusted certificate at top of chain: issuer=
%s\n",buf);
+        }
     X509_STORE_CTX_free(csc);

     ret=0;
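Review bot: the `X509_NAME_oneline(X509_get_issuer_name(csc->current_issuer), ...)` call runs unconditionally, before the result `i` of `X509_verify_cert` is checked and before the `v_verbose` test; when verification fails before an issuer is found, `csc->current_issuer` can still be NULL and `X509_get_issuer_name(NULL)` will dereference it, so guard the whole block with `if (i > 0 && v_verbose)`. What is printed is also the issuer name of whatever certificate `current_issuer` last pointed at, not the subject of the top-of-chain certificate itself, so it names the root only when `current_issuer` happens to be the certificate directly below the root. A depth-independent form is to walk the verified chain instead: `STACK_OF(X509) *chain = X509_STORE_CTX_get_chain(csc);` then `X509 *top = sk_X509_value(chain, sk_X509_num(chain) - 1);` and print `X509_get_subject_name(top)` with `sizeof(buf)` as the length (this must stay before `X509_STORE_CTX_free`, which releases the chain). Note also that the `fprintf` format string is wrapped across two lines in the mail, so the hunk will not apply as pasted.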