[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [iaik-ssl] ChainVerifier and VeriSign

To work around the problem you could subclass the ChainVerifier class and
override the verifyChain() method to the following:

public boolean verifyChain(X509Certificate[] certs, SSLTransport transport)
 if( certs == null ) {
   return super.verifyChain(certs, transport);
 // "cross certificate handling"
 if( trustedCerts.size() != 0 ) {
  for( int i=0; i<certs.length; i++ ) {
   X509Certificate newCert =
   if( newCert != null ) {
    certs[i] = newCert;
 return super.verifyChain(certs, transport);

It replaces certificates in a chain to be verified with trusted certificates
that have the same subject (if available). This is a very elementary and
limited form of handling cross certificates. Now, if you add the new
Verisign root as a trusted certificate the chain will be verified ok whether
the old or the new certificate is sent by a server.

This change works as long as all certificates have unique subjects (which
they should have). It does not create a security problem because
modifications to the public key of the CA certificate would be detected when
verifying the signature of the subordinate certificate causing the chain to
be rejected.


 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.at

----- Original Message -----
From: "Marten Larsson-Trolin" <marten@mail.ru>
To: <iaik-ssl@iaik.at>
Sent: Thursday, December 28, 2000 6:00 PM
Subject: [iaik-ssl] ChainVerifier and VeriSign

> I have a problem when using the ChainVerifier and VeriSign root
certificates. The VeriSign root certificate expired Dec 31 1999, but is
still being used to sign server certificates. Meanwhile, VeriSign has issued
a new root certificate, but it has the same Principal field as the old one.
> The ChainVerifier (iaik.security.ssl.ChainVerifier) keeps a hashtable
which maps Principal to certificates. Since both VeriSign root certificates
have the same Principal, only one of them can be in the ChainVerfier's list
of trusted certificates.
> Since the old one is still being used, but I guess the intention is to
start using the new one, I would like to have both these root certificates
as trusted. Is there a nice way to accomplish this, or maybe I am missing
something obvious here?