Closed jgrateron closed 3 years ago
Hello, can you please share the file signer.p12? I did tests and it worked correctly. Thanks.
The only important restriction is that the CA must have this extension.
Ah, you're right, that is indeed the problem... No basic constraints extension. Thanks!
@jgrateron I am preparing the release of KSE 5.5.0 and think I have found a bug in the certificate validation feature:
I have a keystore "signer.p12" with three key pair entries. One self-signed "CA" and two end-entity certificates that were issued by the CA.
If I click on one of the EE certificates and select verify, then "only verify chain" and select the .p12 file as the CA keystore like this:
Then the result is negative:
I have found out so far that in VerifyCertificateAction in line 346 the truststore size is 0, but I don't know why.
if (trustStore.size() == 0) {
Could you take a look into this issue?
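The check discussed in this thread, as an added example that is not part of the original posts and is not KSE's code: it loads a PKCS#12 keystore and keeps only the certificates whose basic constraints extension marks them as a CA, so an empty result reproduces the "truststore size is 0" symptom. The class name `CaCandidates`, the method `caOnly`, and the assumption that verification considers only such certificates as trust anchors are illustrative; the keystore path and password are supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical names). Run: java CaCandidates.java signer.p12 <password>
public class CaCandidates {

    // Copies into a fresh in-memory store only the certificates that assert
    // cA=true in basicConstraints. Assumption: this mirrors the restriction
    // described in the thread; it is not taken from the KSE source.
    static KeyStore caOnly(KeyStore source) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // initialise an empty store
        for (String alias : Collections.list(source.aliases())) {
            Certificate c = source.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            // -1 means the extension is absent or cA=false; otherwise the value
            // is the path length limit (Integer.MAX_VALUE when unlimited).
            int pathLen = x.getBasicConstraints();
            boolean selfIssued =
                    x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            System.out.printf("%-20s selfIssued=%-5b basicConstraints=%s%n", alias,
                    selfIssued, pathLen == -1 ? "absent or cA=false" : "cA=true");
            if (pathLen != -1) {
                trust.setCertificateEntry(alias, x);
            }
        }
        return trust;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        KeyStore trust = caOnly(ks);
        if (trust.size() == 0) {
            System.out.println("No certificate asserts cA=true: nothing qualifies as a CA.");
        } else {
            System.out.println(trust.size() + " CA certificate(s) available as trust anchors.");
        }
    }
}
```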