Validate certificate chain in PKCS#7 format

I've extracted a PKCS#7 structure in ASN.1 format, and I'd like to verify its certificate chain (meaning that each certificate was properly signed by the certificate above it, from root to leaf).

In OpenSSL, there's the following API:

    int PKCS7_verify(PKCS7 *p7,
                     STACK_OF(X509) *certs,
                     X509_STORE *store,
                     BIO *indata,
                     BIO *out,
                     int flags);

However, I don't have a trusted certificate store.

I have a separate function that validates the integrity of the root certificate, and that's enough for me.

Assuming that I already trust the root certificate, why do I need the certificate store structure in order to verify that the chain is properly signed?

Thanks

Tags: openssl, x509, pkcs#7, asn1

asked Nov 7 at 15:57 by Zohar81, edited Nov 7 at 23:01

  • Note X509_verify_cert, which PKCS7_verify calls (unless you set PKCS7_NOVERIFY, as Reinier noted), does fairly full chain validation, which is much more than just verifying each cert's signature by its parent. It also checks expiration, several extensions if present (especially BC and KU), and revocation if CRLs are provided (which is rare nowadays).
    – dave_thompson_085
    Nov 10 at 1:56

1 Answer (accepted)

The question is: why do I need the store in order to verify that the chain is properly signed?

You do not necessarily need a store parameter; you can set it to NULL and just verify the signature, not the entire chain of certificates. In that case, you should use the flag PKCS7_NOVERIFY, as explained in the manual for PKCS7_verify(). However, if you do want to verify the chain of certificates as well, you will somehow have to provide a mechanism to tell OpenSSL that you trust the root certificate, and X509_STORE is a way to achieve that.

However, I don't have a trusted certificate store.

From your question, it is not entirely clear what your situation is. But you do write that you have a separate function to "validate the integrity of the root certificate".

In that case, you can instantiate an X509_STORE object with X509_STORE_new() and add your trusted certificate to it. There is an example of that in the OpenSSL source code tree, in the setup_verify() function, which covers the case where the trusted certificate is available in a file. Or you could use X509_STORE_add_cert() if that fits your purpose better. After you have added that trusted certificate, you can use the store as a parameter to your PKCS7_verify() invocation.

answered Nov 7 at 22:40 by Reinier Torenbeek, edited Nov 10 at 1:39

  • Hi, and thanks for your precious help. Just to clarify, all I've got is the PKCS#7 structure in ASN.1 format, extracted from a PE file. The first stage is to verify the root certificate by hashing it and comparing the result to a predefined whitelist of certificate hashes. Then I'd like to make sure that all the certificates in the chain were properly signed by their upper-level certificate (except for the root, of course). So if I add the root certificate to the X509_STORE, that would be enough for PKCS7_verify to verify the entire chain, right?
    – Zohar81
    Nov 7 at 22:56

  • In order to get the OpenSSL PKCS7 * structure from the ASN.1 format, you need to use d2i_PKCS7_bio(), but you may have done that already. Apart from that: yes, if you trust that root certificate, you can add it to the X509_STORE, and that should be enough for PKCS7_verify() to verify the signature as well as the certificate chain up to your trusted certificate.
    – Reinier Torenbeek
    Nov 7 at 23:01

  • Thanks, you've confirmed my theory.
    – Zohar81
    Nov 7 at 23:04

  • My pleasure. However, the best way to get confirmation is to create a set of tests :-)
    – Reinier Torenbeek
    Nov 7 at 23:07

  • Hi, after I tried to validate my PKCS#7 with this method, I got the following error from ERR_print_errors_fp:
    140735569544136:error:21075075:lib(33):func(117):reason(117):pk7_smime.c:336:Verify error:unable to get local issuer certificate
    Any idea what it stands for? Thanks
    – Zohar81
    Nov 9 at 23:07
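
The quickest way to confirm the answer, and to see where the error in the last comment comes from, is the set of tests Reinier suggests. The script below is an added example; it is not code from the question, the answer or OpenSSL. It drives the same code path through the command line: `openssl smime -verify` loads -CAfile into an X509_STORE (the apps' setup_verify() function the answer points to) and passes that store to PKCS7_verify(), so each scenario reports exactly what the C call reports for the same store contents and flags. It generates a throwaway root, an unrelated root, an intermediate and two leaf certificates, signs a constructed payload into PKCS#7 SignedData, and then exercises the trust-anchor, PKCS7_NOVERIFY, missing-intermediate and certificate-purpose cases that the thread touches on. Assumed: an `openssl` binary (1.1.1 or 3.x) on PATH; every key, certificate, file name and payload here is made up for the test.

```shell
#!/bin/sh
# Added example; not code from the question, the answer or OpenSSL. It drives
# PKCS7_verify() through the CLI: `openssl smime -verify` loads -CAfile into an
# X509_STORE (the apps' setup_verify() the answer points to) and then calls
# PKCS7_verify(), so every outcome below is what the C call gives for the same
# store contents and flags. Assumes an `openssl` binary (1.1.1 or 3.x) on PATH;
# all keys, certificates and the payload are throwaway data generated here.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private req config so nothing depends on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash'
LEAF_EXT='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
subjectKeyIdentifier=hash'
CODESIGN_EXT="$LEAF_EXT
extendedKeyUsage=codeSigning"

# issue NAME CN EXTENSIONS [ISSUER]: fresh RSA key and certificate; self-signed when no ISSUER.
issue() {
    printf '%s\n' "$3" > "$WORK/$1.ext"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 || return 1
    if [ -z "${4:-}" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 -sha256 \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" -CAcreateserial \
            -days 30 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

# sign_p7 OUT SIGNER [extra sign options]: DER SignedData over the payload, content embedded.
sign_p7() {
    out=$1; signer=$2; shift 2
    openssl smime -sign -binary -nodetach -in "$WORK/payload.bin" -signer "$WORK/$signer.pem" \
        -inkey "$WORK/$signer.key" "$@" -outform DER -out "$WORK/$out" 2>/dev/null
}

# Root -> intermediate -> two leaves, an unrelated root, and three PKCS#7 blobs.
build_pki() {
    [ -f "$WORK/sig_codesign.p7s" ] && return 0
    issue root     'Test Root'         "$CA_EXT"            || return 1
    issue other    'Unrelated Root'    "$CA_EXT"            || return 1
    issue int      'Test Intermediate' "$CA_EXT"       root || return 1
    issue leaf     'Test Signer'       "$LEAF_EXT"     int  || return 1
    issue codesign 'Test Code Signer'  "$CODESIGN_EXT" int  || return 1
    cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root_and_int.pem"
    printf 'payload for the chain test\n' > "$WORK/payload.bin"
    sign_p7 sig_full.p7s     leaf     -certfile "$WORK/int.pem" || return 1  # leaf + intermediate
    sign_p7 sig_leafonly.p7s leaf                               || return 1  # leaf only
    sign_p7 sig_codesign.p7s codesign -certfile "$WORK/int.pem"              # codeSigning EKU
}

# The asker's first stage: the root's SHA-256 fingerprint must be on an allowlist.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }
root_is_allowed() {
    fp=$(cert_fingerprint "$1"); shift
    for ok in "$@"; do [ "$fp" = "$ok" ] && return 0; done
    return 1
}

# p7_verify P7 ANCHOR [extra verify options]: PKCS7_verify() with an X509_STORE
# holding ANCHOR, the default CA file and directory switched off. -noverify is
# the PKCS7_NOVERIFY flag; -purpose sets the store's X509_VERIFY_PARAM, as
# X509_STORE_set_purpose() does in C.
p7_verify() {
    p7=$1; anchor=$2; shift 2
    openssl smime -verify -binary -inform DER -in "$p7" -CAfile "$anchor" -no-CAfile -no-CApath \
        "$@" -out "$WORK/verified.bin" 2> "$WORK/verify.err"
}
last_verify_error()     { sed -n 's/.*Verify error: *//p' "$WORK/verify.err" | head -n 1; }
verify_error_mentions() { grep -q "$1" "$WORK/verify.err"; }
payload_recovered()     { [ "$(cat "$WORK/verified.bin")" = "$(cat "$WORK/payload.bin")" ]; }

main() {
    build_pki || { echo 'PKI setup failed' >&2; return 1; }
    allowlist=$(cert_fingerprint "$WORK/root.pem")   # stands in for the asker's list of root hashes
    root_is_allowed "$WORK/root.pem" "$allowlist" || return 1
    # 1. Store = the pinned root only; the intermediate is taken from the PKCS#7 itself.
    p7_verify "$WORK/sig_full.p7s" "$WORK/root.pem" && payload_recovered \
        && echo '1. chain verified up to the pinned root, payload recovered'
    # 2. Wrong anchor: the chain never reaches the store, so the intermediate has no issuer.
    p7_verify "$WORK/sig_full.p7s" "$WORK/other.pem" || echo "2. rejected: $(last_verify_error)"
    # 3. PKCS7_NOVERIFY: signature checked, chain not, so the wrong anchor no longer matters.
    p7_verify "$WORK/sig_full.p7s" "$WORK/other.pem" -noverify && echo '3. -noverify: signature only, accepted'
    # 4. PKCS#7 without the intermediate: same error, until the store can supply it.
    p7_verify "$WORK/sig_leafonly.p7s" "$WORK/root.pem" || echo "4a. rejected: $(last_verify_error)"
    p7_verify "$WORK/sig_leafonly.p7s" "$WORK/root_and_int.pem" && echo '4b. accepted with root and intermediate in the store'
    # 5. PKCS7_verify applies the S/MIME signing purpose; a codeSigning-only EKU fails unless it is widened.
    p7_verify "$WORK/sig_codesign.p7s" "$WORK/root.pem" || echo "5a. rejected: $(last_verify_error)"
    p7_verify "$WORK/sig_codesign.p7s" "$WORK/root.pem" -purpose any && echo '5b. accepted with -purpose any'
}
main
```

Reading the scenarios against the C API: -CAfile is the X509_STORE (X509_STORE_new() plus X509_STORE_add_cert() for the pinned root); -noverify is PKCS7_NOVERIFY; -certfile on the verify side is the certs argument, which PKCS7_verify() consults only to locate the signer's certificate and not to build the chain, which is why scenario 4 puts the missing intermediate into the store instead; and -purpose any is X509_STORE_set_purpose(store, X509_PURPOSE_ANY), needed because PKCS7_verify() applies the S/MIME signing purpose to its X509_STORE_CTX by default, so a leaf carrying only a codeSigning EKU (the usual case for a PE signature) is rejected as "unsupported certificate purpose" even when its chain is fine. The error in the last comment is scenario 2 or 4a: some certificate's issuer is neither inside the PKCS#7 nor in the store. Two things the script does not cover for the PE case: an Authenticode signature wraps a SpcIndirectDataContent payload rather than plain pkcs7-data, and comparing the PE image hash against that payload is a separate step.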















