Openssl appears to ignore the 'critical' aspect of "extended key usage" attributes of x509 certificates. Unless an extension is marked as "critical" it is only advisory (RFC 2459). However, the x509 'check_purpose' routines appear to treat all these usage fields as critical and reject a certificate if the purposes mismatch - even though the purpose is only advisory. In particular, in x509v3_cache_extensions, at about line 300 of v3_purp.c, you ignore the 'crit' parameter of X509_get_ext_d2i.

I would like to occasionally use our server certificates to authenticate as a client, and according to RFC 2459 I should be able to do so. That part of the cert, from Thawte, looks like:

    X509v3 Extended Key Usage:
        TLS Web Server Authentication

It has no critical flag.

By including a check for the 'critical' flag in the call to X509_get_ext_d2i I can ignore those usage fields that are advisory only, and can in turn use my server certificate to authenticate as a client.

Am I reading RFC 2459 correctly? Is my analysis of that part of the code correct? Is there another reason openssl acts the way it does?

Jim Fox
University of Washington

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
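As an added example (not code from the poster or from OpenSSL), here is the distinction the post turns on, seen at the DER level: a minimal Python walker over one X.509 Extension that reports the EKU's critical flag the way the 'crit' out-parameter of X509_get_ext_d2i does, plus a check that rejects on purpose mismatch only when the extension is critical. The sample extension bytes are constructed here and are not from the poster's Thawte certificate; the OIDs are the standard EKU, serverAuth and clientAuth identifiers.

```python
# Added example, not the poster's code or OpenSSL's: a minimal DER walker for one
# X.509 Extension (RFC 2459 section 4.1: SEQUENCE { extnID OID, critical BOOLEAN
# DEFAULT FALSE, extnValue OCTET STRING }) that reads the EKU and its critical flag.
EKU_OID, SERVER_AUTH, CLIENT_AUTH = "2.5.29.37", "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"

# Constructed samples (not bytes from the poster's Thawte certificate): an EKU of
# {serverAuth} with the BOOLEAN absent, and the same EKU with critical=TRUE.
EKU_ADVISORY = bytes.fromhex("30130603551d25040c300a06082b06010505070301")
EKU_CRITICAL = bytes.fromhex("30160603551d250101ff040c300a06082b06010505070301")

def _tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    """Decode a BER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_extension(der):
    """Return (extnID, critical, [purpose OIDs]). An absent BOOLEAN means critical=False,
    the value OpenSSL hands back in the 'crit' out-parameter of X509_get_ext_d2i."""
    _, body, _ = _tlv(der, 0)
    tag, value, pos = _tlv(body, 0)
    ext_id, critical = _oid(value), False
    tag, value, pos = _tlv(body, pos)
    if tag == 0x01:                          # optional BOOLEAN is present
        critical, (tag, value, pos) = value != b"\x00", _tlv(body, pos)
    purposes = []
    if ext_id == EKU_OID:                    # extnValue wraps SEQUENCE OF KeyPurposeId
        _, seq, _ = _tlv(value, 0)
        p = 0
        while p < len(seq):
            _, v, p = _tlv(seq, p)
            purposes.append(_oid(v))
    return ext_id, critical, purposes

def usable_for(der, purpose):
    """The poster's proposed check: a purpose mismatch rejects the certificate
    only when the EKU is critical; a non-critical EKU is advisory (RFC 2459)."""
    ext_id, critical, purposes = parse_extension(der)
    return ext_id != EKU_OID or purpose in purposes or not critical
```

With the advisory sample, usable_for(EKU_ADVISORY, CLIENT_AUTH) is True, which is the behaviour the poster wants; the critical sample is rejected for clientAuth and accepted for serverAuth.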