In message <[EMAIL PROTECTED]> on Tue, 15 Mar 2005 14:36:57 -0800, Matt Rodriguez <[EMAIL PROTECTED]> said:
MKRodriguez> I've been looking at the tests in the snapshots for 0.9.8. I
MKRodriguez> am trying to figure out what functionality regarding
MKRodriguez> proxy certificates has been implemented.

Most importantly:

- verification, as a change in the functions used by X509_verify_cert()
- parsing of proxy certificate extensions in a configuration file.
- implementation of internal ASN.1 structures for
  ProxyCertInfoExtensions and ProxyPolicy.

MKRodriguez> Here are 2 things that I am looking for:
MKRodriguez>
MKRodriguez> 1) I need to be able to do a handshake using proxy
MKRodriguez> certificates for client and server authentication.

If you don't care about the rights assigned with the policy
extensions, you can do it by just setting the certificate to use and
the whole chain properly. A "catch" is that the whole chain, CA root
cert, CA intermediate certs, EE cert and intermediate proxy certs are
viewed as the issuing chain, and should be part of whatever you use as
your CA certificate bundle.

If you need to care about the proxy policy rights and you're using
SSL, you should read docs/HOWTO/proxy_certificates.txt, which explains
how you should set up SSL verification callbacks to do that properly,
with an example and all.

MKRodriguez> 2) I need to be able to verify a proxy certificate, given
MKRodriguez> the certificate and certificate chain.

X509_verify_cert()

MKRodriguez> It looks like the testsslproxy does the tests the first
MKRodriguez> requirement, but not the second.

Maybe I misunderstand you, but I'm quite sure it does both.

MKRodriguez> Does anybody know if the functionality I want has been
MKRodriguez> implemented? What function calls will I have to make
MKRodriguez> to do this, or what files should I be looking in?

I know, since I implemented the stuff. I hope what I said above is
satisfactory. If not, I'm up for talking about it. Maybe I need to
document yet a bit better?
Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
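
Added example, not part of the original message or of OpenSSL's own test scripts: a throwaway CA, EE and proxy certificate are generated, the EE certificate is placed in the CA bundle as the reply describes, and the proxy is verified with and without proxy certificates being allowed. It assumes a current OpenSSL `openssl` command (with `verify -allow_proxy_certs`) rather than the 0.9.8 snapshot under discussion; all subjects, file names and the policy text are constructed.

```sh
#!/bin/sh
# Added example: every subject, file name and the policy text is constructed.
# Builds CA -> end-entity (EE) -> proxy certificate, then verifies the proxy.
make_chain() {   # $1 = empty working directory
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_ee ]
basicConstraints = CA:FALSE
[ v3_proxy ]
basicConstraints = CA:FALSE
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
EOF
  newkey="-newkey rsa:2048 -nodes -config $d/demo.cnf"
  {
    openssl req -x509 $newkey -extensions v3_ca -days 2 \
      -subj "/O=Example/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" &&
    openssl req -new $newkey -subj "/O=Example/CN=alice" \
      -keyout "$d/ee.key" -out "$d/ee.csr" &&
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions v3_ee \
      -out "$d/ee.pem" &&
    # A proxy's subject is its issuer's subject plus one extra CN; the EE signs it.
    openssl req -new $newkey -subj "/O=Example/CN=alice/CN=proxy" \
      -keyout "$d/proxy.key" -out "$d/proxy.csr" &&
    openssl x509 -req -in "$d/proxy.csr" -CA "$d/ee.pem" -CAkey "$d/ee.key" \
      -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_proxy \
      -out "$d/proxy.pem" &&
    # The "catch" from the mail: the EE cert goes into the CA bundle too.
    cat "$d/ca.pem" "$d/ee.pem" > "$d/bundle.pem"
  } >/dev/null 2>&1
}

verify_proxy() {   # $1 = directory from make_chain, rest = extra verify options
  d=$1; shift
  openssl verify "$@" -CAfile "$d/bundle.pem" "$d/proxy.pem" >/dev/null 2>&1
}

unset OPENSSL_ALLOW_PROXY_CERTS   # older releases honour this as a switch too
work=$(mktemp -d) && make_chain "$work" || { echo "setup failed" >&2; exit 1; }
verify_proxy "$work" && echo "default: accepted" || echo "default: rejected"
verify_proxy "$work" -allow_proxy_certs && echo "with flag: accepted" ||
  echo "with flag: rejected"
rm -rf "$work"
```

The `-allow_proxy_certs` option corresponds to setting `X509_V_FLAG_ALLOW_PROXY_CERTS` on the verification parameters before calling `X509_verify_cert()`; without it the chain is rejected even though every signature is valid.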