In message <[EMAIL PROTECTED]> on Tue, 22 Mar 2005 15:14:11 -0800, Matthew Rodriguez DSD staff <[EMAIL PROTECTED]> said:
MKRodriguez> Specifically, the else if condition was true.
MKRodriguez>     ku_reject(issuer, KU_KEY_CERT_SIGN)
MKRodriguez> I think this means that my EE cert is not allowed to sign
MKRodriguez> for other certs. Is that correct?
MKRodriguez>
MKRodriguez>     if(subject->ex_flags & EXFLAG_PROXY)
MKRodriguez>     {
MKRodriguez>         if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
MKRodriguez>             return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
MKRodriguez>     }
MKRodriguez>     else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
MKRodriguez>         return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;

Nope. As you can see, if the subject certificate is a proxy certificate (the flag EXFLAG_PROXY is set), it will reject if the key usage doesn't contain digitalSignature. However, according to what you've said, your EE certificate does have that set.

If you actually get to the ku_reject(issuer, KU_KEY_CERT_SIGN), it means your proxy certificate hasn't been identified as a proxy certificate. The ONLY condition to get that flag set is that the proxy certificate contains a proxyCertInfo extension, which effectively identifies it as a proxy certificate.

Can you send me your proxy certificate and EE certificate? NOT THE KEYS, please.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
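The two things Richard is asking about (does the subject certificate actually carry a proxyCertInfo extension, and which keyUsage bits does the issuer have) can be checked from the DER alone. What follows is an added example, not code from this thread or from OpenSSL: a stdlib-only Python walk over DER that mirrors the quoted verify branch. It assumes OIDs can be compared as raw DER bytes, and its sample certificates are constructed, with only the tbsCertificate extensions field populated, so they stand in for the real EE and proxy certificates.

```python
# Added example, not OpenSSL code. Assumptions: OIDs compared as raw DER bytes; sample certs are constructed.
OID_PROXY_CERT_INFO = bytes.fromhex("2b0601050507010e")   # 1.3.6.1.5.5.7.1.14: what sets EXFLAG_PROXY
OID_KEY_USAGE = bytes.fromhex("551d0f")                    # 2.5.29.15
KU_DIGITAL_SIGNATURE, KU_KEY_CERT_SIGN = 0x80, 0x04        # KeyUsage bits 0 and 5 of the first byte

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    pos = 0
    while pos < len(contents):                             # every TLV inside a constructed value
        tag, value, pos = tlv(contents, pos)
        yield tag, value

def extensions(der):
    """Collect Extension ::= SEQUENCE { OID, [critical], OCTET STRING } anywhere in the certificate."""
    found = {}
    for tag, value in children(der):
        if tag & 0x20:                                     # constructed: SEQUENCE, [3] EXPLICIT, ...
            items = list(children(value))
            if len(items) >= 2 and items[0][0] == 0x06 and items[-1][0] == 0x04:
                found[items[0][1]] = items[-1][1]          # raw OID -> extnValue contents
            else:
                found.update(extensions(value))
    return found

def ku_reject(issuer_exts, usage):
    """Like OpenSSL's ku_reject: reject only when keyUsage is present and lacks the bit."""
    if OID_KEY_USAGE not in issuer_exts:
        return False
    _, bits, _ = tlv(issuer_exts[OID_KEY_USAGE])           # BIT STRING: unused-bit count, then the bits
    return len(bits) < 2 or not bits[1] & usage

def check_link(subject_der, issuer_der):
    """The branch quoted above: a proxy subject needs issuer digitalSignature, anything else keyCertSign."""
    issuer = extensions(issuer_der)
    if OID_PROXY_CERT_INFO in extensions(subject_der):
        return "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE" if ku_reject(issuer, KU_DIGITAL_SIGNATURE) else "OK"
    return "X509_V_ERR_KEYUSAGE_NO_CERTSIGN" if ku_reject(issuer, KU_KEY_CERT_SIGN) else "OK"

def enc(tag, *parts):                                      # tiny DER encoder (short lengths) for the samples
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def fake_cert(*exts): return enc(0x30, enc(0x30, enc(0xA3, enc(0x30, *exts))))  # only [3] extensions present
def key_usage_ext(bits): return enc(0x30, enc(0x06, OID_KEY_USAGE), enc(0x04, enc(0x03, bytes([0, bits]))))
PCI_EXT = enc(0x30, enc(0x06, OID_PROXY_CERT_INFO), enc(0x04, enc(0x30, enc(0x30, b""))))  # proxyCertInfo
EE_CERT = fake_cert(key_usage_ext(KU_DIGITAL_SIGNATURE))               # EE: digitalSignature, no keyCertSign
PROXY_CERT = fake_cert(PCI_EXT, key_usage_ext(KU_DIGITAL_SIGNATURE))   # a proxy cert that carries proxyCertInfo
```

Running check_link with a subject that lacks proxyCertInfo against the EE reproduces the X509_V_ERR_KEYUSAGE_NO_CERTSIGN symptom from the thread; the same EE issuer passes once the subject carries the extension.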