Hi Patrick,

Thank you for your kind reply.

I will do more research and testing based on your advice. Actually, I want to know which rules OpenSSL already performs and which I should implement in the callback function.

1. We make sure the chain we are going to build is present and that the first entry is in place.
2. Verify the depth.
3. Check a certificate chain's extensions for consistency with the supplied purpose.
4. Check the trust of the last certificate in the chain.
5. Check revocation status: we do this after copying parameters because they may be needed for CRL signature verification.

On 18/04/2008, Patrick Patterson <[EMAIL PROTECTED]> wrote:
>
> Hi Anri:
>
> Anri Lau wrote:
> > Hi All,
> >
> > Anyone know how many rules should be performed when building a TLS connection?
> > I have some test cases. The certificate time is not valid, validation failed.
> > But the certificate passed if the validity dates of the child certificate
> > are not contained within the validity dates of the parent certificate.
> >
> > As I know, both of the above are standard rules of digital certificates.
> >
> > So, which rules will be performed in OpenSSL when building the TLS connection?
> >
>
> I believe that the above are what is performed, as well as, if you
> provide the appropriate information, CRL validation (and, I believe,
> OCSP can be added into the mix)...
>
> However, OpenSSL does not *YET* perform full RFC3280 compliant Path
> Validation and Discovery (checking for Name Constraints, Policy
> compliance and mapping, AIA Chasing, etc.) - for that you need to either
> do all of the implementation yourself, or use a tool like Pathfinder
> (http://www.carillon.ca/products/pathfinder.php) that performs all of
> this validation for you, and which ties into the OpenSSL certificate
> verification callback.
>
> Depending on the complexity of your trust environment (Pathfinder was
> written to handle just about every case, including complex Bridge PKI
> environments), you may not need that, and simply ensure that your code
> reads the CRL Distribution Point information in the certificate, and
> either fetches the CRL, or uses a cached, but still valid, copy of the
> CRL, and then rely on the reasonably complete (for a simple trust
> environment) implementation that is currently part of the stock
> certificate verification callback.
>
> Have fun.
>
> --
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Best regards to you and your family
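The five chain-verification steps listed in the reply above, and the validity-nesting case from the original question, worked through as an added example. This is not code from the thread or from OpenSSL: certificates are modelled as plain Python dataclasses rather than X.509 objects, no signatures are verified, the error-code strings are merely named after OpenSSL's `X509_V_ERR_*` values, and the sample PKI (`ROOT`, `ISSUING`, `LEAF`, `NOW`) is constructed. What it shows is the order in which the library-side checks run, which depth each error is reported at, and how a verify callback both sees those errors and can add a rule of its own (here the requirement that a certificate's validity window lies inside its issuer's, which the thread notes the default verification does not enforce).

```python
"""Constructed model of the certificate-chain checks listed in the thread.

Certificates are plain dataclasses rather than X.509 objects and no
signatures are verified; the point is the order of the checks (chain
building, depth, extensions/purpose, trust anchor, validity dates,
revocation) and where a verify callback sees each failure and can add a
check of its own, such as the validity-nesting rule discussed above.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    serial: int
    is_ca: bool = False
    path_len: Optional[int] = None  # BasicConstraints pathLenConstraint; None = unlimited


Error = Tuple[int, str]  # (depth, code); codes only named after OpenSSL's X509_V_ERR_* values
Callback = Callable[[Cert, int, Optional[str]], bool]


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert]) -> List[Cert]:
    """Step 1: follow issuer names upward from the leaf, preferring the trust
    store, until a self-issued certificate is reached or no issuer is found."""
    by_subject: Dict[str, Cert] = {c.subject: c for c in untrusted}
    by_subject.update({c.subject: c for c in trusted})  # trusted copies win
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].issuer != chain[-1].subject:
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None or issuer.subject in seen:  # missing issuer or a loop
            break
        seen.add(issuer.subject)
        chain.append(issuer)
    return chain


def check_chain(chain: List[Cert], trusted: List[Cert], crl: Set[Tuple[str, int]],
                now: datetime, max_depth: int = 5) -> List[Error]:
    """Steps 2-5 from the thread, applied to an already built chain (depth 0 = leaf)."""
    errors: List[Error] = []
    top = len(chain) - 1
    if top > max_depth:  # step 2: depth
        errors.append((top, "CERT_CHAIN_TOO_LONG"))
    for depth, cert in enumerate(chain):  # step 3: extensions vs. purpose
        if depth > 0 and not cert.is_ca:
            errors.append((depth, "INVALID_CA"))
        intermediates_below = depth - 1  # CAs between this one and the leaf
        if cert.path_len is not None and intermediates_below > cert.path_len:
            errors.append((depth, "PATH_LENGTH_EXCEEDED"))
    if chain[-1] not in trusted:  # step 4: the last certificate must be trusted
        self_issued = chain[-1].issuer == chain[-1].subject
        errors.append((top, "SELF_SIGNED_CERT_IN_CHAIN" if self_issued
                       else "UNABLE_TO_GET_ISSUER_CERT"))
    for depth, cert in enumerate(chain):  # each certificate's own validity window
        if now < cert.not_before:
            errors.append((depth, "CERT_NOT_YET_VALID"))
        elif now > cert.not_after:
            errors.append((depth, "CERT_HAS_EXPIRED"))
    for depth, cert in enumerate(chain[:-1]):  # step 5: revocation via (issuer, serial)
        if (cert.issuer, cert.serial) in crl:
            errors.append((depth, "CERT_REVOKED"))
    return errors


def verify(chain: List[Cert], trusted: List[Cert], crl: Set[Tuple[str, int]], now: datetime,
           callback: Optional[Callback] = None, max_depth: int = 5) -> Tuple[bool, List[Error]]:
    """Walk the chain from the trust anchor down to the leaf and ask the callback
    about every certificate, passing the error found at that depth (or None).
    A callback returning False fails the whole verification; with no callback
    the chain passes only if no error was found."""
    errors = check_chain(chain, trusted, crl, now, max_depth)
    by_depth: Dict[int, List[Optional[str]]] = {}
    for depth, code in errors:
        by_depth.setdefault(depth, []).append(code)
    ok = True
    for depth in range(len(chain) - 1, -1, -1):
        for code in by_depth.get(depth, [None]):
            ok = (callback(chain[depth], depth, code) if callback else code is None) and ok
    return ok, errors


def nesting_callback(chain: List[Cert]) -> Callback:
    """Sample callback: keep every library error, and additionally require each
    certificate's validity window to lie inside its issuer's window."""
    def cb(cert: Cert, depth: int, code: Optional[str]) -> bool:
        if code is not None:
            return False
        if depth + 1 < len(chain):
            parent = chain[depth + 1]
            return parent.not_before <= cert.not_before and cert.not_after <= parent.not_after
        return True
    return cb


def _date(y: int, m: int = 1, d: int = 1) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample PKI: the leaf outlives its issuing CA by one year.
ROOT = Cert("CN=Example Root", "CN=Example Root", _date(2000), _date(2030), 1, is_ca=True)
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root", _date(2005), _date(2025), 2,
               is_ca=True, path_len=0)
LEAF = Cert("CN=server.example", "CN=Example Issuing CA", _date(2007), _date(2026), 3)
NOW = _date(2008, 4, 18)


def demo() -> Tuple[bool, bool, List[Error]]:
    chain = build_chain(LEAF, [ISSUING], [ROOT])
    default_ok, _ = verify(chain, [ROOT], set(), NOW)
    nested_ok, _ = verify(chain, [ROOT], set(), NOW, callback=nesting_callback(chain))
    _, revoked_errors = verify(chain, [ROOT], {("CN=Example Issuing CA", 3)}, NOW)
    return default_ok, nested_ok, revoked_errors  # (True, False, [(0, 'CERT_REVOKED')])
```

`demo()` illustrates the situation from the question: the default checks accept the chain even though the leaf's validity window extends past its issuer's, the nesting callback rejects it, and listing the leaf's serial in its issuer's CRL produces a revocation error at depth 0. The walk in `verify` runs from the trust anchor downward so that an error on a CA is reported before errors on the certificates it issued.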