Hi Patrick,

Thank you for your kind reply.

I will do more research and testing based on your advice. Actually, I want to know which rules OpenSSL has already implemented, and which I should implement in the callback function. The following are the rules implemented by OpenSSL, collected from the source code:

1. We make sure the chain we are going to build is present and that the first entry is in place.
2. Verify the depth.
3. Check a certificate chain's extensions for consistency with the supplied purpose.
4. Check the trust of the last certificate in the chain.
5. Check revocation status: we do this after copying parameters because they may be needed for CRL signature verification.

Are these enough? Do you have more supplementary information?

On 18/04/2008, Patrick Patterson <[EMAIL PROTECTED]> wrote:
>
> Hi Anri:
>
> Anri Lau wrote:
> > Hi All,
> >
> > Does anyone know how many rules should be performed when building a TLS
> > connection?
> > I have some test cases. If the certificate time is not valid, validation
> > fails. But the certificate passes if the validity dates of the child
> > certificate are not contained within the validity dates of the parent
> > certificate.
> >
> > As I know, both of the above are standard rules for digital certificates.
> >
> > So, which rules will be performed in OpenSSL when building the TLS
> > connection?
> >
>
> I believe that the above are what is performed, as well as, if you
> provide the appropriate information, CRL validation (and, I believe,
> OCSP can be added into the mix)...
>
> However, OpenSSL does not *YET* perform full RFC3280 compliant Path
> Validation and Discovery (checking for Name Constraints, Policy
> compliance and mapping, AIA Chasing, etc.) - for that you need to either
> do all of the implementation yourself, or use a tool like Pathfinder
> (http://www.carillon.ca/products/pathfinder.php) that performs all of
> this validation for you, and which ties into the OpenSSL certificate
> verification callback.
>
> Depending on the complexity of your trust environment (Pathfinder was
> written to handle just about every case, including complex Bridge PKI
> environments), you may not need that, and simply ensure that your code
> reads the CRL Distribution Point information in the certificate, and
> either fetches the CRL, or uses a cached, but still valid, copy of the
> CRL, and then rely on the reasonably complete (for a simple trust
> environment) implementation that is currently part of the stock
> certificate verification callback.
>
> Have fun.
>
> --
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Best regards to you and your family
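As an added illustration of the five rules listed above and of the division of labour between OpenSSL and a verify callback (this is example code written for this thread, not OpenSSL's verifier and not code from either poster): the model below expresses each rule over constructed, plain-Python certificate objects rather than real DER, uses constructed error names that only loosely follow OpenSSL's X509_V_ERR_* codes, and adds the validity-nesting check that Anri's test found OpenSSL does not enforce, which is therefore the kind of rule that would have to live in the callback. The callback signature mirrors the shape of OpenSSL's `int (*cb)(int ok, X509_STORE_CTX *ctx)`: returning true on a failure tells the verifier to accept it and continue, returning false aborts at that point.

```python
"""Constructed model of X.509 chain checks; not OpenSSL's own code."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    path_len: Optional[int] = None        # basicConstraints pathLenConstraint
    key_usage: frozenset = frozenset()
    ext_key_usage: frozenset = frozenset()


# callback(ok, cert, depth, error) -> bool; True on an error means "accept and go on".
Callback = Callable[[bool, Optional[Cert], int, str], bool]


def default_callback(ok: bool, cert: Optional[Cert], depth: int, error: str) -> bool:
    return ok  # no override: the first error aborts verification


def verify_chain(chain: List[Cert], trusted_subjects: set, revoked: set, now: datetime,
                 purpose: str = "sslserver", max_depth: int = 9, check_nesting: bool = False,
                 callback: Callback = default_callback) -> Tuple[bool, List[Tuple[int, str]]]:
    """chain[0] is the end entity, chain[-1] the anchor (leaf first, as OpenSSL builds it).
    Returns (ok, errors); errors lists every failure the callback was shown."""
    errors: List[Tuple[int, str]] = []

    def report(cert, depth, err):
        errors.append((depth, err))
        return callback(False, cert, depth, err)

    # Rule 1: a chain must be present, with the end-entity certificate in first place.
    if not chain:
        report(None, 0, "empty_chain")
        return False, errors
    # Rule 2: depth limit (what SSL_CTX_set_verify_depth configures in OpenSSL).
    if len(chain) - 1 > max_depth and not report(chain[max_depth + 1], max_depth + 1, "chain_too_long"):
        return False, errors

    for depth, cert in enumerate(chain):
        parent = chain[depth + 1] if depth + 1 < len(chain) else None
        findings = []
        # Validity dates of each certificate: the check the thread's test case hit.
        if now < cert.not_before:
            findings.append("cert_not_yet_valid")
        elif now > cert.not_after:
            findings.append("cert_has_expired")
        # Rule 3: extensions must be consistent with the position in the chain and the purpose.
        if depth > 0:
            if not cert.is_ca or "keyCertSign" not in cert.key_usage:
                findings.append("invalid_ca")
            if cert.path_len is not None and depth - 1 > cert.path_len:  # depth-1 CAs sit below
                findings.append("path_length_exceeded")
        elif purpose == "sslserver" and cert.ext_key_usage and "serverAuth" not in cert.ext_key_usage:
            findings.append("invalid_purpose")
        if parent is not None and cert.issuer != parent.subject:
            findings.append("issuer_mismatch")
        # Rule 5: revocation status, keyed the way a CRL entry is: (issuer, serial).
        if (cert.issuer, cert.serial) in revoked:
            findings.append("cert_revoked")
        # Nesting rule from the thread: not enforced by stock OpenSSL, so callback territory.
        if check_nesting and parent is not None and (
                cert.not_before < parent.not_before or cert.not_after > parent.not_after):
            findings.append("validity_not_nested")
        for err in findings:
            if not report(cert, depth, err):
                return False, errors

    # Rule 4: the last certificate in the chain must be a trusted anchor.
    if chain[-1].subject not in trusted_subjects and not report(chain[-1], len(chain) - 1, "cert_untrusted"):
        return False, errors
    return True, errors


# --- constructed sample chain (hypothetical names and dates) -----------------
ROOT = Cert("CN=Example Root", "CN=Example Root", 1, datetime(2008, 1, 1), datetime(2018, 1, 1),
            is_ca=True, path_len=0, key_usage=frozenset({"keyCertSign", "cRLSign"}))
# The leaf outlives its issuer: the case the thread says stock OpenSSL accepts.
LEAF = Cert("CN=www.example.test", "CN=Example Root", 42, datetime(2008, 3, 1), datetime(2019, 1, 1),
            ext_key_usage=frozenset({"serverAuth"}))
TRUSTED = {"CN=Example Root"}
NOW = datetime(2008, 4, 18)


def permissive_callback(ok, cert, depth, error):
    """A logging-style callback that returns 1: records everything, blocks nothing."""
    return True


def demo():
    return {
        "stock": verify_chain([LEAF, ROOT], TRUSTED, set(), NOW),
        "nested": verify_chain([LEAF, ROOT], TRUSTED, set(), NOW, check_nesting=True),
        "expired": verify_chain([LEAF, ROOT], TRUSTED, set(), datetime(2019, 6, 1)),
        "revoked": verify_chain([LEAF, ROOT], TRUSTED, {("CN=Example Root", 42)}, NOW),
        "logged": verify_chain([LEAF, ROOT], TRUSTED, {("CN=Example Root", 42)}, NOW,
                               check_nesting=True, callback=permissive_callback),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "stock" case passes even though the leaf's validity is not nested inside the root's, matching what Anri observed; enabling `check_nesting` makes the same chain fail. The "logged" case shows why a callback that unconditionally returns true is dangerous: a revoked certificate is reported and then accepted anyway, so a real callback should only override the specific errors it has a reason to tolerate.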