On 2009.06.04 at 09:04:11 +1000, Brad Mitchell wrote:

> The reason we use command-line utilities to verify is for transparency.
> Data could be used in the courts for example and having that "hey.. go
> download openssl and verify it yourself" is a lot better than.. here is a
> util we wrote to verify the token. WHAT? Your util? sure.....
>
> So the issue with ignoring those extensions within your own app will
> probably work for you depending on your situation. In my case, it is not
> really an option.
>
> I'm not really sure why this particular extension is marked as critical. It
> does seem a bit weird. Microsoft aren't exactly the most compliant company
> out there when it comes to some industry standards...
Hm, the description of X509_V_FLAG_IGNORE_CRITICAL reads "Ignore UNKNOWN critical extensions". Maybe it is better to make these Microsoft-specific extensions KNOWN to OpenSSL, even if it wouldn't do anything with their values. Just "a thing which an MS CA can put into a certificate, and mark critical, which doesn't affect the verification process".

It is quite easy to do: just add the OID of this extension to objects.txt with a suitable short name and long name, and add it to the array in the X509_supported_extension function.

Really, I think it might be worth the effort to make the list of supported extensions user-configurable. Applications can handle extensions which are not supported by OpenSSL itself using the verify callback function.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
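The failure the thread is about, reproduced with plain openssl(1) commands so it can be checked the transparent way Brad describes. This is an added example, not code from the thread or from OpenSSL; it assumes openssl 1.1.1 or later on PATH, and the OID it uses is a constructed private-arc value standing in for the vendor extension, not Microsoft's actual OID.

```shell
#!/bin/sh
# Added example: build a test CA and a leaf certificate that carries an
# unknown extension marked critical, then compare strict verification,
# the blanket -ignore_critical switch (the CLI face of
# X509_V_FLAG_IGNORE_CRITICAL) and an explicit listing of critical OIDs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
VENDOR_OID="1.3.6.1.4.1.99999.1"   # constructed placeholder OID

# Minimal config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Added Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 1 >/dev/null 2>&1

# Leaf certificate with an arbitrary extension flagged critical.
echo "$VENDOR_OID = critical,ASN1:UTF8String:opaque vendor data" > leaf.ext
openssl req -new -config ca.cnf -subj "/CN=leaf" -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out leaf.crt -days 1 -extfile leaf.ext >/dev/null 2>&1

# Strict verification: OpenSSL rejects any critical extension it does not know.
verify_strict() {
    if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# -ignore_critical waives EVERY unknown critical extension, not only the expected one.
verify_ignore_critical() {
    if openssl verify -ignore_critical -CAfile ca.crt leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Repeatable check: print the numeric OIDs of critical extensions OpenSSL
# could not decode, so a reviewer can confirm only the expected one is present.
critical_unknown_oids() {
    openssl x509 -in leaf.crt -noout -text | sed -n 's/^ *\([0-9][0-9.]*\): critical *$/\1/p'
}

echo "strict: $(verify_strict)"                    # fail
echo "ignore_critical: $(verify_ignore_critical)"  # ok
echo "critical unknown OIDs: $(critical_unknown_oids)"
```

Only after the listed OIDs match what the issuing CA is known to emit is waiving the error defensible; the same allow-list logic belongs in an application's verify callback rather than a global ignore flag.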