I agree that there should probably be a callback for extensions not recognized and supported by OpenSSL...the callback could return a failure code that openssl would look at, and if it is set to an "error" then openssl would run its normal failure return path (up the call stack).
If the callback returns SUCCESS, then keep going...

If a plugin is not registered for handling unknown extensions, then maybe the code should follow a configuration flag
that says ["fail" on unknown extension] or [ignore unknown extensions]

Randy

On Jun 3, 2009, at 10:41 PM, Victor B. Wagner wrote:

On 2009.06.04 at 09:04:11 +1000, Brad Mitchell wrote:


The reason we use command-line utilities to verify is for transparency. Data could be used in the courts for example and having that "hey.. go download openssl and verify it yourself" is a lot better than.. here is a
util we wrote to verify the token.  WHAT?  Your util? sure.....

So the issue with ignoring those extensions within your own app will
probably work for you depending on your situation. In my case, it is not
really an option.

I'm not really sure why this particular extension is marked as critical. It does seem a bit weird. Microsoft aren't exactly the most compliant company
out there when it comes to some industry standards...

Hm, the description of X509_V_FLAG_IGNORE_CRITICAL reads "Ignore UNKNOWN
critical extensions". Maybe it is better to make this
Microsoft-specific extension KNOWN to OpenSSL, even if it wouldn't do
anything with its value.

Just "a thing which MS-CA can put into certificate, and mark critical,
which doesn't affect verification process".

It is quite easy to do:

just add OID of this extension into objects.txt with suitable shortname
and longname, and add it into array in the X509_supported_extension
function.

Really I think it might be worth the effort to make the list of
supported extensions user-configurable. Applications can handle
extensions which are not supported by OpenSSL itself using the verify
callback function.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
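The three behaviours discussed in this thread (fail on any unknown critical extension, ignore them all as X509_V_FLAG_IGNORE_CRITICAL does, or register a vendor extension as "known but ignored" so only that one passes) can be tried out on a certificate's Extensions block without a full X.509 library. The example below is added here and is not code from OpenSSL or from any of the posters; it hand-walks the DER `Extensions ::= SEQUENCE OF Extension` structure, uses a constructed sample with three extensions (basicConstraints critical, keyUsage non-critical, and a placeholder vendor extension under the ITU-T example arc `2.999.1`, standing in for the unnamed Microsoft OID), and treats a two-entry `KNOWN_TO_LIBRARY` set as an illustrative stand-in for OpenSSL's `X509_supported_extension` list:

```python
"""Policy decisions for unknown critical X.509 extensions.

Added example (not from OpenSSL or the thread's authors). The DER walk is a
minimal hand-rolled one; KNOWN_TO_LIBRARY is an illustrative subset of what
a library such as OpenSSL would know, and 2.999.1 is a placeholder OID.
"""


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    subids, acc = [], 0
    for b in value:  # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]  # first two arcs are packed as 40*X + Y
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(map(str, arcs + subids[1:]))


def parse_extensions(der):
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical) pairs.

    Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
                             critical BOOLEAN DEFAULT FALSE,
                             extnValue OCTET STRING }
    DER omits 'critical' entirely when it is FALSE, so a missing BOOLEAN
    before the OCTET STRING means non-critical.
    """
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_val, p = _read_tlv(ext, 0)
        tag, val, _ = _read_tlv(ext, p)
        critical = tag == 0x01 and val == b"\xff"
        result.append((_decode_oid(oid_val), critical))
    return result


# Illustrative stand-in for the library's X509_supported_extension list.
KNOWN_TO_LIBRARY = frozenset({"2.5.29.19", "2.5.29.15"})  # basicConstraints, keyUsage


def check_critical_extensions(der, policy="fail", app_known=frozenset()):
    """Return (ok, unhandled_critical_oids).

    policy="fail"   : a critical extension neither the library nor the
                      application knows fails verification (the default path)
    policy="ignore" : every unknown critical extension is skipped, which is
                      what X509_V_FLAG_IGNORE_CRITICAL does globally
    app_known       : OIDs the application registers as "known but ignored",
                      i.e. the per-extension allow-list idea from the thread
    """
    unhandled = [oid for oid, crit in parse_extensions(der)
                 if crit and oid not in KNOWN_TO_LIBRARY and oid not in app_known]
    if policy == "ignore":
        return True, unhandled
    return not unhandled, unhandled


# --- constructed sample certificate extensions (not a real certificate) ---
def _tlv(tag, body):
    """Tiny DER encoder for the sample; lengths under 128 only."""
    return bytes([tag, len(body)]) + body


OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"  # 2.5.29.19
OID_KEY_USAGE = b"\x55\x1d\x0f"          # 2.5.29.15
OID_VENDOR_EXAMPLE = b"\x88\x37\x01"     # 2.999.1, placeholder for a vendor OID
CRITICAL = _tlv(0x01, b"\xff")

SAMPLE_EXTENSIONS = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, OID_BASIC_CONSTRAINTS) + CRITICAL
         + _tlv(0x04, _tlv(0x30, _tlv(0x01, b"\xff"))))          # cA = TRUE
    + _tlv(0x30, _tlv(0x06, OID_KEY_USAGE)
           + _tlv(0x04, _tlv(0x03, b"\x05\xa0")))                # non-critical
    + _tlv(0x30, _tlv(0x06, OID_VENDOR_EXAMPLE) + CRITICAL
           + _tlv(0x04, _tlv(0x05, b""))))                       # critical, unknown

if __name__ == "__main__":
    print(parse_extensions(SAMPLE_EXTENSIONS))
    print("fail  :", check_critical_extensions(SAMPLE_EXTENSIONS))
    print("ignore:", check_critical_extensions(SAMPLE_EXTENSIONS, "ignore"))
    print("allow :", check_critical_extensions(SAMPLE_EXTENSIONS, "fail", {"2.999.1"}))
```

The allow-list call is the equivalent of Victor's proposal (the OID becomes known and is then ignored) and of Randy's callback returning success for that one extension, while the `"ignore"` policy shows why the global flag is the blunter tool: it still reports the unhandled OID, but accepts every unknown critical extension, not just the one the application chose to trust.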

