On Mon, Nov 09, 2009, Bene? Vladimr wrote:

> I'm afraid we can't call non-modified openssl by command line for
> verification signature with purpose verification certificate if
> certificate includes both X509v3 Key Usage and X509v3 Extended Key
> Usage.
>
> There is "Digital Signature" value on X509v3 Key Usage so imho
> openssl wouldn't return error "unsupported certificate purpose"
> because this certificate can be used for digital signing. Imho
> issuer created this certificate correctly and this certificate can
> be used for digital signing.
>

If you can't change the command line or the certificate then you are out of
luck. By default a PKCS#7 structure is used for S/MIME mail and that extended
key usage specifically excludes that possibility: i.e. the CA didn't intend
that purpose.

The extensions each place restrictions on how the key can be used: it is an
AND and not an OR operation. So key usage says you can only use the key for
digital signatures AND EKU also says you can only use it for SSL client auth.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
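
The AND behaviour described in the reply can be reproduced with the stock command line. This is an added example, not part of the original thread and not OpenSSL project code. The CA, the leaf, the subject names, the file names and the config sections are all constructed for the demonstration, and the leaf carries the same combination discussed above (Key Usage "Digital Signature" plus an Extended Key Usage limited to SSL client auth).

```shell
#!/bin/sh
# Constructed demo: leaf with keyUsage=digitalSignature AND extendedKeyUsage=clientAuth.
# Every name, file and config section below is made up for this example.
ku_eku_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[demo_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[demo_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    (
        cd "$dir" || exit 1
        # Throwaway CA, then a leaf signed by it with the two extensions.
        openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions demo_ca \
            -subj "/CN=Constructed Test CA" -days 2 -keyout ca.key -out ca.pem &&
        openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
            -subj "/CN=Constructed Leaf" -keyout leaf.key -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -extfile ext.cnf -extensions demo_leaf -days 2 -out leaf.pem
    ) >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    result=""
    # Same chain, two purposes: both KU and EKU must allow the purpose.
    for purpose in sslclient smimesign; do
        if openssl verify -CAfile "$dir/ca.pem" -purpose "$purpose" \
            "$dir/leaf.pem" >/dev/null 2>&1
        then result="$result $purpose=ok"
        else result="$result $purpose=rejected"
        fi
    done
    rm -rf "$dir"
    echo "${result# }"
}
ku_eku_demo
```

The chain and signature are valid in both runs; only the requested purpose differs, so the S/MIME signing rejection comes from the EKU restriction alone even though Key Usage permits digital signatures.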