Hello,

        thank you for the answer.

        I then found RFC 3850 (e.g. on http://www.ietf.org/rfc/rfc3850.txt) 
where there is a piece of information corresponding to your answer:

"""
4.4.4.  Extended Key Usage Extension
...
The set of technical purposes for the certificate therefore
are the intersection of the uses indicated in the key usage and
extended key usage extensions.
"""

        So the mentioned certificate really wouldn't be used for digital signing.

                Thank you, V. Benes

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Monday, November 09, 2009 2:09 PM
To: openssl-users@openssl.org
Subject: Re: Certificate - if "Extended Key Usage" is defined, openssl ignore 
"Key Usage"

On Mon, Nov 09, 2009, Beneš Vladimír wrote:

>         I'm afraid we can't call unmodified openssl from the command line
>         for signature verification with certificate purpose verification
>         if the certificate includes both X509v3 Key Usage and X509v3
>         Extended Key Usage.
>
>         There is a "Digital Signature" value in X509v3 Key Usage, so imho
>         openssl shouldn't return the error "unsupported certificate purpose"
>         because this certificate can be used for digital signing. Imho the
>         issuer created this certificate correctly and this certificate can
>         be used for digital signing.
>

If you can't change the command line or the certificate then you are out of
luck. By default a PKCS#7 structure is used for S/MIME mail and that extended
key usage specifically excludes that possibility: i.e. the CA didn't intend
that purpose.

The extensions each place restrictions on how the key can be used; it is an AND
and not an OR operation. So key usage says you can only use the key for
digital signatures AND EKU also says you can only use it for SSL client auth.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

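The intersection rule Steve describes (and that the RFC 3850 excerpt states) is easy to see with the openssl command line tool itself. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throw-away CA and two CA-signed end-entity certificates that both carry keyUsage = digitalSignature but differ only in their extendedKeyUsage, then asks OpenSSL whether each is acceptable for the "smimesign" purpose, which is the check `openssl smime -verify` applies to the signer certificate. It assumes an openssl binary (1.1.1 or later) on PATH; the names "Test CA", "leaf-clientauth", "leaf-email" and the work directory are arbitrary, and the key material is generated on the fly for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): show that OpenSSL treats Key Usage and
# Extended Key Usage as an AND when checking a certificate for a purpose.
# Assumes the openssl command line tool, 1.1.1 or later. All names are arbitrary.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Test CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Throw-away self-signed CA; it is only the trust anchor for the two leaves.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_leaf NAME EKU_LIST SERIAL: CA-signed certificate with
# keyUsage = digitalSignature and the given extendedKeyUsage list.
issue_leaf() {
    printf 'keyUsage = critical,digitalSignature\nextendedKeyUsage = %s\n' "$2" \
        > "$WORK/$1.ext"
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial "$3" -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# smime_sign_ok NAME: exit status 0 if OpenSSL accepts the certificate for the
# smimesign purpose (what smime -verify checks on the signer), non-zero otherwise.
smime_sign_ok() {
    openssl verify -purpose smimesign -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_output NAME: the full text openssl verify prints for the certificate.
verify_output() {
    openssl verify -purpose smimesign -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1 || true
}

# purpose_flag NAME PURPOSE: "Yes" or "No" as listed by openssl x509 -purpose
# for the given purpose name, e.g. "S/MIME signing" or "SSL client".
purpose_flag() {
    openssl x509 -in "$WORK/$1.pem" -noout -purpose | sed -n "s|^$2 : ||p"
}

# Certificate 1: KU digitalSignature, EKU clientAuth only. KU alone would
# allow signing, but the EKU does not list emailProtection, so the
# intersection of the two excludes S/MIME signing.
issue_leaf leaf-clientauth "clientAuth" 2
# Certificate 2: same KU, EKU clientAuth plus emailProtection. Both
# extensions now permit S/MIME signing.
issue_leaf leaf-email "clientAuth,emailProtection" 3

for n in leaf-clientauth leaf-email; do
    echo "--- $n"
    echo "S/MIME signing : $(purpose_flag "$n" 'S/MIME signing')"
    echo "SSL client     : $(purpose_flag "$n" 'SSL client')"
    verify_output "$n"
done
```

Run it with `sh script.sh`. The first certificate lists "S/MIME signing : No" (while "SSL client : Yes") and `openssl verify -purpose smimesign` rejects it with "unsupported certificate purpose"; the second passes, because its EKU and KU both allow the purpose. This is the situation in the original question: the certificate is fine for signing in the KU sense and fine for SSL client authentication, but not for S/MIME, and the only ways around it are a certificate whose EKU includes emailProtection or a different command line (for example `openssl smime -verify -purpose any`, which relaxes the purpose check).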