> -----Original Message-----
> From: Erwann Abalea
>
> Hello,
>
> On 21/05/2012 14:10, Serge Emantayev wrote:
> > Hello openSSL gurus,
> >
> > I faced an issue of pathlen constraint checking by openSSL when verifying the client certificate. I did a few studies on how openSSL does that and I appreciate your assistance on clarifying the issue.
> >
> > 1. The certificate chain with a pathlen constraint defined in a root CA:
> >
> > Root CA, pathlen:1
> >   \ policy CA, pathlen:none
> >     \ issuer CA, pathlen:none
> >       \ client certificate
> >
> > In the first case openSSL does not verify the certificate correctly (i.e. the verification succeeds). It ignores the pathlen constraint defined in the root CA.
>
> This is conformant with X.509. The basicConstraints extension is not taken into consideration if present in a trust anchor (a root certificate is a trust anchor).
> Download the X.509 recommendation, see chapter 10 (from memory); the validation algorithm is described there.
Actually, I find this hard to believe. The verifying party can deem any certificate as trusted and thereby make it its trust anchor. Nevertheless the verification process needs to take into account the extensions of the trust anchor and I don't see any reason to exclude basicConstraints. Can you please cite the relevant part of the validation algorithm that you reference?

Patrick Eisenacher

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
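As an added example (not code from this thread or from OpenSSL), the following Python walks the max_path_length rules of RFC 5280 section 6.1 over the chain in Serge's first message: once with the trust anchor outside the path, as section 6.1.1 defines the prospective path, and once with the root's basicConstraints applied as if the root were a certificate in the path. The chain entries are constructed from the message; the dict layout and the function name are assumptions of this example.

```python
# Added example, not from the thread: the max_path_length bookkeeping of
# RFC 5280 section 6.1 applied to the chain in Serge's first message.
# The chain entries below are constructed from that message.

# Each entry is one certificate; "pathlen" is basicConstraints
# pathLenConstraint (None = absent) and "self_issued" records whether
# subject == issuer, which section 6.1.4 step (l) uses to decide whether
# a certificate consumes one unit of the remaining path length.
ROOT_CA = {"name": "Root CA", "pathlen": 1, "self_issued": True}
PATH = [  # prospective path below the trust anchor, end entity last
    {"name": "policy CA", "pathlen": None, "self_issued": False},
    {"name": "issuer CA", "pathlen": None, "self_issued": False},
    {"name": "client certificate", "pathlen": None, "self_issued": False},
]


def check_path_length(path, anchor=None):
    """Return (ok, reason) after running only the path-length rules.

    path   -- certificates below the trust anchor, end entity last; per
              RFC 5280 6.1.1 the anchor itself is not part of this path.
    anchor -- when given, the anchor's basicConstraints are applied first,
              as if it were the first certificate of the path (the
              behaviour the first message expected from OpenSSL).
    """
    certs = ([anchor] if anchor is not None else []) + list(path)
    max_path_length = len(certs)  # 6.1.2 (k): initialised to n
    for cert in certs[:-1]:  # 6.1.4 applies to every cert but the last
        # 6.1.4 (l): a non-self-issued CA certificate uses one unit, and
        # the budget must still be positive before it is spent.
        if not cert["self_issued"]:
            if max_path_length <= 0:
                return False, "path length exceeded at " + cert["name"]
            max_path_length -= 1
        # 6.1.4 (m): pathLenConstraint can only tighten the budget.
        pl = cert["pathlen"]
        if pl is not None and pl < max_path_length:
            max_path_length = pl
    return True, "ok, remaining max_path_length=%d" % max_path_length


if __name__ == "__main__":
    # Trust anchor left out of the path, as RFC 5280 describes: succeeds.
    print(check_path_length(PATH))
    # Anchor's pathlen:1 enforced as if it were in the path: fails at the
    # second non-self-issued CA below it.
    print(check_path_length(PATH, anchor=ROOT_CA))
```

RFC 5280 section 6.2 leaves implementations free to process or ignore constraints carried in a self-signed trust anchor certificate, which is why the two runs above can both be "conformant" and still disagree.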