Thanks for the reply Tom and Kyle H.

Now I have the 2 questions below:

(1) Based on the application's need, can we assume return codes 2, 3 and 4 as
non-CA?
(2) If we get return code 4 "basicConstraints absent but keyUsage present
and keyCertSign asserted" for a certificate, is this a valid certificate?
Because RFC 3280 says:

      "The keyCertSign bit is asserted when the subject public key is
      used for verifying a signature on public key certificates.  If the
      keyCertSign bit is asserted, then the cA bit in the basic
      constraints extension (section 4.2.1.10) MUST also be asserted."


Regards,
Sanjaya



On Tue, Jul 8, 2014 at 2:16 AM, Kyle Hamilton <aerow...@gmail.com> wrote:

>
> On 7/7/2014 2:40 AM, Sanjaya Joshi wrote:
> > Hello,
> >   My application uses openssl 1.0.0, and it uses X509_check_ca() to
> > find out if an X509 certificate is a CA certificate, or an End-entity
> > (EE) certificate.
> >
> > The below are the possible return codes.
> >
> >         /* return codes of X509_check_ca():
> >         * 0 not a CA
> >         * 1 is a CA
> >         * 2 basicConstraints absent so "maybe" a CA
> >         * 3 basicConstraints absent but self signed V1.
> >         * 4 basicConstraints absent but keyUsage present and
> > keyCertSign asserted.
> >         */
> >
> > My question here is, if we get return code as 4, should we consider
> > this as a CA certificate or an EE certificate?
> >
> > Any quick support in this regard is much appreciated.
> > Regards,
> > Sanjaya
>
> This depends on your environment, and the types of certificates that the
> CAs used issue.
>
> The reason the codes are differentiated is because the authors of the
> library can't make a blanket determination for the library's clients. :P
>
> -Kyle H
>
>
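
Added example, not part of the thread and not OpenSSL's own code: one possible fail-closed mapping of the X509_check_ca() return codes listed above, for an environment that only accepts CA certificates carrying basicConstraints with cA set. The names `strict_ca_policy`, `ca_decision` and `is_local_anchor` are hypothetical, and each policy choice is an assumption that a deployment has to confirm against the certificates its own CAs issue.

```c
#include <stdio.h>

/* What the application does with one certificate (hypothetical names). */
enum ca_decision { TREAT_AS_EE, TREAT_AS_CA, REJECT_NONCONFORMANT };

/*
 * rc              - value returned by X509_check_ca() for the certificate
 * is_local_anchor - nonzero if an administrator explicitly installed this
 *                   certificate in the application's trust store
 *                   (assumed to be known to the caller)
 */
enum ca_decision strict_ca_policy(int rc, int is_local_anchor)
{
    switch (rc) {
    case 0:  /* not a CA */
        return TREAT_AS_EE;
    case 1:  /* basicConstraints present with cA set */
        return TREAT_AS_CA;
    case 2:  /* basicConstraints absent, "maybe" a CA: never let it issue */
        return TREAT_AS_EE;
    case 3:  /* self-signed V1: usable only as an explicitly trusted root */
        return is_local_anchor ? TREAT_AS_CA : TREAT_AS_EE;
    case 4:  /* keyCertSign asserted without the cA bit, which conflicts
                with the RFC 3280 text quoted in the thread */
        return REJECT_NONCONFORMANT;
    default: /* any code this policy does not know: fail closed */
        return REJECT_NONCONFORMANT;
    }
}

static const char *decision_name(enum ca_decision d)
{
    switch (d) {
    case TREAT_AS_EE: return "treat as end-entity";
    case TREAT_AS_CA: return "treat as CA";
    default:          return "reject as non-conformant";
    }
}

int main(void)
{
    /* Constructed inputs: every return code, without and with a local anchor. */
    for (int rc = 0; rc <= 5; rc++)
        printf("rc=%d  no anchor: %-26s anchor: %s\n", rc,
               decision_name(strict_ca_policy(rc, 0)),
               decision_name(strict_ca_policy(rc, 1)));
    return 0;
}
```

In real code the `rc` argument would come from `X509_check_ca(cert)`; a deployment that must interoperate with legacy CAs would relax the cases for codes 2 to 4 deliberately rather than by default.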
