On Sun, Apr 29, 2001 at 01:22:28AM +0200, Stefan Traby wrote:
> The file "log" created from the script below:
> ----------------------------------------------------------------------
> pkcs12 ca nesting level: 0 pkcs12 rc=0
...
> pkcs12 ca nesting level: 8 pkcs12 rc=0
> pkcs12 ca nesting level: 9 pkcs12 rc=139
> ----------------------------------------------------------------------
X509_STORE_CTX_init() (x509_vfy.c) sets the nesting to 9 (black magic
value?) by default.
After increasing ctx->depth, it was possible to
nest CAs to a higher level.
Even IE 5.01 supports at least 257 levels of nested CAs (tested,
certs created by openssl after patching, the pkcs12 file was 216992
bytes large) and I guess that no standard suggests or enforces a
nesting level limit of 9. (Stupid default: as long as it's possible to
sign certs illegally (expiration time) the default limit should be higher.)
I'm now really surprised that openssl works at all; I see bugs
in frontend and backend there (honoring the fact that
X509_STORE_CTX_get_error() after X509_verify_cert() returns
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT which should be _clearly_
X509_V_ERR_CERT_CHAIN_TOO_LONG in that case).
--
ciao -
Stefan
" Give every Lower Saxon his own Castor cask. "
Stefan Traby Linux/ia32 fax: +43-3133-6107-9
Mitterlasznitzstr. 13 Linux/alpha phone: +43-699-10157505
8302 Nestelbach Linux/sparc http://www.hello-penguin.com
Austria mailto:[EMAIL PROTECTED]
Europe mailto:[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
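The two points of the mail above, a hard-coded chain depth and a depth overrun being reported as a missing issuer, are easier to reason about with a small model of the chain-building loop. The following is an added example written for this page, not OpenSSL's code: it walks from a leaf certificate up to a trust anchor with a lookup budget (the model's stand-in for ctx->depth, defaulting to the 9 the mail found), and shows the difference between reporting the exhausted budget as X509_V_ERR_CERT_CHAIN_TOO_LONG and the misleading X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT the mail observed. The `Cert` class, `build_chain`, `make_nested_cas`, the CA names and the `report_depth` switch are all constructed for the model; only the error constant names and the default of 9 come from the thread. The depth is counted here as the number of issuer lookups allowed above the leaf, so that, as in the mail's log, 8 nested CAs verify with the default and 9 do not.

```python
"""Model of X.509 chain building with a depth limit (added example, not OpenSSL code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Error names as used in the mail; represented as strings, not OpenSSL's ints.
X509_V_OK = "X509_V_OK"
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"
X509_V_ERR_CERT_CHAIN_TOO_LONG = "X509_V_ERR_CERT_CHAIN_TOO_LONG"

DEFAULT_DEPTH = 9  # the default the mail found in X509_STORE_CTX_init()


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate: only the name links matter here."""
    subject: str
    issuer: str  # self-signed when issuer == subject


def build_chain(leaf: Cert, untrusted: Dict[str, Cert], trusted: Dict[str, Cert],
                depth: int = DEFAULT_DEPTH,
                report_depth: bool = True) -> Tuple[str, List[Cert]]:
    """Walk issuer links from `leaf` until a cert from `trusted` is reached.

    `untrusted` holds the CA certs supplied with the leaf, `trusted` the
    trust store, both keyed by subject name. `depth` bounds the number of
    issuer lookups (the model's ctx->depth). With report_depth=False the
    walk simply stops searching once the budget is used up and blames a
    missing issuer, which is the misreport described in the mail.
    Returns (error, chain_built_so_far).
    """
    chain = [leaf]
    cur = leaf
    while trusted.get(cur.subject) != cur:  # stop once we sit on a trust anchor
        if len(chain) - 1 >= depth:  # lookup budget exhausted
            if report_depth:
                return X509_V_ERR_CERT_CHAIN_TOO_LONG, chain
            # Misreport: the issuer exists, but the search was abandoned.
            return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, chain
        issuer = untrusted.get(cur.issuer) or trusted.get(cur.issuer)
        if issuer is None:  # genuinely no issuer available anywhere
            return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, chain
        chain.append(issuer)
        cur = issuer
    return X509_V_OK, chain


def make_nested_cas(levels: int) -> Tuple[Cert, Dict[str, Cert], Dict[str, Cert]]:
    """Constructed fixture: CA0 (trusted root) -> CA1 -> ... -> CA<levels> -> leaf."""
    root = Cert("CA0", "CA0")
    cas = [root]
    for i in range(1, levels + 1):
        cas.append(Cert(f"CA{i}", f"CA{i - 1}"))
    leaf = Cert("leaf", cas[-1].subject)
    untrusted = {c.subject: c for c in cas[1:]}
    trusted = {root.subject: root}
    return leaf, untrusted, trusted


def verify_nested(levels: int, depth: int = DEFAULT_DEPTH,
                  report_depth: bool = True) -> str:
    """Build a chain of `levels` nested CAs and return the verification error."""
    leaf, untrusted, trusted = make_nested_cas(levels)
    error, _chain = build_chain(leaf, untrusted, trusted, depth, report_depth)
    return error


if __name__ == "__main__":
    # Mirrors the shape of the log quoted in the mail: the default depth of 9
    # lets 8 nested CAs through and rejects the 9th level.
    for level in range(0, 11):
        print(f"nesting level: {level:2d}  default depth -> {verify_nested(level)}")
    print("same chain, depth raised to 20 ->", verify_nested(10, depth=20))
    print("depth overrun, misreported     ->", verify_nested(10, report_depth=False))
```

Running the block prints one line per nesting level, which is the quickest way to see where a given depth setting cuts off. The `report_depth` switch exists only to make the mail's complaint concrete: a verifier that stops looking up issuers when the budget is gone, without recording why, ends up telling the caller the issuer certificate was unavailable, and the operator then goes hunting for a missing CA cert instead of a too-small depth setting.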