In fact, ASN1 routines have access to X509_EXTENSION structure while
executing parsing routines. But I free that information after it.

We know about security constraints involving removing X509v3 but code size is
really an important matter for us.

Gleison

Dr S N Henson wrote:

> Gleison Santos wrote:
> >
> > Hi, all.
> >
> > In a project I'm working on now we don't want to use any X509 extensions,
> > basically due to binary size limitation.  I've commented a lot of source
> > code, removing any reference to X509_EXTENSION structure.
> >
> > But during server certificate validation I get an error while validating
> > the second certificate in the cert chain. Something goes wrong while
> > executing hash function.
> >
> > I got an error (rsa_sign.c, in RSA_verify):
> >    RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
> >
> > Call Stack:
> > RSA_verify(...) line 208
> > EVP_DigestFinal(...) line 78 + 21 bytes
> > EVP_VerifyFinal(...) line 90 + 20 bytes
> > ASN1_verify(...) line 106 + 29 bytes
> > X509_verify(...) line 71 + 34 bytes
> > internal_verify(...) line 522 + 13 bytes
> >
> > Does anybody know what can be wrong? Is X509v3 really that important?
> >
>
> If a certificate contains extensions (as many do) and you remove all
> references to them then the ASN1 code will not be able to parse it.
>
> Extensions are also used for security purposes, for example to indicate
> whether a certificate is a valid CA certificate and to prevent end user
> certificates being able to masquerade as CAs.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
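
The two points in Steve's reply, as an added example (not code from this thread or from OpenSSL): a certificate signature is computed over the DER encoding of the whole tbsCertificate, extensions included, so a copy re-encoded without them hashes differently, and the basicConstraints CA flag is no longer available to the verifier. The reduced certificate body, helper names and SHA-256 choice are constructed for illustration.

```python
import hashlib

BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def der(tag, content):
    """Encode one DER TLV; short-form length suffices for this sample."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def children(content):
    """Split a run of short-form TLVs into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, n = content[pos], content[pos + 1]
        out.append((tag, content[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return out

def build_tbs():
    """Constructed, heavily reduced tbsCertificate: version, serial, extensions."""
    version = der(0xA0, der(0x02, b"\x02"))       # [0] EXPLICIT INTEGER 2 (v3)
    serial = der(0x02, b"\x01")
    ca_true = der(0x30, der(0x01, b"\xff"))       # BasicConstraints { cA TRUE }
    ext = der(0x30, der(0x06, BASIC_CONSTRAINTS)
              + der(0x01, b"\xff")                # critical
              + der(0x04, ca_true))               # extnValue OCTET STRING
    return der(0x30, version + serial + der(0xA3, der(0x30, ext)))

def strip_extensions(tbs):
    """Re-encode the structure without the [3] extensions field."""
    kept = [der(t, b) for t, b in children(children(tbs)[0][1]) if t != 0xA3]
    return der(0x30, b"".join(kept))

def is_ca(tbs):
    """True/False from basicConstraints, or None when the extension is absent."""
    for tag, body in children(children(tbs)[0][1]):
        if tag != 0xA3:
            continue
        for _, ext in children(children(body)[0][1]):
            fields = children(ext)
            if fields[0][1] == BASIC_CONSTRAINTS:
                bc = children(children(fields[-1][1])[0][1])
                return bool(bc) and bc[0] == (0x01, b"\xff")
    return None

def digest(tbs):
    """Digest of the bytes a signature check would cover."""
    return hashlib.sha256(tbs).hexdigest()
```

A verifier that gets `None` from `is_ca` for an intermediate has no basis for telling a CA certificate from an end-user one.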
