It does not appear there is any code in OpenSSL to make sure all critical extensions are checked during a verify. This could be considered a bug. The default behavior should be to reject any critical extensions which are not understood.

I realize that this could be completely implemented in the verify callback, but this then puts the responsibility on the application programmer to provide this in the callback. OpenSSL does check some extensions and I suspect will check additional extensions in the future. But there will always be extensions which OpenSSL will not understand, and the application will still have to process these via a callback of some type.

I would like to propose that the extensions be checked by a combination of the OpenSSL code and the verify callback. As each extension is processed and is accepted, a flag is set saying so. This would be done both by the OpenSSL code and the verify callback. After all verify processing is done, if there are any critical extensions still unchecked, the verify would fail. This would then not allow any new critical extensions to slip by, as is the case today.

A possible way to do this would be to add a stack of extension check flags to the X509_CERT_AUX. It would be initialized with the list of extensions as all being unchecked. As the verify and verify callback proceed, they would each update this, indicating the extension had been checked and is acceptable. Then, as the last step in a verify, the stack would be checked to make sure there were no missed extensions.

We are running into this problem with our Globus code, where we would like to add restrictions in extensions and make sure they are honored by other applications using certificates, including non-Globus applications.

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
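The scheme proposed in the post, as an added model written for this page rather than code from the post or from OpenSSL: a per-extension "checked and accepted" flag array stands in for the stack the post would attach to X509_CERT_AUX; a library pass marks the extensions it understands, an application callback marks the ones it understands, and a final sweep fails the verify if any critical extension is still unchecked. The extension names, the `lib_understood` list, the `exampleRestriction` extension and the `globus_cb` callback are all constructed for the example. (Later OpenSSL releases implement this idea natively: unknown critical extensions fail verification with X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION unless the X509_V_FLAG_IGNORE_CRITICAL flag is set, and X509_supported_extension() reports which extensions the library itself handles.)

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXTS 8

/* Constructed model of one X.509 extension: a name standing in for its OID,
 * plus the critical bit as encoded in the certificate. */
typedef struct {
    const char *name;
    bool critical;
} ext_t;

/* A certificate reduced to its extension list plus the per-extension
 * "checked and accepted" flags the post proposes adding to X509_CERT_AUX. */
typedef struct {
    ext_t exts[MAX_EXTS];
    size_t n;
    bool checked[MAX_EXTS];
} cert_t;

/* Extensions the library itself understands (hypothetical list for this model). */
static const char *const lib_understood[] = { "basicConstraints", "keyUsage" };

/* Application verify callback: returns true if it understands and accepts extension idx. */
typedef bool (*ext_cb_t)(const cert_t *c, size_t idx);

static void mark_checked(cert_t *c, size_t idx)
{
    if (idx < c->n)
        c->checked[idx] = true;
}

/* Library pass: accept every extension on the understood list. */
static void library_pass(cert_t *c)
{
    for (size_t i = 0; i < c->n; i++)
        for (size_t k = 0; k < sizeof lib_understood / sizeof lib_understood[0]; k++)
            if (strcmp(c->exts[i].name, lib_understood[k]) == 0)
                mark_checked(c, i);
}

/* Final sweep: number of critical extensions nobody accepted. */
static size_t unhandled_critical(const cert_t *c)
{
    size_t count = 0;
    for (size_t i = 0; i < c->n; i++)
        if (c->exts[i].critical && !c->checked[i])
            count++;
    return count;
}

/* Verify as proposed: flags start unchecked, the library and then the callback
 * mark what they accept, and any critical extension left unchecked fails the
 * verify. Returns 1 on success and 0 on failure, like X509_verify_cert(). */
static int verify_cert(cert_t *c, ext_cb_t cb)
{
    memset(c->checked, 0, sizeof c->checked);
    library_pass(c);
    for (size_t i = 0; i < c->n; i++)
        if (!c->checked[i] && cb != NULL && cb(c, i))
            mark_checked(c, i);
    return unhandled_critical(c) == 0 ? 1 : 0;
}

/* Hypothetical application callback that knows one site-specific restriction extension. */
static bool globus_cb(const cert_t *c, size_t idx)
{
    return strcmp(c->exts[idx].name, "exampleRestriction") == 0;
}

/* Constructed sample certificate: two standard extensions plus one site-specific
 * extension whose critical bit is chosen by the caller. */
static cert_t sample_cert(bool restriction_critical)
{
    cert_t c;
    memset(&c, 0, sizeof c);
    c.exts[0] = (ext_t){ "basicConstraints", true };
    c.exts[1] = (ext_t){ "keyUsage", true };
    c.exts[2] = (ext_t){ "exampleRestriction", restriction_critical };
    c.n = 3;
    return c;
}

/* The three cases worth comparing; each returns the verify result. */
int critical_with_aware_callback(void) { cert_t c = sample_cert(true);  return verify_cert(&c, globus_cb); }
int critical_with_no_callback(void)    { cert_t c = sample_cert(true);  return verify_cert(&c, NULL); }
int noncritical_with_no_callback(void) { cert_t c = sample_cert(false); return verify_cert(&c, NULL); }

int main(void)
{
    printf("critical restriction, aware callback:  %d\n", critical_with_aware_callback());
    printf("critical restriction, no callback:     %d\n", critical_with_no_callback());
    printf("non-critical restriction, no callback: %d\n", noncritical_with_no_callback());
    return 0;
}
```

The middle case is the one the post is about: an application that installs no callback (or one that does not recognise the site-specific extension) today gets a successful verify, whereas under the proposed final sweep the unchecked critical extension makes the verify fail. The third case shows the sweep leaves non-critical unknown extensions alone, as RFC 5280 semantics require.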
