francoise lacambre wrote:
>
> Hello,
> I have a little question about "check_purpose_ssl_server"
> and "check_purpose_ssl_client".
> "check_chain_purpose" function calls "X509_check_purpose"
> for all "untrusted" certificates in the chain.
> This function calls a check_purpose function.
> In "SSL_SERVER" (or "SSL_CLIENT") case,
> "check_purpose_ssl_server" (or "check_purpose_ssl_client")
> function verifies that, if "ExtendedKeyUsage" attribute is
> set, it contains the "XKU_SSL_SERVER" or "XKU_SGC" (or
> "XKU_SSL_CLIENT") attribute bit.
> This test is meaningful on the end user certificate but not
> on the intermediate CA certificate.
> Do you agree?

In CA certificates the extended key usage extension is used (AFAIK) to restrict what kinds of end user and CA certificates can be signed by it.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
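
The chain-wide check discussed in this thread, as an added example that is not part of either message and is not OpenSSL code: it builds a constructed root, intermediate and leaf with the Python `cryptography` package and applies the "if EKU is present it must list a server OID" rule to every untrusted certificate, so an intermediate CA restricted to client authentication fails a server chain. All function names and certificate names are hypothetical, and the rule is implemented only as the thread describes it.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

# EKU OIDs accepted for the SSL-server purpose as the thread describes it:
# serverAuth (XKU_SSL_SERVER) and the Netscape / Microsoft SGC OIDs (XKU_SGC).
SERVER_EKUS = {EKU.SERVER_AUTH,
               x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
               x509.ObjectIdentifier("1.3.6.1.4.1.311.10.3.3")}

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_cn, issuer_key, is_ca, eku=None):
    """Build a constructed test certificate; issuer_key=None self-signs."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name(cn)).issuer_name(name(issuer_cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(issuer_key or key, hashes.SHA256()), key

def eku_allows_server(cert):
    """No EKU extension passes; a present EKU must list a server OID."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return any(oid in SERVER_EKUS for oid in eku)

def chain_purpose_ok(untrusted):
    """Run the purpose check on every untrusted certificate, CAs included."""
    return all(eku_allows_server(c) for c in untrusted)

def build_chain(intermediate_eku):
    """Constructed root -> intermediate -> leaf; returns [leaf, intermediate]."""
    _, root_key = make_cert("Constructed Root", "Constructed Root", None, True)
    inter, inter_key = make_cert("Constructed Intermediate", "Constructed Root",
                                 root_key, True, intermediate_eku)
    leaf, _ = make_cert("server.example", "Constructed Intermediate",
                        inter_key, False, [EKU.SERVER_AUTH])
    return [leaf, inter]
```

Calling `chain_purpose_ok(build_chain([EKU.CLIENT_AUTH]))` returns `False` even though the leaf itself carries serverAuth, which is the restricting effect of a CA-level EKU that the reply describes.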
