Repost as I didn't see this make it to the list.  Typos corrected :)

---------- Forwarded message ----------
Date: Wed, 4 Feb 2004 14:16:03 +0000 (GMT)
To: [EMAIL PROTECTED]
Subject: X509v3 extensions

I've come across an issue with extensions.  I have an S/MIME signed
message, where the signing cert has signing + encrypting Key Usage flags,
and SSL server Extended Key Usage flags.

Because there is an Ext. Key Usage flag set, but not the S/MIME one, the
cert validation procedure fails, hence the signature verification fails.

The Extended Key Usage flag is not marked as a critical extension, so in
theory it should pass OK.

There are a number of reasons for this as far as I can tell.  

Firstly, within the function x509v3_cache_extensions() in
x509v3/v3_purp.c, the last bit of code checks for all extensions, looking
for any that are critical.  Strangely it looks to me like only extensions
that are "critical and not supported" trigger the setting of the flags to
include EXFLAG_CRITICAL.  Should that 'not' be in there?

Secondly, assuming the reverse logic of the above, there is only one flag
to indicate that extensions are critical, therefore if any are critical,
then all would be treated as so.

However, the only place that criticality is checked is in x509/x509_vfy.c
function check_chain_purpose() at the top where it checks to see if
critical extensions should be ignored, but are set.

Steve: is this part of the area that you told me needed working on? :)

As for fixing... should/could the caching function have 3 separate
"critical" flags, one each for KeyUsage, ExKeyUsage and NsCertType?  These
could then be checked when a lookup is made on a specific extension.
Would reversing the logic for setting the flags break anything else?

Is anyone else already working in this area?

- DR

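Added illustration, not OpenSSL's code and not from the poster: a small Python model of the extension summary and purpose check that the post discusses, with the certificate described above (signing + encrypting Key Usage, non-critical SSL server Extended Key Usage) as constructed input. The purpose table, the `SUPPORTED` set and the `Ext` type are assumptions made for this model; the OIDs are the RFC 5280 extended key usage values.

```python
from dataclasses import dataclass

# Extended key usage OIDs from RFC 5280 section 4.2.1.12
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
# Extensions this model understands; a *critical* extension outside this set is fatal
SUPPORTED = {"keyUsage", "extendedKeyUsage", "basicConstraints", "nsCertType"}
# purpose -> (keyUsage bits that permit it, EKU OID required when an EKU is present)
PURPOSES = {
    "smime_sign": ({"digitalSignature", "nonRepudiation"}, OID_EMAIL_PROTECTION),
    "ssl_server": ({"digitalSignature", "keyEncipherment", "keyAgreement"}, OID_SERVER_AUTH),
}

@dataclass
class Ext:                 # constructed stand-in for a decoded X509v3 extension
    name: str
    critical: bool
    value: tuple = ()

def cache_extensions(exts):
    """Summarise extensions the way x509v3_cache_extensions() caches them.
    'critical_unsupported' plays the role of EXFLAG_CRITICAL: it is only set by
    critical extensions the checker does not understand (RFC 5280 section 4.2)."""
    summary = {"ku": None, "eku": None, "critical_unsupported": []}
    for e in exts:
        if e.name == "keyUsage":
            summary["ku"] = set(e.value)
        elif e.name == "extendedKeyUsage":
            summary["eku"] = set(e.value)
        elif e.critical and e.name not in SUPPORTED:
            summary["critical_unsupported"].append(e.name)
    return summary

def check_purpose(exts, purpose, ignore_critical=False):
    """Return (ok, reason) in the order check_chain_purpose() applies the rules:
    unhandled critical extensions first, then the purpose's KU / EKU constraints."""
    s = cache_extensions(exts)
    if s["critical_unsupported"] and not ignore_critical:
        return False, "unhandled critical extension: " + ", ".join(s["critical_unsupported"])
    ku_bits, eku_oid = PURPOSES[purpose]
    if s["ku"] is not None and not (s["ku"] & ku_bits):
        return False, "keyUsage does not permit " + purpose
    # A present EKU restricts the key to the listed purposes whether or not it is critical
    if s["eku"] is not None and eku_oid not in s["eku"]:
        return False, "extendedKeyUsage lacks " + eku_oid
    return True, "ok"

# Constructed certificate from the post: KU sign+encrypt, non-critical EKU = serverAuth only
POSTED_CERT = [
    Ext("keyUsage", True, ("digitalSignature", "keyEncipherment")),
    Ext("extendedKeyUsage", False, (OID_SERVER_AUTH,)),
]
```

Running `check_purpose(POSTED_CERT, "smime_sign")` reproduces the failure in the post for the EKU reason, while the same certificate passes for `"ssl_server"`; the criticality flag only decides the fate of extensions the checker does not understand.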

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]