On Thu, Aug 29, 2002 at 10:21:39AM -0400, Shaheed Bacchus wrote:
> that's the general direction i was slowly moving towards.
> i guess one question that i have is since i have to use my
> code to do the verification process anyhow, is there any
> advantage to even using the X509_verify_cert() call?

You are missing some flexibility by having more options. The OpenSSL developers team (in the person of Steve Henson :-) has spent a lot of time to build a working verification mechanism. It is not just to look up certificates and check RSA signatures. It is also about checking CA flags, purposes (a SSL CA can only issue SSL server and client certificates but not S/MIME certificates)...

The flexibility you request is the flexibility to shoot yourself into your foot. I don't know what went wrong with KDE's certificate checking (CA flags), whether they wrote their own verification routine or overrode OpenSSL's verification result. Anyway they managed to not correctly check the CA flag and opened up a vulnerability.

I don't say that OpenSSL's way is perfect. We just had our own vulnerabilities recently and we will have other vulnerabilities in the future (unless we stop writing software). I simply want to point out that a reliable certificate chain verification may be more complicated than it seems on the first glance :-)

Best regards,
        Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
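
The CA-flag point in the message above can be checked against a local OpenSSL build. This is an added example, not part of the original message and not OpenSSL's own code: it builds a constructed throwaway PKI with the `openssl` command-line tool and confirms that `openssl verify`, which calls X509_verify_cert(), rejects a certificate signed by a certificate marked CA:FALSE even though every signature in the chain is valid. The function name `ca_flag_is_enforced`, the file names and the subject names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a constructed, throwaway test PKI (all names are made up).
# ca_flag_is_enforced returns 0 when chain verification accepts root -> server
# and rejects a certificate "issued" by the CA:FALSE server certificate.
ca_flag_is_enforced() (
    d=$(mktemp -d) && cd "$d" || exit 2
    trap 'rm -rf "$d"' EXIT
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Constructed placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
    # new_csr NAME CN: fresh key pair plus certificate request
    new_csr() {
        openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
            -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    }
    # sign NAME ISSUER: issue NAME.pem from NAME.csr, always with CA:FALSE
    sign() {
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -CAcreateserial -extfile pki.cnf -extensions leaf_ext \
            -days 2 -out "$1.pem" 2>/dev/null
    }
    # Self-signed root carrying CA:TRUE (from x509_extensions above)
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 2 \
        -keyout root.key -out root.pem -subj "/CN=Constructed Root" \
        2>/dev/null || exit 2
    new_csr server "Constructed Server" && sign server root || exit 2
    new_csr bogus "Signed By Non-CA" && sign bogus server || exit 2

    # The genuine chain root -> server must verify.
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1 || exit 1
    # root -> server (CA:FALSE) -> bogus: a signature-only check would pass
    # here, so acceptance by the verifier counts as a failure of this check.
    out=$(openssl verify -CAfile root.pem -untrusted server.pem bogus.pem 2>&1) \
        && exit 1
    printf '%s\n' "$out" | grep -q "invalid CA certificate"
)

if ca_flag_is_enforced; then echo "CA flag enforced"; else echo "check FAILED"; fi
```

The same three certificates make a useful regression input for any application that wraps or overrides the library's verification result.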