On 22/09/2011 16:10, Roger No-Spam wrote:
> Hi,
> I'm trying to understand if openssl is a good base when implementing a
> system that is to be compliant with rfc 5280. Are there any
> limitations or missing parts in openssl?
Using OpenSSL, you can implement a system mostly compliant with RFC5280.
You will have to enforce some constraints by yourself, for example:
- check that the serial number of a certificate is positive and no
longer than 20 octets
- check the AVA lengths (64 for a CN, O, OU, ...)
- check that the basicConstraints extension for a CA is present and
critical, with its CA flag set
- check that the certification path of a verified certificate and the
certification path of the CRL used to check its revocation status meet
to the very same trustpoint (key)
- ... probably some others
The fact is OpenSSL is not "pure RFC5280", it's a toolkit you can use
for pretty much anything regarding PKI (X.509 and others), crypto, SSL,
... RFC5280 is a profile of X.509, i.e. X.509 with constraints.
--
Erwann ABALEA
-----
apaléostéoplasique: one who does not make old bones
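Three of the four checks listed above (positive serial number of at most 20 octets, AVA length bounds, basicConstraints present and critical with cA set) can be done on the DER of a TBSCertificate without any library. The following is an added example, not code from this thread and not OpenSSL's own ASN.1 code: a small DER encoder/decoder written for the purpose, the certificates it audits are constructed inline (stand-in key and validity, no signature), the 64-character bound for CN, O and OU is the one the reply cites (RFC 5280 Appendix A), and it goes one step beyond the post by also flagging cA=TRUE on a certificate expected to be an end-entity. The fourth check, that the certificate's chain and the CRL's chain end at the same trust anchor key, needs a path builder and is not shown.

```python
"""Added example, not from the thread and not OpenSSL code: the RFC 5280 checks the
reply lists, run over a DER TBSCertificate with only the standard library."""

# --- tiny DER encoder, used only to build the constructed sample input --------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def der_int(value):                 # INTEGER: minimal two's-complement content octets
    return der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))
def der_oid(dotted):                # OBJECT IDENTIFIER from a dotted string
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return der(0x06, body)
def seq(*items):  return der(0x30, b"".join(items))
def sett(*items): return der(0x31, b"".join(items))
def name(avas):                     # Name ::= SEQUENCE OF SET OF { OID, UTF8String }
    return seq(*(sett(seq(der_oid(oid), der(0x0C, text.encode()))) for oid, text in avas))

# --- tiny DER decoder ---------------------------------------------------------
def der_read(buf, off=0):
    """Return (tag, content, offset after the element) for the TLV at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                    # long-form length
        k, off = n & 0x7F, off + (n & 0x7F)
        n = int.from_bytes(buf[off - k:off], "big")
    return tag, buf[off:off + n], off + n
def der_children(content):          # content of a constructed element -> [(tag, content)]
    out, off = [], 0
    while off < len(content):
        tag, value, off = der_read(content, off)
        out.append((tag, value))
    return out

# --- the checks the reply says OpenSSL leaves to the caller -------------------
AVA_UB = {der_oid("2.5.4.3")[2:]: ("CN", 64), der_oid("2.5.4.10")[2:]: ("O", 64),
          der_oid("2.5.4.11")[2:]: ("OU", 64)}   # RFC 5280 Appendix A upper bounds
BC_OID = der_oid("2.5.29.19")[2:]   # id-ce-basicConstraints
def check_serial(content):          # serialNumber INTEGER content octets
    findings = []
    if content[0] & 0x80 or not any(content):
        findings.append("serial number is not positive")
    if len(content) > 20:
        findings.append("serial number longer than 20 octets")
    return findings
def check_name_lengths(name_content):
    findings = []
    for _, rdn in der_children(name_content):
        for _, ava in der_children(rdn):
            (_, oid), (_, value) = der_children(ava)
            if oid in AVA_UB:
                label, ub = AVA_UB[oid]
                n = len(value.decode("utf-8", "replace"))   # characters, not octets
                if n > ub:
                    findings.append(f"{label} value has {n} characters, upper bound is {ub}")
    return findings
def check_basic_constraints(ext_list, expect_ca):
    for _, ext in ext_list:         # Extension ::= SEQUENCE { OID, critical BOOLEAN OPTIONAL, OCTET STRING }
        parts = der_children(ext)
        if parts[0][1] != BC_OID:
            continue
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        inner = der_children(der_read(parts[-1][1])[1])     # BasicConstraints SEQUENCE
        ca = bool(inner) and inner[0] == (0x01, b"\xff")
        if not expect_ca:
            return ["end-entity certificate carries cA=TRUE"] if ca else []
        return (([] if critical else ["basicConstraints is not critical"])
                + ([] if ca else ["basicConstraints cA flag is not set"]))
    return ["basicConstraints extension absent"] if expect_ca else []

def audit(tbs_der, expect_ca=True):
    """Return the RFC 5280 profile violations found in a DER TBSCertificate."""
    fields = der_children(der_read(tbs_der)[1])
    i = 1 if fields[0][0] == 0xA0 else 0   # skip the [0] EXPLICIT version if present
    serial, issuer, subject = fields[i][1], fields[i + 2][1], fields[i + 4][1]
    ext_list = der_children(der_read(fields[-1][1])[1]) if fields[-1][0] == 0xA3 else []
    return (check_serial(serial) + check_name_lengths(issuer)
            + check_name_lengths(subject) + check_basic_constraints(ext_list, expect_ca))

# --- constructed sample certificates (stand-in key and validity, no signature) --
def sample_tbs(serial, subject, bc_critical=True, ca=True):
    ext = seq(der_oid("2.5.29.19"), der(0x01, b"\xff") if bc_critical else b"",
              der(0x04, seq(der(0x01, b"\xff") if ca else b"")))
    return seq(der(0xA0, der_int(2)), der_int(serial), seq(der_oid("1.2.840.113549.1.1.11")),
               name([("2.5.4.3", "Example Root CA"), ("2.5.4.10", "Example")]),   # issuer
               seq(der(0x17, b"240101000000Z"), der(0x17, b"340101000000Z")),    # validity
               subject, seq(seq(der_oid("1.2.840.113549.1.1.1")), der(0x03, b"\x00")),  # SPKI stand-in
               der(0xA3, seq(ext)))
GOOD_CA = sample_tbs(0x1234567890ABCDEF, name([("2.5.4.3", "Example Root CA"), ("2.5.4.10", "Example")]))
BAD_CA = sample_tbs(-5, name([("2.5.4.3", "X" * 65)]), bc_critical=False)  # three violations
```

`audit(GOOD_CA)` returns an empty list; `audit(BAD_CA)` reports the negative serial, the 65-character CN and the non-critical basicConstraints. On a real certificate you would hand `audit` the `tbsCertificate` element (the first child of the outer Certificate SEQUENCE); note that the serial check is on the INTEGER's content octets, so a 20-octet serial whose top bit is set is rejected as negative, which is the behaviour RFC 5280 asks for.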