> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bin Lu
> Sent: Monday, 31 March, 2014 16:34
>
> During SSL handshake with client cert auth, is OpenSSL checking the key
> usages, such as digital signature, non-repudiation etc., for the client cert
> passed in (to make sure it is a valid client cert)? If it is, where is the
> code that does it? I cannot find it in X509_verify_cert().
Look at crypto/x509v3/v3_purp.c. In 1.0.1c, check_purpose_ssl_client() has a couple of key-usage checks, for example:

-----
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
                                    int ca)
{
    /* Extended key usage, if present, must include id-kp-clientAuth */
    if (xku_reject(x, XKU_SSL_CLIENT))
        return 0;
    if (ca)
        return check_ssl_ca(x);
    /* We need to do digital signatures with it */
    if (ku_reject(x, KU_DIGITAL_SIGNATURE))
        return 0;
    /* nsCertType if present should allow SSL client use */
    if (ns_reject(x, NS_SSL_CLIENT))
        return 0;
    return 1;
}
-----

ku_reject tests the regular key usage, and xku_reject tests the extended key usage, if the certificate includes the appropriate extension. I haven't actually stepped through the code in question, but it appears to be what you're looking for.

--
Michael Wojcik
Technology Specialist, Micro Focus

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
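The detail worth noticing in the snippet above is the semantics of ku_reject/xku_reject: a usage is rejected only when the extension is present in the certificate and lacks the required bit or OID; a certificate carrying neither keyUsage nor extendedKeyUsage is not rejected by these checks at all. The Python below is an added example, not OpenSSL code and not from either poster: it parses the raw DER value of a keyUsage (BIT STRING, RFC 5280 bit numbering) and an extendedKeyUsage (SEQUENCE OF OID) extension and applies the same rule as check_purpose_ssl_client() for a non-CA certificate. The DER byte strings are constructed for the demonstration, not taken from any real certificate; the nsCertType (ns_reject) leg is omitted, and no special handling of anyExtendedKeyUsage is modelled.

```python
"""Model of the ku_reject()/xku_reject() logic behind check_purpose_ssl_client().

Added example (not OpenSSL source). None for an extension means "absent",
which, as in OpenSSL, imposes no restriction.
"""

# RFC 5280 KeyUsage named bits, positions 0..8 (bit 0 is the MSB of the first octet)
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


def _tlv(der, offset=0):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = der[offset]
    length = der[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def parse_key_usage(der):
    """KeyUsage ::= BIT STRING. Return the set of named bits that are set."""
    tag, value, _ = _tlv(der)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    usages = set()
    for i, name in enumerate(KU_BITS):
        byte, bit = divmod(i, 8)
        if byte >= len(bits):
            break
        if byte == len(bits) - 1 and bit >= 8 - unused:
            break  # padding bits carry no meaning
        if bits[byte] & (0x80 >> bit):
            usages.add(name)
    return usages


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    cur = 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def parse_extended_key_usage(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OID). Return dotted OIDs."""
    tag, seq, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        t, body, pos = _tlv(seq, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OID")
        oids.append(_decode_oid(body))
    return oids


def ssl_client_ok(key_usage_der=None, eku_der=None):
    """Mirror check_purpose_ssl_client() for an end-entity (non-CA) certificate."""
    # xku_reject(x, XKU_SSL_CLIENT): EKU present but without id-kp-clientAuth
    if eku_der is not None and OID_CLIENT_AUTH not in parse_extended_key_usage(eku_der):
        return False
    # ku_reject(x, KU_DIGITAL_SIGNATURE): keyUsage present but digitalSignature clear
    if key_usage_der is not None and "digitalSignature" not in parse_key_usage(key_usage_der):
        return False
    # ns_reject(x, NS_SSL_CLIENT) deliberately not modelled here
    return True


# Constructed DER extension values for the demo (assumptions, not from a real cert)
KU_DIGSIG = bytes.fromhex("03020780")       # BIT STRING, 7 unused bits: digitalSignature
KU_KEYENC_ONLY = bytes.fromhex("03020520")  # BIT STRING, 5 unused bits: keyEncipherment
EKU_CLIENT = bytes.fromhex("300a06082b06010505070302")  # SEQUENCE { id-kp-clientAuth }
EKU_SERVER = bytes.fromhex("300a06082b06010505070301")  # SEQUENCE { id-kp-serverAuth }

if __name__ == "__main__":
    print(ssl_client_ok(KU_DIGSIG, EKU_CLIENT))       # accepted
    print(ssl_client_ok(KU_KEYENC_ONLY, EKU_CLIENT))  # rejected: digitalSignature clear
    print(ssl_client_ok(KU_DIGSIG, EKU_SERVER))       # rejected: EKU lacks clientAuth
    print(ssl_client_ok())                            # accepted: no extensions, no restriction
```

The last case is the practical caveat: if you need "no keyUsage extension" to be a hard failure, that policy has to be enforced by the application (or by a verify callback), not by the purpose check shown in the quoted source.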