> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bin Lu
> Sent: Monday, 31 March, 2014 16:34
>
> During SSL handshake with client cert auth, is openssl checking the key
> usages,
> such as digital signature, non-repudiation etc, for the client cert passed in
> (to
> make sure it is a valid client cert)? If it is, where is the code that does
> it? I
> cannot find it in X509_verify_cert().
Look at crypto/x509v3/v3_purp.c. In 1.0.1c, check_purpose_ssl_client() has a
couple of key-usage checks, for example:
-----
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int
ca)
{
if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
if(ca) return check_ssl_ca(x);
/* We need to do digital signatures with it */
if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
/* nsCertType if present should allow SSL client use */
if(ns_reject(x, NS_SSL_CLIENT)) return 0;
return 1;
}
-----
ku_reject tests the regular key usage, and xku_reject tests the extended key
usage, if the certificate includes the appropriate extension.
I haven't actually stepped through the code in question, but it appears to be
what you're looking for.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
