That is what I guessed, but I could not figure out the execution path from X509_verify_cert() to this call. Actually I could not find out how ctx->param->purpose in check_chain_extensions() is set which leads to call X509_check_purpose().
By the way, shouldn't checking on 'ca' be called before xku checking in check_purpose_ssl_client()? Thanks, -binlu -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Wojcik Sent: Tuesday, April 01, 2014 6:28 AM To: openssl-users@openssl.org Subject: RE: where are key usages checked? > From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bin Lu > Sent: Monday, 31 March, 2014 16:34 > > During SSL handshake with client cert auth, is openssl checking the > key usages, such as digital signature, non-repudiation etc, for the > client cert passed in (to make sure it is a valid client cert)? If it > is, where is the code that does it? I cannot find it in X509_verify_cert(). Look at crypto/x509v3/v3_purp.c. In 1.0.1c, check_purpose_ssl_client() has a couple of key-usage checks, for example: ----- static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { if(xku_reject(x,XKU_SSL_CLIENT)) return 0; if(ca) return check_ssl_ca(x); /* We need to do digital signatures with it */ if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; /* nsCertType if present should allow SSL client use */ if(ns_reject(x, NS_SSL_CLIENT)) return 0; return 1; } ----- ku_reject tests the regular key usage, and xku_reject tests the extended key usage, if the certificate includes the appropriate extension. I haven't actually stepped through the code in question, but it appears to be what you're looking for. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
