That is what I guessed, but I could not figure out the execution path from
X509_verify_cert() to this call. Actually I could not find out how
ctx-param-purpose in check_chain_extensions() is set which leads to call
X509_check_purpose().
By the way, shouldn't checking on 'ca' be called before xku checking in
check_purpose_ssl_client()?
Thanks,
-binlu
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Michael Wojcik
Sent: Tuesday, April 01, 2014 6:28 AM
To: openssl-users@openssl.org
Subject: RE: where are key usages checked?
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Bin Lu
Sent: Monday, 31 March, 2014 16:34
During SSL handshake with client cert auth, is openssl checking the
key usages, such as digital signature, non-repudiation etc, for the
client cert passed in (to make sure it is a valid client cert)? If it
is, where is the code that does it? I cannot find it in X509_verify_cert().
Look at crypto/x509v3/v3_purp.c. In 1.0.1c, check_purpose_ssl_client() has a
couple of key-usage checks, for example:
-
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int
ca) {
if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
if(ca) return check_ssl_ca(x);
/* We need to do digital signatures with it */
if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
/* nsCertType if present should allow SSL client use */
if(ns_reject(x, NS_SSL_CLIENT)) return 0;
return 1;
}
-
ku_reject tests the regular key usage, and xku_reject tests the extended key
usage, if the certificate includes the appropriate extension.
I haven't actually stepped through the code in question, but it appears to be
what you're looking for.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org