RE: where are key usages checked?

2014-04-01 Thread Michael Wojcik
 From: owner-openssl-us...@openssl.org 
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bin Lu
 Sent: Monday, 31 March, 2014 16:34
 
 During SSL handshake with client cert auth, is openssl checking the key usages,
 such as digital signature, non-repudiation etc, for the client cert passed in (to
 make sure it is a valid client cert)? If it is, where is the code that does it? I
 cannot find it in X509_verify_cert().

Look at crypto/x509v3/v3_purp.c. In 1.0.1c, check_purpose_ssl_client() has a 
couple of key-usage checks, for example:

-
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
    if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
    if(ca) return check_ssl_ca(x);
    /* We need to do digital signatures with it */
    if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
    /* nsCertType if present should allow SSL client use */
    if(ns_reject(x, NS_SSL_CLIENT)) return 0;
    return 1;
}
-

ku_reject tests the regular key usage, and xku_reject tests the extended key 
usage, if the certificate includes the appropriate extension.

I haven't actually stepped through the code in question, but it appears to be 
what you're looking for.

-- 
Michael Wojcik
Technology Specialist, Micro Focus




__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
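As an added illustration (not part of the original message and not OpenSSL source), the following self-contained C model mirrors the leaf-certificate (ca == 0) path of the quoted function to show what "if the certificate includes the appropriate extension" means in practice: each reject test fires only when the extension is present and lacks the required bit. The struct, the `model_`/`M_` names and the bit values are assumptions made for this sketch.

```c
#include <stdio.h>

/* Model of the leaf (ca == 0) path of the check_purpose_ssl_client() quoted
 * above. Struct, names and bit values are assumptions for this sketch, not
 * OpenSSL's definitions. */
enum { HAS_KU = 1, HAS_XKU = 2, HAS_NS = 4 };   /* which extensions exist */
enum { M_KU_DIGITAL_SIGNATURE = 0x80, M_KU_KEY_ENCIPHERMENT = 0x20 };
enum { M_XKU_SSL_SERVER = 1, M_XKU_SSL_CLIENT = 2 };
enum { M_NS_SSL_CLIENT = 0x80 };

struct model_cert {
    const char *label;
    unsigned present;      /* bitmask of HAS_* flags */
    unsigned ku, xku, ns;  /* usage bits carried by each extension */
};

/* A reject test fires only if the extension is present AND lacks the bit. */
static int rejects(unsigned present, unsigned which, unsigned bits, unsigned want)
{
    return (present & which) && !(bits & want);
}

/* Returns 1 if the model accepts the cert as a TLS client leaf, else 0. */
int model_check_ssl_client(const struct model_cert *c)
{
    if (rejects(c->present, HAS_XKU, c->xku, M_XKU_SSL_CLIENT)) return 0;
    if (rejects(c->present, HAS_KU, c->ku, M_KU_DIGITAL_SIGNATURE)) return 0;
    if (rejects(c->present, HAS_NS, c->ns, M_NS_SSL_CLIENT)) return 0;
    return 1;
}

/* Constructed sample certificates (not taken from any real deployment). */
const struct model_cert samples[] = {
    { "no usage extensions at all", 0, 0, 0, 0 },
    { "KU=digitalSignature, EKU=clientAuth", HAS_KU | HAS_XKU,
      M_KU_DIGITAL_SIGNATURE, M_XKU_SSL_CLIENT, 0 },
    { "KU=keyEncipherment only", HAS_KU, M_KU_KEY_ENCIPHERMENT, 0, 0 },
    { "EKU=serverAuth only", HAS_XKU, 0, M_XKU_SSL_SERVER, 0 },
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-38s -> %s\n", samples[i].label,
               model_check_ssl_client(&samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The first sample is the case to notice: a certificate that carries none of the three extensions passes every test in this model, so a policy that requires the usage to be asserted explicitly needs a separate presence check.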


RE: where are key usages checked?

2014-04-01 Thread Bin Lu
That is what I guessed, but I could not figure out the execution path from 
X509_verify_cert() to this call. Actually I could not find out how 
ctx->param->purpose in check_chain_extensions() is set which leads to call 
X509_check_purpose().

By the way, shouldn't checking on 'ca' be called before xku checking in 
check_purpose_ssl_client()?

Thanks,
-binlu

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Michael Wojcik
Sent: Tuesday, April 01, 2014 6:28 AM
To: openssl-users@openssl.org
Subject: RE: where are key usages checked?
