Re: [openssl-users] Fwd: basic constraints check

2018-05-31 Thread Sandeep Deshpande
1.0.2j

On Fri, Jun 1, 2018, 3:52 AM Viktor Dukhovni wrote:

>
>
> > On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote:
> >
> > Hi Rich, thanks.
> > We want to add a check in our openssl library on the client side to reject
> > such server certificates that are generated by the intermediate CA with
> > missing extensions like basic constraints.
> > How do we go about it?
> >
> > I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is
> > there. But it is getting called only for the server certificate.
>
> Are you using OpenSSL 1.1.0 or OpenSSL 1.0.2?
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] Fwd: basic constraints check

2018-05-31 Thread Viktor Dukhovni



> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote:
> 
> We want to add a check in our openssl library on the client side to reject such 
> server certificates that are generated by the intermediate CA with missing 
> extensions like basic constraints.
> How do we go about it?
> 
> I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is 
> there. But it is getting called only for the server certificate.

In OpenSSL 1.0.2 CA certificates found in the trust store
are not checked.  This is fixed in 1.1.0.

You can always implement a verify callback to apply additional
constraints.

-- 
Viktor.



Re: [openssl-users] Fwd: basic constraints check

2018-05-31 Thread Salz, Rich via openssl-users
I don’t recall the details of 1.0.2, sorry.  Maybe someone else on this list 
knows the best place to insert your checks.

From: Sandeep Deshpande 
Date: Thursday, May 31, 2018 at 6:08 PM
To: Rich Salz, openssl-users
Subject: Re: [openssl-users] Fwd: basic constraints check

Hi Rich, thanks.
We want to add a check in our openssl library on the client side to reject such 
server certificates that are generated by the intermediate CA with missing 
extensions like basic constraints.
How do we go about it?

I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is there. 
But it is getting called only for the server certificate.


Thanks
Sandeep

On Thu, May 31, 2018, 11:39 PM Salz, Rich via openssl-users <openssl-users@openssl.org> wrote:

  * We generated intermediate02 such that it has the "basicConstraints" extension 
    and "keyUsage" missing. Now we used this intermediate02 CA to sign the server 
    certificate.

If those extensions, which are *optional,* are not present, then there is no 
limit on how the keys may be used, or how long the cert chain may be.  OpenSSL 
is doing the right thing.

If you want to add them, and you cannot upgrade, then read about the openssl 
config file syntax.  Good luck.


Re: [openssl-users] Fwd: basic constraints check

2018-05-31 Thread Viktor Dukhovni



> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote:
> 
> Hi Rich, thanks.
> We want to add a check in our openssl library on the client side to reject such 
> server certificates that are generated by the intermediate CA with missing 
> extensions like basic constraints.
> How do we go about it?
> 
> I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is 
> there. But it is getting called only for the server certificate.

Are you using OpenSSL 1.1.0 or OpenSSL 1.0.2?

-- 
Viktor.



Re: [openssl-users] Fwd: basic constraints check

2018-05-31 Thread Sandeep Deshpande
Hi Rich, thanks.
We want to add a check in our openssl library on the client side to reject such
server certificates that are generated by the intermediate CA with missing
extensions like basic constraints.
How do we go about it?

I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is
there. But it is getting called only for the server certificate.


Thanks
Sandeep

On Thu, May 31, 2018, 11:39 PM Salz, Rich via openssl-users <openssl-users@openssl.org> wrote:

>
>   * We generated intermediate02 such that it has the "basicConstraints"
>     extension and "keyUsage" missing. Now we used this intermediate02 CA to
>     sign the server certificate.
>
> If those extensions, which are *optional,* are not present, then there
> is no limit on how the keys may be used, or how long the cert chain may
> be.  OpenSSL is doing the right thing.
>
> If you want to add them, and you cannot upgrade, then read about the
> openssl config file syntax.  Good luck.


Re: [openssl-users] Fwd: basic constraints check

2018-05-31 Thread Salz, Rich via openssl-users
  * We generated intermediate02 such that it has the "basicConstraints" extension 
    and "keyUsage" missing. Now we used this intermediate02 CA to sign the server 
    certificate.

If those extensions, which are *optional,* are not present, then there is no 
limit on how the keys may be used, or how long the cert chain may be.  OpenSSL 
is doing the right thing.

If you want to add them, and you cannot upgrade, then read about the openssl 
config file syntax.  Good luck.