Joe Orton wrote:

> Are you trying to match against the contents of the (single) extKeyUsage 
> extension?  That isn't how PeerExtList works, or at least, was written 
> and documented to work, AFAICT: PeerExtList will return a list of the 
> value of each extension in the cert with the given OID.
> 
> Does that make sense?  This is just from reading the trunk code/docs, I 
> may be missing something.
> 
> To solve your problem: parsing the string which OpenSSL spits out as a 
> representation of the extKeyUsage list would sound a bit hacky.  I guess 
> I'd recommend doing it as a set of custom variables:
> 
>    SSL_{CLIENT,SERVER}_EXT_KEYUSAGE_{CLIENT_AUTH,EMAIL_PROTECTION,...}
> 
> which evaluate to 0 or 1 depending on whether the indicated usage is 
> present in the extKeyUsage extension.  Would something like that work?

The problem I'm trying to solve is that we'll be issuing certs with our
own extKeyUsage values, and I would imagine they would be inventing
values with custom oids for various purposes, so something generic would
be needed, as opposed to fixed "well known" oids.

One of the key things I was struggling with was trying to understand how
it currently was supposed to work, so I didn't hack it in the wrong
direction.

From what I can see, we have a set of oid values (in this case
extKeyUsage, which contains just one value: "A,B,C") associated with a
key, which can in turn contain a set of values (which in this case
contains "A", "B" and "C").

Looking further at the expression syntax of SSLRequire, it looks like
this might do the trick:

  SSLRequire "1.3.6.1.5.5.7.3.4" in { PeerExtList("2.5.29.37") }

Let me dig and see if it works.

Regards,
Graham
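To make the structure Joe describes concrete: the extKeyUsage extension (OID 2.5.29.37) is a single extension whose value is a DER SEQUENCE OF OBJECT IDENTIFIER, so "the value of the extension" is one blob that itself holds several purpose OIDs. The following is an added example, not code from mod_ssl or from anyone in this thread: a small DER decoder for that one extension, which returns the purpose OIDs as a list so that a generic dotted OID (including a private-arc one) can be tested for membership directly rather than by parsing OpenSSL's printable rendering. The sample extension bytes and the private OID 1.3.6.1.4.1.99999.1 are constructed for illustration.

```python
"""Decode an X.509 extKeyUsage extension value and test for a purpose OID.

Added example, not mod_ssl code. The DER bytes in SAMPLE_EKU are
constructed by hand; 1.3.6.1.4.1.99999.1 is a hypothetical private OID.
"""

EXT_KEY_USAGE_OID = "2.5.29.37"  # id-ce-extKeyUsage, the OID passed to PeerExtList


def _read_length(data, pos):
    """Decode a DER length field at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form: length fits in 7 bits
        return first, pos
    num_bytes = first & 0x7F              # long form: number of length octets
    if num_bytes == 0 or num_bytes > 4:
        raise ValueError("unsupported DER length encoding")
    length = int.from_bytes(data[pos:pos + num_bytes], "big")
    return length, pos + num_bytes


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not content:
        raise ValueError("empty OID")
    arcs = []
    value = 0
    for byte in content:                  # base-128 arcs, high bit set = continue
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80 == 0:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    first = arcs[0]                       # first two arcs are packed into one number
    if first < 40:
        arcs = [0, first] + arcs[1:]
    elif first < 80:
        arcs = [1, first - 40] + arcs[1:]
    else:
        arcs = [2, first - 80] + arcs[1:]
    return ".".join(str(a) for a in arcs)


def parse_ext_key_usage(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId.

    Returns the purpose OIDs in the order they appear in the extension.
    """
    if not der or der[0] != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data length")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oid_len, pos = _read_length(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    if not oids:
        raise ValueError("extKeyUsage must list at least one purpose")
    return oids


def has_key_purpose(der, purpose_oid):
    """True if purpose_oid (dotted string) is one of the listed KeyPurposeIds."""
    return purpose_oid in parse_ext_key_usage(der)


# Constructed sample extension value: serverAuth, clientAuth,
# emailProtection (1.3.6.1.5.5.7.3.4) and a hypothetical private OID.
SAMPLE_EKU = bytes.fromhex(
    "3029"
    "06082B06010505070301"          # 1.3.6.1.5.5.7.3.1 serverAuth
    "06082B06010505070302"          # 1.3.6.1.5.5.7.3.2 clientAuth
    "06082B06010505070304"          # 1.3.6.1.5.5.7.3.4 emailProtection
    "06092B06010401868D1F01"        # 1.3.6.1.4.1.99999.1 (constructed)
)

if __name__ == "__main__":
    print(parse_ext_key_usage(SAMPLE_EKU))
    print(has_key_purpose(SAMPLE_EKU, "1.3.6.1.5.5.7.3.4"))
```

The decoder deliberately refuses anything that is not a SEQUENCE of OIDs and anything whose inner lengths disagree with the outer length, so a malformed extension fails closed instead of silently matching nothing. Running it prints the four decoded OIDs followed by True for the emailProtection check.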