On Thu, Nov 20, 2003, Dave Roberts wrote:
> Had an issue recently with a self-signed certificate that contained
> keyUsage extensions marked as critical. A number of KU flags were set,
> but the keyCertSign flag was not.
>
> Attempting to connect to an SSL server secured using this certificate fails
> as the OpenSSL verification routines throw it out. The same applies if an
> S/MIME message comes in signed with said certificate. In
> crypto/x509v3/v3_purp.c, there is the function X509_check_issued() around
> line 586 (OpenSSL 0.9.7c). The last check made in there is:-
>
>     if(ku_reject(issuer, KU_KEY_CERT_SIGN))
>         return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
>
> A similar check is made for the SSL connection.
>
> So OpenSSL's opinion seems to be that if there are keyUsage extensions,
> but the keyCertSign flag is not set, then the certificate cannot be used
> for signing certificates, including itself.
>
I've actually seen certificate chains that require this distinction. One
example looks like this...

Cert1 has keyUsage keyCertSign set. Its issuer and subject names are
identical.

Cert2 includes keyUsage and does *not* have keyCertSign set. Its issuer and
subject names are identical *and* identical to Cert1. The two certificates
have different keys.

That test is needed to correctly verify the chain as Cert1->Cert2.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
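The issuer-selection logic the thread is about, as an added example that is not code from the thread or from OpenSSL: a Python model of the tests X509_check_issued() applies (name match, authority key identifier, then keyCertSign) run over constructed certificate records. The `Cert` dataclass, the names `ku_reject`, `check_issued`, `find_issuer`, `build_chain`, the key identifiers `K1`/`K2`/`K3` and the names `CN=Example Root` and `CN=server.example.test` are all assumptions made for the example; a key identifier stands in for real signature verification. It shows why Steve's chain (same names, different keys) only resolves to Cert1 when Cert2 is rejected as an issuer, and why the self-signed certificate from the original report fails with X509_V_ERR_KEYUSAGE_NO_CERTSIGN.

```python
"""Python model of the issuer check discussed in the thread.

Added example, not code from the thread or from OpenSSL. `Cert` is a
constructed stand-in for an X.509 certificate: names are plain strings,
`key_id` identifies the public key, and `signed_by_key` names the key that
produced the signature, so `signature_ok()` stands in for real signature
verification. The function names (ku_reject, check_issued, find_issuer,
build_chain) are assumptions chosen to mirror the OpenSSL routines.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# keyUsage bit names (RFC 5280, section 4.2.1.3)
KU_DIGITAL_SIGNATURE = "digitalSignature"
KU_KEY_ENCIPHERMENT = "keyEncipherment"
KU_KEY_CERT_SIGN = "keyCertSign"
KU_CRL_SIGN = "cRLSign"


@dataclass(frozen=True)
class Cert:
    label: str
    subject: str
    issuer: str
    key_id: str                                  # identifies this cert's public key
    signed_by_key: str                           # key that signed this cert (stand-in for the signature)
    key_usage: Optional[FrozenSet[str]] = None   # None means the extension is absent
    authority_key_id: Optional[str] = None       # None means no AKID extension


def ku_reject(cert: Cert, flag: str) -> bool:
    """Mirror of OpenSSL's ku_reject(): reject only if the keyUsage extension
    is present and does not carry `flag`. A certificate without a keyUsage
    extension is never rejected by this test."""
    return cert.key_usage is not None and flag not in cert.key_usage


def check_issued(issuer: Cert, subject: Cert, enforce_key_usage: bool = True) -> Optional[str]:
    """Return None if `issuer` may have issued `subject`, otherwise the name of
    the verification error, in the order X509_check_issued() applies the tests:
    name match, authority key identifier, then keyCertSign."""
    if issuer.subject != subject.issuer:
        return "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
    if subject.authority_key_id is not None and subject.authority_key_id != issuer.key_id:
        return "X509_V_ERR_AKID_SKID_MISMATCH"
    if enforce_key_usage and ku_reject(issuer, KU_KEY_CERT_SIGN):
        return "X509_V_ERR_KEYUSAGE_NO_CERTSIGN"
    return None


def signature_ok(issuer: Cert, subject: Cert) -> bool:
    """Stand-in for verifying subject's signature with issuer's public key."""
    return issuer.key_id == subject.signed_by_key


def find_issuer(subject: Cert, store: List[Cert], enforce_key_usage: bool = True) -> Optional[Cert]:
    """First store entry that passes check_issued(); None if there is none."""
    for candidate in store:
        if check_issued(candidate, subject, enforce_key_usage) is None:
            return candidate
    return None


def build_chain(leaf: Cert, store: List[Cert], enforce_key_usage: bool = True,
                max_depth: int = 8) -> List[Cert]:
    """Walk from `leaf` to a self-signed certificate, checking each signature."""
    chain = [leaf]
    while len(chain) <= max_depth:
        current = chain[-1]
        issuer = find_issuer(current, store, enforce_key_usage)
        if issuer is None:
            raise ValueError(f"no issuer found for {current.label}")
        if not signature_ok(issuer, current):
            raise ValueError(f"signature on {current.label} does not verify with key of {issuer.label}")
        if issuer is current:            # reached a self-signed certificate
            return chain
        chain.append(issuer)
    raise ValueError("chain too long")


# Constructed certificates modelling the chain Steve describes: same names,
# different keys, only Cert1 carries keyCertSign. Cert2 is signed by Cert1's key.
ROOT_NAME = "CN=Example Root"    # constructed name
CERT1 = Cert("Cert1", ROOT_NAME, ROOT_NAME, key_id="K1", signed_by_key="K1",
             key_usage=frozenset({KU_KEY_CERT_SIGN, KU_CRL_SIGN}))
CERT2 = Cert("Cert2", ROOT_NAME, ROOT_NAME, key_id="K2", signed_by_key="K1",
             key_usage=frozenset({KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT}))
STORE = [CERT2, CERT1]           # Cert2 listed first, so a name-only lookup hits it first

# The case from the original report: a self-signed certificate whose keyUsage
# omits keyCertSign. It is its own only possible issuer and fails the test.
SELF_SIGNED_NO_CERTSIGN = Cert("PosterCert", "CN=server.example.test", "CN=server.example.test",
                               key_id="K3", signed_by_key="K3",
                               key_usage=frozenset({KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT}))

if __name__ == "__main__":
    print([c.label for c in build_chain(CERT2, STORE)])
    try:
        build_chain(CERT2, STORE, enforce_key_usage=False)
    except ValueError as err:
        print("without the keyCertSign test:", err)
    print(check_issued(SELF_SIGNED_NO_CERTSIGN, SELF_SIGNED_NO_CERTSIGN))
```

With the keyCertSign test in place the lookup for Cert2's issuer skips Cert2 itself and lands on Cert1, whose key verifies the signature. With the test disabled, the name-only lookup picks Cert2 as its own issuer and the signature check fails, because the two certificates have different keys. The poster's certificate is rejected for the same reason: it is the only candidate issuer for itself, and its keyUsage extension lacks keyCertSign.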
