> 
> I've come across an issue with extensions.  I have a S/MIME signed
> message, where the signing cert has signing + encrypting Key Usage flags,
> and SSL server Extended Key Usage flags.

> 
> Because there are Ext. Key Usage flags set, but not the S/MIME one, the
> cert validation procedure fails, hence the signature verification fails.
> 
> The Extended Key Usage flag is not marked as a critical extension, so in
> theory it should pass OK.
> 
> There are a number of reasons for this as far as I can tell.  
> 
> Firstly, within the function x509v3_cache_extensions() in
> x509v3/v3_purp.c, the last bit of code checks all extensions, looking
> for any that are critical.  Strangely, it looks to me like only extensions
> that are "critical and not supported" trigger the setting of the flags to
> include EXFLAG_CRITICAL.  Should that 'not' be in there?

In X509 and RFC3280 "Critical" means that if you don't know how to handle an
extension, you can ignore it. If you know how to handle it, you treat it
independently of critical or not.

There was a defect report in X509 to have this interpretation changed;
in older versions of X509 and PKIX there was indeed a three-state logic.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

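As an added illustration of the case discussed in this thread (not code from OpenSSL or from either poster), the script below builds the Extensions block of a certificate shaped like the one described: keyUsage with digitalSignature and keyEncipherment, plus a non-critical extKeyUsage carrying only serverAuth. It then applies the RFC 3280 rule that a recognized extension is enforced whether or not it is marked critical, while an unrecognized one is fatal only when critical, and shows why such a certificate is rejected for S/MIME signing regardless of the EKU's criticality. The tiny DER encoder/decoder, the purpose check and the sample extension values are all constructed here for the example; the OIDs and bit positions are the real ones from RFC 3280.

```python
"""Added example: minimal DER handling for the X.509 Extensions SEQUENCE,
plus an S/MIME-signing purpose check that follows RFC 3280 criticality rules.
Not OpenSSL code; the encoder/decoder is a toy written for this example."""

# Real OIDs (RFC 3280 sections 4.2.1.3 and 4.2.1.13)
KEY_USAGE = "2.5.29.15"
EXT_KEY_USAGE = "2.5.29.37"
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# KeyUsage bit names in bit order; bit 0 is the most significant bit.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

# ---------------- DER encoding (toy, enough for this example) ----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def key_usage_der(names):
    """KeyUsage BIT STRING with DER-minimal length and unused-bit count."""
    used = max(KU_BITS.index(n) for n in names) + 1
    nbytes = (used + 7) // 8
    val = 0
    for n in names:
        val |= 1 << (nbytes * 8 - 1 - KU_BITS.index(n))
    return tlv(0x03, bytes([nbytes * 8 - used]) + val.to_bytes(nbytes, "big"))

def eku_der(oids):
    return tlv(0x30, b"".join(encode_oid(o) for o in oids))

def extension_der(oid, value, critical=False):
    body = encode_oid(oid)
    if critical:                      # DEFAULT FALSE: DER omits the BOOLEAN when false
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def build_extensions(ext_list):
    """[(oid, extnValue contents, critical)] -> DER Extensions SEQUENCE."""
    return tlv(0x30, b"".join(extension_der(o, v, c) for o, v, c in ext_list))

# ---------------- DER decoding ----------------
def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """DER Extensions -> [(oid, critical, extnValue contents)]."""
    _, seq, _ = read_tlv(der, 0)
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        t, body, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                      # optional BOOLEAN critical
            critical = body != b"\x00"
            _, body, p = read_tlv(ext, p)
        exts.append((decode_oid(oid_body), critical, body))
    return exts

def parse_key_usage(value):
    _, body, _ = read_tlv(value, 0)
    bits, total = int.from_bytes(body[1:], "big"), 8 * (len(body) - 1)
    return {n for i, n in enumerate(KU_BITS) if i < total and (bits >> (total - 1 - i)) & 1}

def parse_eku(value):
    _, seq, _ = read_tlv(value, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, body, pos = read_tlv(seq, pos)
        oids.append(decode_oid(body))
    return oids

# ---------------- The purpose check ----------------
RECOGNIZED = {KEY_USAGE, EXT_KEY_USAGE}

def check_smime_signing(exts):
    """RFC 3280 rule: recognized extensions are binding whether critical or
    not; an unrecognized extension is fatal only if critical. -> (ok, reason)"""
    for oid, critical, value in exts:
        if oid not in RECOGNIZED:
            if critical:
                return False, "unrecognized critical extension %s" % oid
            continue                                  # unknown, non-critical: ignore
        if oid == KEY_USAGE:
            if "digitalSignature" not in parse_key_usage(value):
                return False, "keyUsage lacks digitalSignature"
        elif oid == EXT_KEY_USAGE:
            eku = parse_eku(value)
            if EMAIL_PROTECTION not in eku and ANY_EKU not in eku:
                # Criticality is irrelevant: the EKU is understood, so its list binds.
                return False, "extKeyUsage (critical=%s) lacks emailProtection: %s" % (critical, eku)
    return True, "usable for S/MIME signing"

# Constructed sample matching the cert described in the post
POSTER_CERT_EXTS = build_extensions([
    (KEY_USAGE, key_usage_der(["digitalSignature", "keyEncipherment"]), False),
    (EXT_KEY_USAGE, eku_der([SERVER_AUTH]), False),
])

if __name__ == "__main__":
    for oid, crit, val in parse_extensions(POSTER_CERT_EXTS):
        print(oid, "critical" if crit else "non-critical")
    print(check_smime_signing(parse_extensions(POSTER_CERT_EXTS)))
```

Run it and the serverAuth-only certificate is reported unusable for S/MIME signing even though its EKU is non-critical; adding emailProtection (or anyExtendedKeyUsage) to the EKU makes it pass, and an unknown extension only causes rejection when it is marked critical.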