In message <[EMAIL PROTECTED]> on Fri, 6 Feb 2004 10:32:45 +0000 (GMT), Dave Roberts <[EMAIL PROTECTED]> said:
dave.roberts> I've come across an issue with extensions. I have a dave.roberts> S/MIME signed message, where the signing cert has dave.roberts> signing + encrypting Key Usage flags, and SSL server dave.roberts> Extended Key Usage flags. dave.roberts> dave.roberts> Because there is a Ext. Key Usage flags set, but not the dave.roberts> S/MIME one then the cert validation procedure fails, dave.roberts> hence the signature verification fails. dave.roberts> dave.roberts> The Extended Key Usage flag is not marked as a critical dave.roberts> extension, so in theory it should pass OK. This is a fairly common misunderstanding. IF an extension is understood and supported by the application or library, it MUST be processed regardless of the critical flag. IF an extension is NOT understood and supported by the application or library, it can be ignored ONLY IF the critical flag is not set, otherwise the verification path is invalidated. dave.roberts> There are a number of reasons for this as far as I can dave.roberts> tell. dave.roberts> dave.roberts> Firstly, within the function x509v3_cache_extensions() dave.roberts> in x509v3/v3_purp.c, the last bit of code checks for all dave.roberts> extensions, looking for any that are critical. dave.roberts> Strangely it looks to me like only extensions that are dave.roberts> "critical and not supported" triggers the setting of the dave.roberts> flags to include EXFLAG_CRITICAL. Should that 'not' be dave.roberts> in there? No. EXFLAG_CRITICAL means it has found a critical extension that is not supported by OpenSSL, and that the verification should therefore fail. dave.roberts> Secondly, assuming the reverse logic of the above, there dave.roberts> is only one flag to indicate that extensions are dave.roberts> critical, therefore if any are critical, then all would dave.roberts> be treated as so. You need only one flag to say that an unsupported critical extension has been found :-). ----- Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See <http://www.stacken.kth.se/~levitte/mail/> for more info. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
