On Sun, 8 Feb 2004, Richard Levitte - VMS Whacker wrote:

> dave.roberts> The Extended Key Usage flag is not marked as a critical
> dave.roberts> extension, so in theory it should pass OK.
>
> This is a fairly common misunderstanding. IF an extension is
> understood and supported by the application or library, it MUST be
> processed regardless of the critical flag. IF an extension is NOT
> understood and supported by the application or library, it can be
> ignored ONLY IF the critical flag is not set, otherwise the
> verification path is invalidated.

I guess I should have double checked the RFC. Thanks for the correction. I suppose there's a little confusion as RFC 3280, Section 4.2 only talks about extensions not recognised :-) ... but the confusion was mine.

> dave.roberts> Firstly, within the function x509v3_cache_extensions()
> dave.roberts> in x509v3/v3_purp.c, the last bit of code checks for all
> dave.roberts> extensions, looking for any that are critical.
> dave.roberts> Strangely it looks to me like only extensions that are
> dave.roberts> "critical and not supported" trigger the setting of the
> dave.roberts> flags to include EXFLAG_CRITICAL. Should that 'not' be
> dave.roberts> in there?
>
> No. EXFLAG_CRITICAL means it has found a critical extension that is
> not supported by OpenSSL, and that the verification should therefore
> fail.

That makes much more sense with what I'm seeing.

- DR
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
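To make the rule from the thread concrete, the following stand-alone model mirrors the decision the thread attributes to x509v3_cache_extensions(): understood extensions are processed whatever their critical bit, and only an unknown extension that is marked critical sets the flag that fails verification. It is an added example, not OpenSSL's code; the supported-OID list, the flag value and the private OID 1.3.6.1.4.1.99999.1 are assumptions constructed for it.

```c
#include <string.h>
/* Flag value chosen for this model; OpenSSL's own EXFLAG_CRITICAL is defined in its headers. */
#define EXFLAG_CRITICAL 0x1u
struct ext { const char *oid; int critical; };

/* Constructed set of extensions this model "understands" (an assumption, not OpenSSL's list). */
static const char *const supported_oids[] = {
    "2.5.29.15", /* keyUsage */
    "2.5.29.19", /* basicConstraints */
    "2.5.29.37", /* extKeyUsage */
};

static int is_supported(const char *oid)
{
    for (size_t i = 0; i < sizeof supported_oids / sizeof supported_oids[0]; i++)
        if (strcmp(oid, supported_oids[i]) == 0)
            return 1;
    return 0;
}

/* The rule Levitte states: an understood extension is processed whether or not it is
 * critical; an unknown one may be ignored only if non-critical, otherwise flag the cert. */
unsigned cache_extensions(const struct ext *exts, size_t n)
{
    unsigned flags = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_supported(exts[i].oid))
            continue;                 /* understood: processed regardless of the critical bit */
        if (exts[i].critical)
            flags |= EXFLAG_CRITICAL; /* unknown AND critical: verification must fail */
        /* unknown and non-critical: silently ignored, as RFC 3280 permits */
    }
    return flags;
}

int path_acceptable(unsigned flags) { return (flags & EXFLAG_CRITICAL) == 0; }

/* Four constructed extension lists; 1.3.6.1.4.1.99999.1 stands in for a private OID. */
int eku_noncritical_ok(void)   /* the poster's case: EKU present, not critical -> accepted */
{ return path_acceptable(cache_extensions((struct ext[]){ {"2.5.29.19", 1}, {"2.5.29.37", 0} }, 2)); }
int eku_critical_ok(void)      /* EKU marked critical is still fine: it is understood */
{ return path_acceptable(cache_extensions((struct ext[]){ {"2.5.29.19", 1}, {"2.5.29.37", 1} }, 2)); }
int unknown_critical_ok(void)  /* unknown OID marked critical: rejected */
{ return path_acceptable(cache_extensions((struct ext[]){ {"2.5.29.19", 1}, {"1.3.6.1.4.1.99999.1", 1} }, 2)); }
int unknown_noncritical_ok(void) /* same unknown OID, not critical: ignored, accepted */
{ return path_acceptable(cache_extensions((struct ext[]){ {"1.3.6.1.4.1.99999.1", 0} }, 1)); }
```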