[EMAIL PROTECTED] - Thu Mar 11 18:00:08 2004]:

> Hi Steve,
> 
> thanks for the followup.
> 
> On Thu, 11 Mar 2004 14:33:55 +0100 (MET), "Stephen Henson via RT" writes:
> >The flag X509_V_FLAG_CB_ISSUER_CHECK is not set by default and those
> >"error" conditions are not sent to the verify callback because they need
> >special handling.
> 
> And in the case where the purpose of the call was to see if x was
> self-signed (and it wasn't) there really isn't an "error" for the
> callback to be bothered with.  So even if X509_V_FLAG_CB_ISSUER_CHECK
> is set, the callback should not be called - for the specific case of a
> call to check_issued with x == issuer, nor should an error be recorded.
> 

Hence my use of the inverted commas round "error". There are some cases
which might be errors and others which aren't.

For example keyUsage asserted and keyCertSign not set. There are several
possible ways this might be interpreted. 

It might not be an error condition because it will later see a 
certificate with keyCertSign set.

It might be an error because the real certificate can't be looked up
(not installed or not available).

It might be an error because the certificate has the extension
incorrectly set.

Even in the case of issuer name and subject name not matching this case
is not clear cut. There is more than one interpretation of "matching" and
an application callback might decide after analysing the DNs that they
do "match" under its interpretation. 

> >This could be a problem if an application wrongly sets the flag and has
> >a verify callback that returns non-zero for such codes. However that's
> >application error: 
> 
> Yes, but it's only an error that the application is not compensating
> for an error in the library.  The library should be calling the
> callback for real "errors" only.
> 

It sometimes does indicate real errors.

> >The reasoning behind that flag is that an application can use it for
> >debugging or special handling purposes. But it isn't handled the same
> 
> Hmmm ok, the comment I read suggested its use was as a double check
> that the "issuer" found was indeed the correct one.  But that does not
> imply that the app should expect its callback to be called for every
> cert - because it wasn't self-signed.
> 

The double checks always occur; it's just that when that flag is set the
callback receives notification of them.

Issuer checks can get called in other circumstances too, not just the
self-signed check, but those don't occur often in practice.

Steve.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]