> Since then CA checks have been made mandatory in the code even if "Any
> Purpose" is set. So if you actually tried to use that certificate as a CA it
> would be rejected.

If that is so, then how can the following happen (with a recent openssl-dev):

% openssl version -a
OpenSSL 0.9.9-dev XX xxx XXXX
built on: Wed Jun 29 12:31:27 CEST 2005
platform: BSD-x86-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl"

% openssl x509 -in [EMAIL PROTECTED] -noout -text -purpose
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c0:ed:2a:bc:67:03:2a:69:c3:46:23:49:dd:a8:c3:a0
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XY, O=BTG Development CA (3), OU=Basic CA, CN=David Deer/[EMAIL PROTECTED]
        Validity
            Not Before: Jul  5 11:05:50 2005 GMT
            Not After : Jul  7 11:05:50 2005 GMT
        Subject: C=XY, O=BTG Development CA (3), OU=Basic CA, CN=Martin Kraemer/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:...:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
            X509v3 Authority Key Identifier:
                keyid:23:B4:0C:4C:FA:26:E3:76:3B:02:7F:DC:CC:8D:24:D7:48:8C:95:E7
                DirName:/C=XY/O=BTG Development CA (3)/CN=David Deer/[EMAIL PROTECTED]
                serial:C4:A5:4C:5D:BB:C3:89:C7:F8:8B:94:49:D8:C1:E2:0C
            X509v3 Subject Alternative Name:
                email:[EMAIL PROTECTED]
            X509v3 Issuer Alternative Name:
                email:[EMAIL PROTECTED]
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 CRL Distribution Points:
                URI:http://ca.example.com/ca/3/basic_C4A54C5DBBC389C7F88B9449D8C1E20C.crl
            Netscape CA Revocation Url:
                http://ca.example.com/ca/3/basic_C4A54C5DBBC389C7F88B9449D8C1E20C.crl
            Netscape Comment:
                created by BaDCA
            1.3.6.1.4.1.18060.101.1:
                committer
    Signature Algorithm: sha1WithRSAEncryption
        37:...:9a
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

% openssl ca -config openssl.cnf -cert [EMAIL PROTECTED] -keyfile [EMAIL PROTECTED] -verbose -in [EMAIL PROTECTED]
Using configuration from openssl.cnf
Enter pass phrase for [EMAIL PROTECTED]:
...
9 entries loaded from the database
generating index
message digest is md5
policy is policy_match
next serial number is 0123456789ABCDEF0123456789ABCDF5
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=Martin Kraemer/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:...:29
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        53:...:60
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Successfully added extensions from config
Certificate Details:
        Serial Number:
            01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:f5
        Validity
            Not Before: Jul  5 15:33:22 2005 GMT
            Not After : Jul  5 15:33:22 2006 GMT
        Subject:
            commonName                = Martin Kraemer
            emailAddress              = [EMAIL PROTECTED]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
            X509v3 Authority Key Identifier:
                keyid:C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
                DirName:/C=XY/O=BTG Development CA (3)/OU=Basic CA/CN=David Deer/[EMAIL PROTECTED]
                serial:C0:ED:2A:BC:67:03:2A:69:C3:46:23:49:DD:A8:C3:A0
Certificate is to be certified until Jul  5 15:33:22 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing ./demoCA/newcerts/0123456789ABCDEF0123456789ABCDF5.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:f5
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XY, O=BTG Development CA (3), OU=Basic CA, CN=Martin Kraemer/[EMAIL PROTECTED]
        Validity
            Not Before: Jul  5 15:33:22 2005 GMT
            Not After : Jul  5 15:33:22 2006 GMT
        Subject: CN=Martin Kraemer/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:...:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
            X509v3 Authority Key Identifier:
                keyid:C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
                DirName:/C=XY/O=BTG Development CA (3)/OU=Basic CA/CN=David Deer/[EMAIL PROTECTED]
                serial:C0:ED:2A:BC:67:03:2A:69:C3:46:23:49:DD:A8:C3:A0
    Signature Algorithm: md5WithRSAEncryption
        12:...:aa
Data Base Updated

It should have rejected the client/server cert for CA use, no?

   Martin
--
<[EMAIL PROTECTED]>                          | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
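A pre-flight check a CA operator can run on a candidate signing certificate before handing it to `openssl ca -cert`, written as an added example for this thread (it is not OpenSSL code and not part of the original message). It parses the `openssl x509 -noout -text -purpose` dump and refuses anything without basicConstraints CA:TRUE and, where keyUsage is present, without Certificate Sign; the sample dumps are constructed from the extension lines quoted above.

```python
import re

# Constructed sample: the extension lines from the `openssl x509 -noout -text
# -purpose` dump of the end-entity certificate quoted in the message above.
EE_DUMP = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
Certificate purposes:
Any Purpose CA : Yes
"""

# Constructed sample of the extensions a genuine issuing certificate carries.
CA_DUMP = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""

def basic_constraints_ca(dump):
    """CA bit of basicConstraints as a bool, or None if the extension is absent."""
    m = re.search(r"X509v3 Basic Constraints:[^\n]*\n\s*CA:(TRUE|FALSE)", dump)
    return None if m is None else m.group(1) == "TRUE"

def key_usages(dump):
    """Set of keyUsage names, or None if the extension is absent (no restriction)."""
    m = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", dump)
    return None if m is None else {u.strip() for u in m.group(1).split(",")}

def issuer_problems(dump):
    """Reasons not to pass this certificate to `openssl ca -cert`; [] means acceptable."""
    # The "Any Purpose CA : Yes" row of -purpose is printed for every certificate
    # and says nothing about CA fitness, so only the extensions are consulted.
    problems = []
    ca = basic_constraints_ca(dump)
    if ca is None:
        problems.append("no basicConstraints extension: not a CA certificate")
    elif not ca:
        problems.append("basicConstraints CA:FALSE: not a CA certificate")
    ku = key_usages(dump)
    if ku is not None and "Certificate Sign" not in ku:
        problems.append("keyUsage present but lacks Certificate Sign")
    return problems
```

Run it on `openssl x509 -noout -text -purpose -in <cert>` output and abort the signing run if the returned list is non-empty.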