Hello,
On 21/05/2012 14:10, Serge Emantayev wrote:
Hello openSSL gurus,
I faced an issue with pathlen constraint checking by openSSL when verifying the
client certificate. I did a few studies on how openSSL does that and I would
appreciate your assistance in clarifying the issue.
1. The certificate chain with a pathlen constraint defined in a root CA:
Root CA, pathlen:1
  \ policy CA, pathlen:none
    \ issuer CA, pathlen:none
      \ client certificate
In the first case openSSL does not verify the certificate correctly (i.e. the
verification succeeds). It ignores the pathlen constraint defined in the root
CA.
This is conformant with X.509. The basicConstraints extension is not
taken into consideration if present in a trust anchor (a root certificate
is a trust anchor).
Download the X.509 recommendation; see chapter 10 (from memory), where the
validation algorithm is described.
--
Erwann ABALEA
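To make the point above concrete, here is an added example (not code from this thread or from OpenSSL) modelling the RFC 5280 section 6.1 path-length bookkeeping over constructed certificate records. The Cert fields and the chain names are assumptions; the trust anchor is an input to the algorithm and is never inspected, which is why the root's pathlen:1 has no effect on the chain from the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Constructed stand-in for the fields path validation looks at."""
    name: str
    is_ca: bool                     # basicConstraints cA
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint, None = absent
    self_issued: bool = False       # subject == issuer; does not consume path length


def validate_path(trust_anchor: Cert, path: List[Cert]) -> Tuple[bool, str]:
    """Path-length checks of RFC 5280 section 6.1.

    `path` holds certificates 1..n, ending with the end-entity certificate.
    The trust anchor is an input to the algorithm, not a certificate it
    processes, so its basicConstraints are never examined (hence the parameter
    is unused beyond documenting that fact)."""
    n = len(path)
    max_path_length = n  # 6.1.2 (k): initial budget is the path length
    for i, cert in enumerate(path, start=1):
        if i == n:
            break  # 6.1.4 "prepare for next" steps do not run for the last cert
        # 6.1.4 (k): every intermediate must assert cA
        if not cert.is_ca:
            return False, f"{cert.name}: not a CA but issues certificates"
        # 6.1.4 (l): a non-self-issued intermediate consumes one hop
        if not cert.self_issued:
            if max_path_length <= 0:
                return False, f"{cert.name}: exceeds pathLenConstraint of an earlier CA"
            max_path_length -= 1
        # 6.1.4 (m): a tighter constraint on this CA lowers the remaining budget
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "path length constraints satisfied"


# Constructed chain from the post: the root's pathlen:1 is on the trust anchor.
ROOT = Cert("Root CA", is_ca=True, path_len=1, self_issued=True)
CHAIN_FROM_POST = [
    Cert("policy CA", is_ca=True),
    Cert("issuer CA", is_ca=True),
    Cert("client certificate", is_ca=False),
]

if __name__ == "__main__":
    print(validate_path(ROOT, CHAIN_FROM_POST))  # valid: root constraint ignored
```

Moving the same constraint onto the policy CA changes the outcome: pathlen:1 there still admits the issuer CA beneath it, while pathlen:0 rejects the chain.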
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org