On 29/11/2013 17:53, Erwann Abalea wrote:
On 29/11/2013 16:25, Dr. Stephen Henson wrote:
Changing OIDs in the table is problematical. If anything uses them it could
break them in all sorts of ways. The NID_* entries would change and text based
lookup would no longer work.
The reference ntp server uses that trustRoot one, in fact. And as Rob
pointed out, it compares the text representation of this OID with "Trust
Root" (the long form) to check if the certificate is trusted or not.
Similarly, if it finds a certificate with 1.3.6.1.4 OID (IANA private)
as an EKU, the long form will be "Private", and ntp will declare this
certificate as private+trusted.
Technically, the NID_* versions of those OIDs are not used by ntpd. For
each extension found, an X509V3_EXT_print() is done on the extension,
the result is strcmp() with "Trust Root" and/or "Private", and internal
flags are set.
I'm not sure this code works anyway.
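
Added example, not ntpd or OpenSSL code: the thread describes a trust decision made by comparing an extension's printed name with "Trust Root" or "Private", which depends on the library's OID name table. The C below instead checks an ExtendedKeyUsage value by numeric OID, decoding the DER directly; `oid_to_dotted`, `eku_has_oid` and the sample bytes are constructed for illustration, and it assumes short-form DER lengths.

```c
#include <stdio.h>
#include <string.h>

/* Decode DER OID content octets to dotted form; 0 on success, -1 if malformed. */
static int oid_to_dotted(const unsigned char *p, size_t n, char *out, size_t cap) {
    unsigned long arc = 0, a;
    size_t used = 0;
    int w, first = 1;
    if (n == 0 || (p[n - 1] & 0x80)) return -1;         /* last arc truncated */
    for (size_t i = 0; i < n; i++) {
        if (arc == 0 && p[i] == 0x80) return -1;        /* non-minimal arc */
        if (arc > (~0UL >> 7)) return -1;               /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;                      /* arc continues */
        a = arc < 80 ? arc / 40 : 2;                    /* first value packs two arcs */
        w = first ? snprintf(out + used, cap - used, "%lu.%lu", a, arc - 40 * a)
                  : snprintf(out + used, cap - used, ".%lu", arc);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
        arc = 0; first = 0;
    }
    return 0;
}

/* 1 if the EKU value (SEQUENCE OF OID) contains `want`, 0 if not, -1 if malformed.
 * Assumption: short-form DER lengths only (< 128 bytes); stops at first match. */
int eku_has_oid(const unsigned char *der, size_t len, const char *want) {
    char dotted[128];
    size_t pos = 2, n;
    if (len < 2 || der[0] != 0x30 || der[1] >= 0x80 || der[1] != len - 2) return -1;
    while (pos < len) {
        if (len - pos < 2 || der[pos] != 0x06 || der[pos + 1] >= 0x80) return -1;
        n = der[pos + 1];
        if (n > len - pos - 2) return -1;
        if (oid_to_dotted(der + pos + 2, n, dotted, sizeof dotted) != 0) return -1;
        if (strcmp(dotted, want) == 0) return 1;
        pos += 2 + n;
    }
    return 0;
}

/* Constructed sample: EKU { 1.3.6.1.5.5.7.3.1 (serverAuth), 1.3.6.1.4 } */
static const unsigned char SAMPLE_EKU[] = { 0x30, 0x10, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
    0x05, 0x07, 0x03, 0x01, 0x06, 0x04, 0x2b, 0x06, 0x01, 0x04 };

int main(void) {
    printf("1.3.6.1.4 present: %d\n", eku_has_oid(SAMPLE_EKU, sizeof SAMPLE_EKU, "1.3.6.1.4"));
    return 0;
}
```

Because the match is on the decoded arcs, the result does not change if the short or long name attached to an OID in a lookup table is renamed.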