On Jul 7, 2014, at 5:40 AM, Sanjaya Joshi <joshi.sanj...@gmail.com> wrote:

> Hello,
>   My application uses openssl 1.0.0, and it uses X509_check_ca() to find out 
> if an X509 certificate is a CA certificate, or an End-entity (EE) certificate.
> 
> The below are the possible return codes.
> 
>         /* return codes of X509_check_ca():
>         * 0 not a CA
>         * 1 is a CA
>         * 2 basicConstraints absent so "maybe" a CA
>         * 3 basicConstraints absent but self signed V1.
>         * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
>         */
> 
> My question here is, if we get return code as 4, should we consider this as a 
> CA certificate or an EE certificate ?

It really depends on your use case, I think.  For example, one application I 
worked on had to “import” certificates to aid another process in locating 
certificates and building certificate chains (this goes back a _long_ way).  
For that one, it made more sense to treat such a cert as a CA 
certificate, since it was not uncommon for certificates that had their version 
set to V3 to be missing basicConstraints, and V1 certificates were still quite 
popular.  The app needed to be able to import such certificates into locations 
for most efficient access (and putting a cert that should be used in building a 
chain into a location that wasn’t considered for building the chain would be 
really bad).  If your use case is significantly different, you could go either 
way, or maybe even reject such certificates entirely.

TOM

> Any quick support in this regard is much appreciated.
> Regards,
> Sanjaya

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
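The following is an added example, not code from the thread or from OpenSSL. It models the five return codes listed in the quoted comment as a small Python function over a constructed certificate summary, and then shows the point of the reply: the codes 2, 3 and 4 (basicConstraints absent) are not a verdict, so the application has to map them to CA, EE or reject under a policy of its own. The evaluation order in `check_ca()` (a keyUsage without keyCertSign vetoes first, an explicit basicConstraints is authoritative, then the absent-basicConstraints fallbacks), the two policies (`"import"`, the lenient chain-import case from the reply, and `"rfc5280"`, which follows RFC 5280 section 6.1.4(k)) and the `trust_anchor` field are all assumptions of this example; the sample certificates are constructed, not parsed X.509 data.

```python
"""Added example: a model of X509_check_ca()'s documented return codes and
a policy layer that turns codes 2, 3 and 4 into a CA / EE / reject decision.
This is not OpenSSL's code; it mirrors the comment quoted in the thread."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Return codes exactly as listed in the v3_purp.c comment quoted above.
NOT_CA, IS_CA, MAYBE_CA, V1_SELF_SIGNED, KU_CERT_SIGN = 0, 1, 2, 3, 4


@dataclass(frozen=True)
class CertSummary:
    """The handful of fields the decision consults (constructed, not a parsed X.509)."""
    version: int                                   # 1 or 3 (X.509 v1 / v3)
    self_signed: bool                              # issuer == subject and signature verifies
    basic_constraints_ca: Optional[bool] = None    # None: extension absent
    key_usage: Optional[FrozenSet[str]] = None     # None: extension absent
    trust_anchor: bool = False                     # trusted out of band (assumed input)


def check_ca(cert: CertSummary) -> int:
    """Reproduce the documented return codes.

    Assumed evaluation order: a keyUsage that lacks keyCertSign vetoes CA status
    outright, an explicit basicConstraints is authoritative, and only then do the
    'basicConstraints absent' fallbacks (3, 4, 2) apply.
    """
    if cert.key_usage is not None and "keyCertSign" not in cert.key_usage:
        return NOT_CA
    if cert.basic_constraints_ca is not None:
        return IS_CA if cert.basic_constraints_ca else NOT_CA
    if cert.version == 1 and cert.self_signed:
        return V1_SELF_SIGNED
    if cert.key_usage is not None:          # keyCertSign is set, or we returned above
        return KU_CERT_SIGN
    return MAYBE_CA


def decide(cert: CertSummary, policy: str) -> str:
    """Map a return code to 'CA', 'EE' or 'reject' under an application policy."""
    code = check_ca(cert)
    if code == IS_CA:
        return "CA"
    if code == NOT_CA:
        return "EE"
    # Codes 2, 3 and 4 all mean "basicConstraints absent": the library has not decided.
    if policy == "import":
        # Lenient: anything that might sign certificates is filed where the
        # chain builder will look for issuers (the use case in the reply above).
        return "CA"
    if policy == "rfc5280":
        # RFC 5280 section 6.1.4(k): a v3 certificate acting as an issuer must carry
        # basicConstraints with cA=TRUE; v1 certificates may be CAs only through
        # out-of-band trust, which this example represents with the trust_anchor flag.
        return "CA" if code == V1_SELF_SIGNED and cert.trust_anchor else "reject"
    raise ValueError(f"unknown policy {policy!r}")


# Constructed inputs covering every return code in the comment.
SAMPLES: Dict[str, CertSummary] = {
    "v3_root":          CertSummary(3, True, True, frozenset({"keyCertSign", "cRLSign"}), True),
    "v3_leaf":          CertSummary(3, False, False, frozenset({"digitalSignature"})),
    "old_intermediate": CertSummary(3, False, None, frozenset({"keyCertSign"})),    # code 4
    "v1_root":          CertSummary(1, True, trust_anchor=True),                     # code 3
    "v3_bare":          CertSummary(3, True),                                         # code 2
    "leaf_no_bc":       CertSummary(3, False, None, frozenset({"digitalSignature"})), # code 0 via keyUsage veto
}


def classify_all(policy: str) -> Dict[str, str]:
    """Decision for every sample under one policy (handy for tests and the demo)."""
    return {name: decide(cert, policy) for name, cert in SAMPLES.items()}


if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:18} code={check_ca(cert)} "
              f"import={decide(cert, 'import'):6} rfc5280={decide(cert, 'rfc5280')}")
```

Running the block prints one line per sample; the interesting row is `old_intermediate`, which returns 4 and is filed as a CA under the import policy but rejected under the RFC 5280 policy, which is exactly the "depends on your use case" split described in the reply. Note also `leaf_no_bc`: a certificate with no basicConstraints but a keyUsage lacking keyCertSign comes back 0, so the keyUsage check resolves some of the "absent" cases on its own.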
