This is unfortunately something that you need to figure out for yourself.

The controlling standard is not RFC 3280, or in fact any of the RFCs. 
It is X.509, available from http://www.itu.int/.  (You can get the
latest ratified edition for no cost.)

However:

2 should probably not be considered a CA if you are expecting RFC3280
compliance.
3 is usually considered a CA, because self-signed V1 CAs were kept in
legacy production in many circumstances.  This technically violates
RFC3280, but there at least used to be many examples of things that
expected it anyway.
4 should probably not be considered a CA if you are expecting RFC3280
compliance.

-Kyle H

On 7/8/2014 1:13 AM, Sanjaya Joshi wrote:
> Thanks for the reply Tom and Kyle H.
>
> Now I have the 2 questions below:
>
> (1) Based on application's need, can we assume return codes 2, 3 and 4
> as non-CA?
> (2) If we get return code 4 "basicConstraints absent but keyUsage
> present and keyCertSign asserted" for a certificate, is this a valid
> certificate? Because RFC 3280 says:
>
> "The keyCertSign bit is asserted when the subject public key is
>       used for verifying a signature on public key certificates.  If the
>       keyCertSign bit is asserted, then the cA bit in the basic
>       constraints extension (section 4.2.1.10) MUST also be asserted."
>
>
> Regards,
> Sanjaya
>
>
>
> On Tue, Jul 8, 2014 at 2:16 AM, Kyle Hamilton <aerow...@gmail.com> wrote:
>
>
>     On 7/7/2014 2:40 AM, Sanjaya Joshi wrote:
>     > Hello,
>     >   My application uses openssl 1.0.0, and it uses X509_check_ca() to
>     > find out if an X509 certificate is a CA certificate, or an End-entity
>     > (EE) certificate.
>     >
>     > The below are the possible return codes.
>     >
>     >         /* return codes of X509_check_ca():
>     >         * 0 not a CA
>     >         * 1 is a CA
>     >         * 2 basicConstraints absent so "maybe" a CA
>     >         * 3 basicConstraints absent but self signed V1.
>     >         * 4 basicConstraints absent but keyUsage present and
>     >         *   keyCertSign asserted.
>     >         */
>     >
>     > My question here is, if we get return code as 4, should we consider
>     > this as a CA certificate or an EE certificate?
>     >
>     > Any quick support in this regard is much appreciated.
>     > Regards,
>     > Sanjaya
>
>     This depends on your environment, and the types of certificates
>     that the CAs used issue.
>
>     The reason the codes are differentiated is because the authors of the
>     library can't make a blanket determination for the library's
>     clients. :P
>
>     -Kyle H
>
>
