Timestamp validation checks critical flag on EKU

weber at infotech.de weber at infotech.de
Fri Jan 28 11:25:37 UTC 2022


Dear OpenSSL users,

recently we checked an older timestamp using the OpenSSL Library version 
1.1.1i.
The check revealed, that the timestamp verification failed.

Digging into the code we found that if an eku entry for timestamping is 
preset
it is expected to be marked critical (see v3_purp.c:798 ff.).

Thats's not the case for the timetamp cert in use.

We couldn'f find any source that enforces the critical flag on eku 
timestamp entries.
RFC 5280 says, that makring the EKU as critical is deliberate tu the issuer.

Any thoughts or pointer to the mentioned requirement?

Thanks in advance
--
Christian Weber


More information about the openssl-users mailing list