[openssl-dev] [openssl.org #4602] Missing accessors

Richard Levitte via RT rt at openssl.org
Wed Jul 20 17:10:53 UTC 2016


On Wed Jul 20 16:58:20 2016, janjust at nikhef.nl wrote:
> Hi Richard,
>
> On 20/07/16 17:14, Richard Levitte via RT wrote:
> > On Mon Jul 11 11:34:35 2016, mattias.ellert at physics.uu.se wrote:
> >> I guess having a more restrictive accessor that only sets the
> >> EXFLAG_PROXY bit could work. I suggested the more general solution
> >> of
> >> having set/clear accessors for arbitrary flags since it was - well
> >> more
> >> general.
> > So let me ask this in a different manner, does OpenSSL 1.1 still not
> > set the
> > EXFLAG_PROXY flag correctly? In what situations does that happen?
> > That may be
> > worth a bug report of its own.
> >
> this ties into my earlier question and example of verifying proxy
> certificates. What if I want to explicitly *set* the EXFLAG_PROXY for
> a
> stack of certificates?

I assume you only want that flag set for actual proxy certs and no other. If you
simply want to make sure the certs in a stack are properly flagged by OpenSSL,
call X509_check_purpose for each of them.

> how would I do that? how can I ensure that
> OpenSSL 1.1 will automagically trigger this flag for me? Is there a
> 'get_*' function to determine which flags were set during certificate
> verification?
>
> thanks for any pointers or advice,

The function to retrieve the extension flags is X509_get_extension_flags(). You
call that for each X509*.
Incidentally, this function calls X509_check_purpose to make sure the caches are
properly built up...

--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
