[openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jul 25 20:27:53 UTC 2018
> On Jul 25, 2018, at 3:00 PM, Ken Goldman <kgoldman at us.ibm.com> wrote:
>
>
> If you're suggesting altering the above code to do the level check before the call to get pkey, I think that would fix my problem.
Yes, that's what I'm saying, but also asking the broader list for feedback
on such a change. Should security level zero succeed even with unsupported
EE keys (which somehow get used with some other software???).
> ... if I can set level to a negative value. How do I set level? Is there an API or a configuration file?
It does not need to be negative, the test is "<= 0", but the default is
in fact -1 (not set). There is indeed a function for setting a non-default
security level:
X509_VERIFY_PARAM_set_auth_level()
and it is documented.
--
Viktor.