[openssl-users] Fwd: basic constraints check

Sandeep Deshpande sandeep.bvb at gmail.com
Thu May 31 22:08:13 UTC 2018


Hi Rich.. Thanks..
We want to add a check in our openssl library on client side to reject such
server certificate which are generated by the intermediate CA with missing
extensions like basic constraints..
How do we go about it?

I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca is
there. But it is getting called only for server certificate.


Thanks
Sandeep

On Thu, May 31, 2018, 11:39 PM Salz, Rich via openssl-users <
openssl-users at openssl.org> wrote:

>
>    - We generated intermediate02 such that it has "basicConstraints"
>    extension and "keyUsage" missing. Now we used this intermediate 02 CA to
>    sign server certificate.
>
>
>
> If those extensions, which are **optional,** are not present, then there
> is no limit on how the keys may be used, or how long the cert chain may
> be.  OpenSSL is doing the right thing.
>
>
>
> If you want to add them, and you cannot upgrade, then read about the
> openssl config file syntax.  Good luck.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180601/d215d3c1/attachment-0001.html>


More information about the openssl-users mailing list