The "Any Purpose" setting is something which lets anything through and
performs no checks at all. It was put there originally as a way for people to
use broken certificates if they had no other choice and could live with the
consequences. This setting has to be explicitly requested in code: meaning it
can't be accidentally set.

Since then CA checks have been made mandatory in the code even if "Any
Purpose" is set. So if you actually tried to use that certificate as a CA it
would be rejected.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

If that is so, then how can the following happen (with a recent
openssl-dev):

% openssl version -a
OpenSSL 0.9.9-dev XX xxx XXXX
built on: Wed Jun 29 12:31:27 CEST 2005
platform: BSD-x86-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl"

% openssl x509 -in ***@example.com.pem -noout -text -purpose
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c0:ed:2a:bc:67:03:2a:69:c3:46:23:49:dd:a8:c3:a0
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=XY, O=BTG Development CA (3), OU=Basic CA, CN=David Deer/emailAddress=***@example.com
Validity
Not Before: Jul 5 11:05:50 2005 GMT
Not After : Jul 7 11:05:50 2005 GMT
Subject: C=XY, O=BTG Development CA (3), OU=Basic CA, CN=Martin Kraemer/emailAddress=***@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:...:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
X509v3 Authority Key Identifier:
keyid:23:B4:0C:4C:FA:26:E3:76:3B:02:7F:DC:CC:8D:24:D7:48:8C:95:E7
DirName:/C=XY/O=BTG Development CA (3)/CN=David Deer/emailAddress=***@example.com
serial:C4:A5:4C:5D:BB:C3:89:C7:F8:8B:94:49:D8:C1:E2:0C

X509v3 Subject Alternative Name:
email:***@example.com
X509v3 Issuer Alternative Name:
email:***@example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 CRL Distribution Points:
URI:http://ca.example.com/ca/3/basic_C4A54C5DBBC389C7F88B9449D8C1E20C.crl

Netscape CA Revocation Url:
http://ca.example.com/ca/3/basic_C4A54C5DBBC389C7F88B9449D8C1E20C.crl
Netscape Comment:
created by BaDCA
1.3.6.1.4.1.18060.101.1:
committer
Signature Algorithm: sha1WithRSAEncryption
37:...:9a
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

% openssl ca -config openssl.cnf -cert ***@example.com.pem -keyfile ***@example.com.key -verbose -in ***@example.com.csr
Using configuration from openssl.cnf
Enter pass phrase for ***@example.com.key:
...
9 entries loaded from the database
generating index
message digest is md5
policy is policy_match
next serial number is 0123456789ABCDEF0123456789ABCDF5
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=Martin Kraemer/emailAddress=***@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:...:29
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
53:...:60
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Successfully added extensions from config
Certificate Details:
Serial Number:
01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:f5
Validity
Not Before: Jul 5 15:33:22 2005 GMT
Not After : Jul 5 15:33:22 2006 GMT
Subject:
commonName = Martin Kraemer
emailAddress = ***@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
X509v3 Authority Key Identifier:
keyid:C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
DirName:/C=XY/O=BTG Development CA (3)/OU=Basic CA/CN=David Deer/emailAddress=***@example.com
serial:C0:ED:2A:BC:67:03:2A:69:C3:46:23:49:DD:A8:C3:A0

Certificate is to be certified until Jul 5 15:33:22 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing ./demoCA/newcerts/0123456789ABCDEF0123456789ABCDF5.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:f5
Signature Algorithm: md5WithRSAEncryption
Issuer: C=XY, O=BTG Development CA (3), OU=Basic CA, CN=Martin Kraemer/emailAddress=***@example.com
Validity
Not Before: Jul 5 15:33:22 2005 GMT
Not After : Jul 5 15:33:22 2006 GMT
Subject: CN=Martin Kraemer/emailAddress=***@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:...:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
X509v3 Authority Key Identifier:
keyid:C4:40:46:89:F2:60:86:3A:23:80:CF:46:E2:B5:B4:48:BA:44:94:0F
DirName:/C=XY/O=BTG Development CA (3)/OU=Basic CA/CN=David Deer/emailAddress=***@example.com
serial:C0:ED:2A:BC:67:03:2A:69:C3:46:23:49:DD:A8:C3:A0

Signature Algorithm: md5WithRSAEncryption
12:...:aa
-----BEGIN CERTIFICATE-----
MIIEUzCCAzugAwIBAgIQASNFZ4mrze8BI0VniavN9TANBgkqhkiG9w0BAQQFADB8
MQswCQYDVQQGEwJHQjEfMB0GA1UEChMWQVNGIERldmVsb3BtZW50IENBICgzKTER
MA8GA1UECxMIQmFzaWMgQ0ExFzAVBgNVBAMTDk1hcnRpbiBLcmFlbWVyMSAwHgYJ
KoZIhvcNAQkBFhFtYXJ0aW5AYXBhY2hlLm9yZzAeFw0wNTA3MDUxNTMzMjJaFw0w
NjA3MDUxNTMzMjJaMDsxFzAVBgNVBAMTDk1hcnRpbiBLcmFlbWVyMSAwHgYJKoZI
hvcNAQkBFhFtYXJ0aW5AYXBhY2hlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANfxtNJRRCMBuP79GjcCJH5vue9S00CfjMi8MAnAJMtOYkKg3VPb
ovtmmGmLmlrcXOc4J4heiw4QUNnBTaLlEdn/+iZD8KPF42EI+Au6dZZOSxI2X59P
HDViLj68zXOk1n0Li/aBU5RrFfn1DTUvQBb4xH5zpAOn0e9juLqp8fMOaJ/DUwwH
LITGzE9vis6NCcwglomgWn/+QaTY8NuWNr0sLN97P4L1BKF4SuwZU/oO+mpR4H1a
kDdWEhNKOLoNSCdeBsnp4jlnwceBzNmfXYP1UJcmBQpOcECtDMtbn52FaywcIGYI
+mYKzSXCLpw5aKs9A6V+UKzmPRL323DD9CkCAwEAAaOCARAwggEMMAkGA1UdEwQC
MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
MB0GA1UdDgQWBBTEQEaJ8mCGOiOAz0bitbRIukSUDzCBsQYDVR0jBIGpMIGmgBTE
QEaJ8mCGOiOAz0bitbRIukSUD6F7pHkwdzELMAkGA1UEBhMCR0IxHzAdBgNVBAoT
FkFTRiBEZXZlbG9wbWVudCBDQSAoMykxETAPBgNVBAsTCEJhc2ljIENBMRMwEQYD
VQQDEwpEYXZpZCBSZWlkMR8wHQYJKoZIhvcNAQkBFhBkcmVpZEBhcGFjaGUub3Jn
ghEAwO0qvGcDKmnDRiNJ3ajDoDANBgkqhkiG9w0BAQQFAAOCAQEAEoAsNUfSPO/H
w/sGE5teuXcH88rawJpNO+UuhQdBn19H4IpIoiI9Ftio09ku9rY0Wctpc8GEN1eO
ZAwmbwjDsBhI40TSQkQP9cCryehAkuwBVvcyvajPRQwRryZEQGfYMl18oGoZiX0X
llGG3eio1luUmLDO7hjBwEdN+8MQYburwpIzJHo86Zs5+8bWa5iCKZk/DGtjjOD2
eFx5+6ybcOg6vHE1YUlq5b/fzgUQ5azxiMMKDhGX0sMD9ZphGkIc0u3Z2uAQDPEM
6Zlab//NaiDgkCsjbqzV39EzOmmZEexht1k71V7J/nYarXQ1gfh33M2k1AEqmCeN
U9QWqJUKqg==
-----END CERTIFICATE-----
Data Base Updated

It should have rejected the client/server cert for CA use, no?

Martin