Discussion:
"critical,CA:FALSE" but "Any Purpose CA : Yes" ?
Martin Kraemer
2005-07-05 14:36:30 UTC
When creating a certificate using an openssl CA, I specify the x509v3
extension basicConstraints = critical,CA:FALSE.
Looking at the generated certificate using

% openssl x509 -noout -text -purpose -in nonca.pem
...
X509v3 Basic Constraints: critical
CA:FALSE <====================
...
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes <==================
OCSP helper : Yes
OCSP helper CA : No

How can this be, CA usage is "critical"ly forbidden, yet the CA
usage for "Any Purpose" is possible ??? Is this an openssl problem,
or a misunderstanding on my side?

Irritated,

Martin
--
<***@Fujitsu-Siemens.com> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Dr. Stephen Henson
2005-07-05 15:12:26 UTC
Post by Martin Kraemer
When creating a certificate using an openssl CA, I specify the x509v3
extension basicConstraints = critical,CA:FALSE.
Looking at the generated certificate using
% openssl x509 -noout -text -purpose -in nonca.pem
...
X509v3 Basic Constraints: critical
CA:FALSE <====================
...
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes <==================
OCSP helper : Yes
OCSP helper CA : No
How can this be, CA usage is "critical"ly forbidden, yet the CA
usage for "Any Purpose" is possible ??? Is this an openssl problem,
or a misunderstanding on my side?
The "Any Purpose" setting is something which lets anything through and
performs no checks at all. It was put there originally as a way for people to
use broken certificates if they had no other choice and could live with the
consequences. This setting has to be explicitly requested in code: meaning it
can't be accidentally set.

Since then CA checks have been made mandatory in the code even if "Any
Purpose" is set. So if you actually tried to use that certificate as a CA it
would be rejected.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Martin Kraemer
2005-07-05 15:45:09 UTC
Martin Kraemer
2005-07-05 15:51:19 UTC
Post by Martin Kraemer
If that is so, then how can the following happen (with a recent
Oops - it can because here, the "critical" flag is missing. Sorry.

Martin
--
<***@Fujitsu-Siemens.com> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
Dr. Stephen Henson
2005-07-05 16:03:49 UTC
Post by Martin Kraemer
Post by Dr. Stephen Henson
Since then CA checks have been made mandatory in the code even if "Any
Purpose" is set. So if you actually tried to use that certificate as a CA it
would be rejected.
If that is so, then how can the following happen (with a recent
[example of ca utility]

The 'ca' utility doesn't currently check the validity of the CA certificate it
is signing with. So it will happily sign with an invalid CA but the
verification routines will reject it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
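The two points Steve makes above (the "Any Purpose" check is a no-op, and the signing tools do not validate their own CA certificate while the verification routines do), as an added example that is not part of the thread or of OpenSSL's own code. It assumes the openssl CLI (1.1.1 or later) and uses a private config file so no system openssl.cnf is needed; all names and files are constructed test data.

```shell
#!/bin/sh
# Builds a self-signed cert with basicConstraints=critical,CA:FALSE, shows the
# purpose listing still says "Any Purpose CA : Yes", signs a leaf with it, and
# then lets 'openssl verify' reject that leaf (expected: invalid CA certificate).
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ nonca_ext ]
basicConstraints = critical,CA:FALSE
EOF

# Self-signed certificate that explicitly denies CA usage (the thread's nonca.pem).
make_nonca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions nonca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=nonca-example" \
    -keyout "$WORK/nonca.key" -out "$WORK/nonca.pem" >/dev/null 2>&1
}

# The purpose listing reports "Any Purpose CA : Yes" because that check does nothing.
any_purpose_ca() {
  openssl x509 -noout -purpose -in "$WORK/nonca.pem" | grep '^Any Purpose CA'
}

# Sign a leaf with the non-CA key. Like the 'ca' utility, 'x509 -req' does not
# check the signer's basicConstraints, so this succeeds (exit status 0).
sign_leaf_with_nonca() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=leaf-example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/nonca.pem" \
    -CAkey "$WORK/nonca.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Path validation rejects the leaf because its issuer is not a valid CA.
# Returns 0 when the leaf is rejected (expected), 1 if it were accepted.
leaf_rejected() {
  ! openssl verify -CAfile "$WORK/nonca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_nonca && any_purpose_ca && sign_leaf_with_nonca && leaf_rejected &&
  echo "leaf signed by the non-CA key, rejected by openssl verify as expected"
```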