Hi all,
I noticed that anyExtendedKeyUsage is not taken into account when processing the certificate. Even though it's possible to specify it through the OID or the anyExtendedKeyUsage string in the cfg file, and it's even parsed correctly when running the openssl x509 -text command, the setting doesn't have an effect.
In the code, the OID is available, but I didn't find any place that would act based on this flag (openssl x509 -purpose doesn't reflect the purpose of such a certificate).
This is the output I'm getting:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = WI, L = XX, O = XX, OU = Test, CN = XX
        Validity
            Not Before: Jan 12 13:17:17 2016 GMT
            Not After : Oct  8 13:17:17 2018 GMT
        Subject: C = US, ST = WI, L = XX, O = XX, OU = Test, CN = Entity0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    ...
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                ...
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                Any Extended Key Usage
    Signature Algorithm: ecdsa-with-SHA256
         ...
Certificate purposes:
SSL client : No                  <----!!
SSL client CA : No
SSL server : No                  <----!!
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes                <----!!
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
I know that the RFC (https://tools.ietf.org/html/rfc5280#page-44) says:

    Applications that require the presence of a
    particular purpose MAY reject certificates that include the
    anyExtendedKeyUsage OID but not the particular OID expected for the
    application.

I would guess somebody had a good reason to reject this OID. Can anybody give a hint as to what the rationale behind that is? Sorry for using this group instead of the users group, but as it's a design decision, I'm counting on getting to somebody with this information.
Cheers,
Jerzy
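A reproduction of the behaviour described in the post, added here as an example and not taken from the thread or from the OpenSSL project: the script builds two self-signed P-256 certificates, one whose only EKU is anyExtendedKeyUsage and one with an explicit clientAuth EKU, and compares what openssl x509 -purpose and openssl verify -purpose sslclient make of each. It assumes an openssl binary on PATH; the config file, subject name and scratch paths are constructed for the example, and keyUsage is left out (unlike the post's certificate) so that each cert can serve as its own trust anchor in the verify step.

```sh
#!/bin/sh
# Constructed example: a leaf whose only EKU is anyExtendedKeyUsage is reported
# "SSL client : No" by `openssl x509 -purpose` and rejected by
# `openssl verify -purpose sslclient`; an explicit clientAuth EKU passes both.
# Assumes an `openssl` binary on PATH; every file below is a scratch file.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert EKU: self-signed P-256 cert whose extendedKeyUsage is EKU
# (e.g. anyExtendedKeyUsage or clientAuth). keyUsage is omitted on purpose so
# the cert counts as self-signed and can be its own trust anchor for verify.
# Prints the path of the PEM file.
make_cert() {
    cat >"$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Entity0
[ext]
extendedKeyUsage = $1
EOF
    openssl req -x509 -config "$WORK/$1.cnf" -extensions ext -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.pem"
}

# purpose_flag CERT NAME: the Yes/No that `x509 -purpose` prints for the
# purpose called NAME, e.g. purpose_flag cert.pem 'SSL client'.
purpose_flag() {
    openssl x509 -in "$1" -noout -purpose | sed -n "s/^$2 : //p"
}

# verify_for CERT PURPOSE: succeed iff CERT verifies (against itself as the
# trust anchor) when the chain is restricted to PURPOSE, e.g. sslclient.
verify_for() {
    openssl verify -CAfile "$1" -purpose "$2" "$1" >/dev/null 2>&1
}

for eku in anyExtendedKeyUsage clientAuth; do
    cert="$(make_cert "$eku")"
    printf '%-20s SSL client: %-3s Any Purpose: %-3s verify sslclient: ' \
        "$eku" "$(purpose_flag "$cert" 'SSL client')" \
        "$(purpose_flag "$cert" 'Any Purpose')"
    if verify_for "$cert" sslclient; then echo ok; else echo rejected; fi
done
```

The anyExtendedKeyUsage cert comes out as "Any Purpose: Yes" but "SSL client: No" and fails the sslclient verification, which is exactly the mismatch the post describes; issuing the specific OID is what OpenSSL's purpose checks key on.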