*Tomáš Mráz*
+ * Add X.509 certificate codeSigning purpose and related checks on key usage and
+ extended key usage of the leaf certificate according to the CA/Browser Forum.
+
+ * Lutz Jänicke*
+
* Fix and extend certificate handling and the apps `x509`, `verify` etc.
such as adding a trace facility for debugging certificate chain building.
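Review bot: The scope stated in the new CHANGES entry (lines "Add X.509 certificate codeSigning purpose and related checks on key usage and extended key usage of the leaf certificate according to the CA/Browser Forum") is broader than what the code comments in the same patch commit to, which say the CA/Browser Forum's extra requirements are not checked for CA certificates and that certificatePolicies, cRLDistributionPoints and authorityInformationAccess are "so far not checked"; consider wording the entry as "checks on the key usage and extended key usage extensions of the leaf certificate, following the CA/Browser Forum Code Signing Baseline Requirements" so a reader does not assume full BR conformance checking. Minor style point: the attribution line `* Lutz Jänicke*` has a space after the opening asterisk, unlike `*Tomáš Mráz*` above it; if that is in the file rather than an artifact of this view, Markdown will not italicize it.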
{
int i_ext;
- /* If ca is true we must return if this is a valid CA certificate. */
+ /*
+ * If require_ca is true we must check if this is a valid CA certificate.
+ * The extra requirements by the CA/Browser Forum are not checked.
+ */
if (require_ca)
return check_ca(x);
+ /*
+ * Key Usage is checked according to RFC 5280 and
+ * Extended Key Usage attributes is checked according to RFC 3161.
+ * The extra (and somewhat conflicting) CA/Browser Forum
+ * Baseline Requirements for the Issuance and Management of
+ * Publicly‐Trusted Code Signing Certificates, Version 3.0.0,
+ * Section 7.1.2.3: Code signing and Timestamp Certificate are not checked.
+ */
/*
* Check the optional key usage field:
* if Key Usage is present, it must be one of digitalSignature
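Review bot: Grammar in the new comment, "Extended Key Usage attributes is checked according to RFC 3161", should be "the Extended Key Usage attribute is checked" (or "attributes are checked"). The same comment block could also state explicitly that the CA/Browser Forum requirements mentioned are out of scope for the leaf as well as for the `require_ca` branch, since the line "The extra requirements by the CA/Browser Forum are not checked" sits only in the CA branch; the later sentence "Section 7.1.2.3: Code signing and Timestamp Certificate are not checked" already says this but reads ambiguously and would be clearer as "the requirements of Section 7.1.2.3 ... are not checked here". Two adjacent block comments (the new one and the existing "Check the optional key usage field" one) could be merged into a single comment for readability.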
{
int i_ext;
- /* If ca is true we must return if this is a valid CA certificate. */
+ /*
+ * If require_ca is true we must check if this is a valid CA certificate.
+ * The extra requirements by the CA/Browser Forum are not checked.
+ */
if (require_ca)
return check_ca(x);
/*
* Check the key usage and extended key usage fields:
*
- * Reference: CA Browser Forum,
- * Baseline Requirements for the Issuance and Management of
+ * Reference: CA/Browser Forum,
+ * Baseline Requirements for the Issuance and Management of
* Publicly‐Trusted Code Signing Certificates, Version 3.0.0,
* Section 7.1.2.3: Code signing and Timestamp Certificate
*
* Checking covers Key Usage and Extended Key Usage attributes.
- * Other properties like CRL Distribution Points and Authoriy
- * Information Access (AIA) are not checked.
+ * The certificatePolicies, cRLDistributionPoints (CDP), and
+ * authorityInformationAccess (AIA) extensions are so far not checked.
*/
/* Key Usage */
if ((x->ex_flags & EXFLAG_KUSAGE) == 0)
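Review bot: The new comment lists which extensions are not checked ("The certificatePolicies, cRLDistributionPoints (CDP), and authorityInformationAccess (AIA) extensions are so far not checked"), but nothing in the patch surfaces this limitation to API users; the man page hunk for X509_STORE_CTX_set_purpose() in this same change would be the place to say that X509_PURPOSE_CODE_SIGN verifies only the Key Usage and Extended Key Usage extensions of the leaf certificate. Also, "Reference: CA/Browser Forum, Baseline Requirements ... Version 3.0.0" is a versioned document; a note on what to revisit when the BR version changes (or a link to the document) would help future maintainers. Lastly, "are so far not checked" reads better as "are not checked yet".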
B<X509_PURPOSE_SMIME_ENCRYPT>, B<X509_PURPOSE_CRL_SIGN>, B<X509_PURPOSE_ANY>,
B<X509_PURPOSE_OCSP_HELPER>, B<X509_PURPOSE_TIMESTAMP_SIGN> and
B<X509_PURPOSE_CODE_SIGN>. It is also
-possible to create a custom purpose value. Setting a purpose will ensure that
-the key usage declared within certificates in the chain being verified is
-consistent with that purpose as well as, potentially, other checks. Every
-purpose also has an associated default trust value which will also be set at the
-same time. During verification this trust setting will be verified to check it
-is consistent with the trust set by the system administrator for certificates in
-the chain.
+possible to create a custom purpose value. Setting a purpose requests that
+the key usage and extended key usage (EKU) extensions optionally declared within
+the certificate and its chain are verified to be consistent with that purpose.
+For SSL client, SSL server, and S/MIME purposes, the EKU is checked also for the
+CA certificates along the chain, including any given trust anchor certificate.
+Potentially also further checks are done (depending on the purpose given).
+Every purpose also has an associated default trust value, which will also be set
+at the same time. During verification, this trust setting will be verified
+to check whether it is consistent with the trust set by the system administrator
+for certificates in the chain.
X509_STORE_CTX_set_trust() sets the trust value for the target certificate
being verified in the I<ctx>. Built-in available values for the I<trust>
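Review bot: The rewritten paragraph says "For SSL client, SSL server, and S/MIME purposes, the EKU is checked also for the CA certificates along the chain, including any given trust anchor certificate", which leaves the behaviour of the newly documented B<X509_PURPOSE_CODE_SIGN> and B<X509_PURPOSE_TIMESTAMP_SIGN> purposes to be inferred by omission; add a sentence stating that for these purposes the key usage and extended key usage checks apply to the leaf certificate only, matching the CHANGES entry in this patch. The sentence "Potentially also further checks are done (depending on the purpose given)" is vague; "Depending on the purpose, further checks may be performed" reads more naturally, and naming the additional checks (or pointing to the purpose-specific sections of this page) would make it useful.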