diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-07-03 21:19:55 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-07-16 21:48:22 +0200 |
commit | 42bb51e59308b3ebc5cc1c35ff4822fba6b52d79 (patch) | |
tree | d6fcd1454fe15a16edddae32ecc15a50ebeaa26d /doc/man1 | |
parent | e2590c3a162eb118c36b09c2168164283aa099b4 (diff) |
x509_vfy.c: Improve key usage checks in internal_verify() of cert chains
If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.
Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
Diffstat (limited to 'doc/man1')
-rw-r--r-- | doc/man1/verify.pod | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod index 63ba850b91..18e803c8d6 100644 --- a/doc/man1/verify.pod +++ b/doc/man1/verify.pod @@ -98,8 +98,11 @@ current system time. B<timestamp> is the number of seconds since =item B<-check_ss_sig> -Verify the signature on the self-signed root CA. This is disabled by default -because it doesn't add any security. +Verify the signature of +the last certificate in a chain if the certificate is supposedly self-signed. +This is prohibited and will result in an error if it is a non-conforming CA +certificate with key usage restrictions not including the keyCertSign bit. +This verification is disabled by default because it doesn't add any security. =item B<-CRLfile file> |