
What is meant by "Purpose" and its value in certificate verification?

Can anyone tell me what the "Purpose" values are used for while checking certificates and what they mean?


For an overview of what they mean have a look at the Certificate Extensions section in OpenSSL's x509 man page.

This is how they relate to code (taken from v3_purp.c):

static X509_PURPOSE xstandard[] = {
{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
{X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
};

When checking for a purpose programmatically, you usually only have to deal with the integer constants such as X509_PURPOSE_SSL_SERVER. These purposes are used during certificate validation. The certificate (path) is validated and finally OpenSSL checks whether the certificate at hand contains an ExtendedKeyUsage extension that contains the requested "purposes". If it does not, the certificate will be rejected.

OpenSSL applies reasonable defaults where possible, but if you have special requirements you may add your own purposes to be checked during certificate validation. It is also possible to check for custom ExtendedKeyUsages if you wish to, but usually the predefined default values suffice.
