policy_check on openssl verify - Openssl


  1. policy_check on openssl verify

    Hi.

    On OpenSSL 0.9.8h, I want to run a certificate verification that includes
    the certificate policy check by using the "openssl verify" command.

    The verification succeeds even though a random OID is specified
    for the "-policy" option of the "openssl verify" command.

    Is my usage wrong?


    (Usage example)
    openssl verify -policy 1.2.46.67. -policy_check -CAfile cacert.pem cert.pem
    cacert.pem: OK


    (Certificate Policies in cert.pem)
    X509v3 Certificate Policies:
    Policy: 1.2.4.5
    Policy: 1.1.3.4

    Thanks!

    Takurou Saitou.


    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: policy_check on openssl verify

    Hi there:

    On July 28, 2008 08:07:22 am Takurou Saitou wrote:
    > Hi.
    >
    > On OpenSSL 0.9.8h, I want to run a certificate verification that includes
    > the certificate policy check by using the "openssl verify" command.
    >
    > The verification succeeds even though a random OID is specified
    > for the "-policy" option of the "openssl verify" command.
    >
    > Is my usage wrong?
    >
    >
    > (Usage example)
    > openssl verify -policy 1.2.46.67. -policy_check -CAfile cacert.pem cert.pem
    > cacert.pem: OK
    >

    I think that you need to add -explicit_policy to the arguments.

    To see what it is doing, you may want to also add -policy_print.

    Have fun.


    --
    Patrick Patterson
    President and Chief PKI Architect,
    Carillon Information Security Inc.
    http://www.carillon.ca


  3. RE: policy_check on openssl verify

    Dear Kyle,
    Dear Patrick Patterson.
    Thank you for the reply.

    > -----Original Message-----
    > From: owner-openssl-users@openssl.org
    >
    >
    > Hi there:
    >
    > On July 28, 2008 08:07:22 am Takurou Saitou wrote:
    > > Hi.
    > >
    > > On OpenSSL 0.9.8h, I want to run a certificate verification that includes
    > > the certificate policy check by using the "openssl verify" command.
    > >
    > > The verification succeeds even though a random OID is specified
    > > for the "-policy" option of the "openssl verify" command.
    > >
    > > Is my usage wrong?
    > >
    > >
    > > (Usage example)
    > > openssl verify -policy 1.2.46.67. -policy_check -CAfile cacert.pem cert.pem
    > > cacert.pem: OK
    > >

    > I think that you need to add -explicit_policy to the arguments.
    >
    > To see what it is doing, you may want to also add -policy_print.


    I added the two options mentioned above and executed the command.
    The result was as follows.

    (result)
    openssl verify -policy 1.2.46.67. -policy_check -explicit_policy -policy_print
    -CAfile cacert.pem cert.pem
    ..cert.pem: error 43 at 0 depth lookup:no explicit policy
    Require explicit Policy: True
    Authority Policies:
    Policy: 1.1.3.4
    Non Critical
    No Qualifiers
    Policy: 1.2.4.5
    Non Critical
    No Qualifiers
    User Policies:

    The verify result "OK" was not given.

    When I perform a certificate policy check, must I always specify both
    the "-policy_check" and "-explicit_policy" options?

    Thanks!

    Takurou Saitou.
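
The behaviour discussed in this thread can be reproduced on a throwaway CA; the script below is an added example, not part of the original posts. It assumes a current OpenSSL (1.1.1 or 3.x rather than 0.9.8h); the certificates are constructed test data carrying the policy OIDs from the thread, and make_pki and check are hypothetical helper names.

```shell
#!/bin/sh
# Added example on a constructed throwaway PKI (not the poster's cacert.pem/cert.pem).

# make_pki DIR: create a test CA and a leaf asserting the thread's two policy OIDs.
make_pki() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
certificatePolicies = 1.2.4.5, 1.1.3.4
EOF
    openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -new -config "$1/pki.cnf" -subj "/CN=leaf.example" \
        -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/req.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 1 -extfile "$1/pki.cnf" -extensions leaf \
        -out "$1/cert.pem" 2>/dev/null
}

# check DIR [verify options...]: echo OK or FAIL for one policy configuration.
check() {
    dir=$1; shift
    if openssl verify "$@" -CAfile "$dir/cacert.pem" "$dir/cert.pem" 2>/dev/null |
        grep -q ': OK$'
    then echo OK; else echo FAIL; fi
}

d=$(mktemp -d) && make_pki "$d" || exit 1
# 1.2.46.67 is the unrelated OID from the thread, written without the trailing dot.
# Without -explicit_policy an empty user policy set is not an error:
echo "unrelated OID, -policy_check only:   $(check "$d" -policy 1.2.46.67 -policy_check)"
# With -explicit_policy the same request fails (error 43, no explicit policy):
echo "unrelated OID, -explicit_policy:     $(check "$d" -policy 1.2.46.67 -policy_check -explicit_policy)"
# An OID the certificate actually asserts satisfies the explicit-policy requirement:
echo "asserted OID, -explicit_policy:      $(check "$d" -policy 1.2.4.5 -policy_check -explicit_policy)"
rm -rf "$d"
```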



