certificate purpose & smime

certificate purpose & smime

Peter BENKO,VSE IT Sluzby,+421-55-610-2045,+421-903-855532
Hi

I have a certificate with the following purposes:
openssl x509 -purpose -noout -in crt.pem
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

... i.e. a certificate for S/MIME signing.

But...
openssl smime -encrypt -in msg.txt -out msg.txt.p7m -text crt.pem
works well

How is it possible that I'm able to encrypt with this certificate?

Thx
Peter Benko
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: certificate purpose & smime

Dr. Stephen Henson
On Thu, Aug 18, 2005, Peter BENKO,VSE IT Sluzby,+421-55-610-2045,+421-903-855532 wrote:

> Hi
>
> I have a certificate with the following purposes:
> openssl x509 -purpose -noout -in crt.pem
> Certificate purposes:
> SSL client : Yes
> SSL client CA : No
> SSL server : No
> SSL server CA : No
> Netscape SSL server : No
> Netscape SSL server CA : No
> S/MIME signing : Yes
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
>
> ... i.e. a certificate for S/MIME signing.
>
> But...
> openssl smime -encrypt -in msg.txt -out msg.txt.p7m -text crt.pem
> works well
>
> How is it possible that I'm able to encrypt with this certificate?
>

OpenSSL doesn't currently enforce certificate usages when it encrypts,
decrypts or signs S/MIME data. It does give a verification error if an
inappropriate usage is present when it verifies an S/MIME message though.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
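
Added example (not part of the original thread, and not OpenSSL project code): since the encrypt step does not check the purpose itself, a caller can gate it on the `openssl x509 -purpose` report shown in the first message. The function names are hypothetical, and the parsing assumes the "name : Yes/No" report layout quoted above.

```shell
#!/bin/sh
# Lines copied from the purpose report in the question, used as sample input.
SAMPLE_REPORT='Certificate purposes:
SSL client : Yes
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
Any Purpose : Yes'

# purpose_value NAME (hypothetical helper)
# Reads `openssl x509 -purpose -noout` output on stdin and prints the value
# for the exact purpose NAME, so "S/MIME encryption" never matches the
# "S/MIME encryption CA" line. Exits non-zero if NAME is not in the report.
purpose_value() {
    awk -F' : ' -v want="$1" '
        { name = $1; val = $2
          gsub(/^[ \t]+|[ \t\r]+$/, "", name)
          gsub(/^[ \t]+|[ \t\r]+$/, "", val)
          if (name == want) { print val; found = 1; exit } }
        END { if (!found) exit 1 }'
}

# smime_encrypt_allowed (hypothetical helper)
# Succeeds only if the report on stdin says "S/MIME encryption : Yes".
smime_encrypt_allowed() {
    [ "$(purpose_value 'S/MIME encryption')" = "Yes" ]
}

# checked_smime_encrypt CERT MSG OUT (hypothetical wrapper)
# Runs the same encrypt command as in the question, but only after the
# recipient certificate passes the purpose check.
checked_smime_encrypt() {
    cert=$1; msg=$2; out=$3
    if ! openssl x509 -purpose -noout -in "$cert" | smime_encrypt_allowed; then
        echo "refusing: $cert is not marked for S/MIME encryption" >&2
        return 1
    fi
    openssl smime -encrypt -in "$msg" -out "$out" -text "$cert"
}

# Demonstration on the sample report: this certificate is rejected.
printf '%s\n' "$SAMPLE_REPORT" | smime_encrypt_allowed \
    || echo "sample certificate: not marked for S/MIME encryption"
```

With the certificate from the question, `checked_smime_encrypt crt.pem msg.txt msg.txt.p7m` would stop before calling `openssl smime -encrypt`.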