4

I have a certificate received from client. In my server application I need to check if the received certificate is a CA or User certificate. I am currently using mbedTLS library for implementing security. There is an example already to check this case in JAVA. Similarly, I would like to know how to check using mbedTLS library or OpenSSL command.

Stoogy
  • 1,307
  • 3
  • 16
  • 34
jayx
  • 103
  • 9

1 Answers1

1

Have a look at the int mbedtls_x509_crt::ca_istrue field. Which is:

Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise.

https://tls.mbed.org/api/structmbedtls__x509__crt.html#a196b3a43dae5a1c0058f46075f832890

EDIT: According to your example you need to check the if MBEDTLS_X509_KU_KEY_CERT_SIGN (link) of the key_usage (link) is set in the mbedtls_x509_crt structure.

Stoogy
  • 1,307
  • 3
  • 16
  • 34
  • 1
    The field `ca_istrue` is used to check whether the certificate belongs to CA or not. My requirement is to check whether the certificate is User one or the CA (which is used to sign the certificates) – jayx Apr 08 '19 at 12:40
  • 1
    In my certificates, The returned values while reading the `keyUsage` are: CA - `0xE6` User Certificate `0xF4` which means in both the cases `MBEDTLS_X509_KU_KEY_CERT_SIGN` is set. I have done little bit of research on this part. The CRL signing bit `MBEDTLS_X509_KU_CRL_SIGN` is set only for CA certificate. Shall we use this bit to verify it is CA certificate? – jayx Apr 11 '19 at 07:35
  • 1
    To add to [example](https://stackoverflow.com/questions/12092457/how-to-check-if-x509certificate-is-ca-certificate) I have mentioned, The Basic constraints path length is set as 'NONE' in my certificates which is being tested using JAVA [API](https://docs.oracle.com/javase/6/docs/api/java/security/cert/X509Certificate.html#getBasicConstraints) – jayx Apr 11 '19 at 07:47