Globus: GSI v2.0: X509 Certificate Critical Extension Handling

As of the 2.0 release of the GSI, only the following critical extensions are handled:

  • subject_key_identifier
  • authority_key_identifier
  • basic_constraints
  • key_usage
  • ext_key_usage
  • netscape_cert_type
Note that these extensions are recognized and checked by the underlying OpenSSL code, not by the GSI libraries themselves.

In 1.1.x releases of the GSI, critical extensions other than the ones listed above were silently ignored.

Starting with 2.0, if an unrecognized critical extension is found, the verification code returns an error. This is the behaviour X.509 requires: a certificate carrying a critical extension that the verifier does not understand must be rejected, since the extension may restrict how the certificate can be used.

The one action the GSI libraries themselves take with respect to critical extensions concerns the keyCertSign bit of the keyUsage extension. A proxy certificate is signed with the user's own key, and an end-entity user certificate normally does not have keyCertSign set, so when OpenSSL verifies the proxy against the signing user certificate it reports an error because the signer's keyCertSign bit is false. The GSI library causes this one error to be ignored when the certificate being checked is a proxy certificate. This is the only OpenSSL extension error that GSI suppresses; other errors, including any unrecognized critical extension, are still reported.
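The following is an added example, not Globus or OpenSSL code, that models the two rules described on this page over a hand-rolled DER parser for the X.509 Extensions SEQUENCE: unrecognized critical extensions are ignored under the 1.1.x rule and rejected under the 2.0 rule, and the missing-keyCertSign error on the signing certificate is suppressed only when the certificate being checked is a proxy. The extension sets it parses are constructed inline (not real certificates), the OID 1.3.6.1.4.1.99999.1 is a made-up private-arc OID standing in for an unknown critical extension, and the error codes and the `gsi_check_issuer` function are this example's own names.

```python
"""Model of the GSI critical-extension rules over a minimal DER parser.

Added example, not Globus code. The DER helpers cover only what an X.509
Extensions SEQUENCE needs (short and long definite lengths, OID, BOOLEAN,
OCTET STRING, BIT STRING); the sample extension sets are constructed inline.
"""
from dataclasses import dataclass

# Critical extensions the page says the OpenSSL layer under GSI 2.0 handles.
HANDLED_CRITICAL = {
    "2.5.29.14": "subject_key_identifier",
    "2.5.29.35": "authority_key_identifier",
    "2.5.29.19": "basic_constraints",
    "2.5.29.15": "key_usage",
    "2.5.29.37": "ext_key_usage",
    "2.16.840.1.113730.1.1": "netscape_cert_type",
}
KEY_USAGE_OID = "2.5.29.15"
KEY_CERT_SIGN_BIT = 5  # KeyUsage bits: digitalSignature(0) ... keyCertSign(5), cRLSign(6)

# --- DER encoding (used only to build the sample input) ----------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(enc))
    return tlv(0x06, bytes(body))

def extension(dotted, value, critical=False):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    body = oid(dotted) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value)
    return tlv(0x30, body)

def key_usage(*bits):
    # BIT STRING: bit 0 is the MSB of the first content byte; DER drops trailing zero bits.
    if not bits:
        return tlv(0x03, b"\x00")
    value = 0
    for b in bits:
        value |= 0x8000 >> b
    data = value.to_bytes(2, "big").rstrip(b"\x00")
    unused = len(data) * 8 - (max(bits) + 1)
    return tlv(0x03, bytes([unused]) + data)

# --- DER decoding --------------------------------------------------------------
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

@dataclass
class Extension:
    oid: str
    critical: bool
    value: bytes  # the OCTET STRING content, i.e. the DER of the extension's own type

def parse_extensions(der):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:  # the BOOLEAN is present only when the extension is critical
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        exts.append(Extension(decode_oid(oid_body), critical, val))
    return exts

def bit_set(bitstring_der, bit):
    _, content, _ = read_tlv(bitstring_der, 0)
    unused, data = content[0], content[1:]
    byte, off = divmod(bit, 8)
    if byte >= len(data) or bit >= len(data) * 8 - unused:
        return False  # bit lies beyond the encoded bits, so it is zero
    return bool(data[byte] & (0x80 >> off))

# --- The two rules the page describes ------------------------------------------
def library_errors(issuer_exts):
    """Errors the underlying library reports for the certificate that signed the one
    being verified: unknown critical extensions, and keyUsage without keyCertSign."""
    errors = [("unhandled_critical", e.oid) for e in issuer_exts
              if e.critical and e.oid not in HANDLED_CRITICAL]
    for e in issuer_exts:
        if e.oid == KEY_USAGE_OID and not bit_set(e.value, KEY_CERT_SIGN_BIT):
            errors.append(("no_keycertsign", None))
    return errors

def gsi_check_issuer(issuer_der, gsi_version, issued_is_proxy):
    """Apply GSI's handling to the library errors and return those that survive."""
    kept = []
    for code, ext_oid in library_errors(parse_extensions(issuer_der)):
        if code == "unhandled_critical" and gsi_version < (2, 0):
            continue  # 1.1.x ignored unrecognized critical extensions; 2.0 reports them
        if code == "no_keycertsign" and issued_is_proxy:
            continue  # GSI suppresses this one error when a user cert signs its own proxy
        kept.append(code if ext_oid is None else f"{code}:{ext_oid}")
    return kept

# --- Constructed sample extension sets (not real certificates) -----------------
BASIC_CA_TRUE = tlv(0x30, tlv(0x01, b"\xff"))  # BasicConstraints { cA TRUE }
BASIC_CA_FALSE = tlv(0x30, b"")                # cA DEFAULT FALSE is omitted in DER
UNKNOWN_OID = "1.3.6.1.4.1.99999.1"            # made-up private-arc OID for the demo

CA_EXTS = tlv(0x30, extension("2.5.29.19", BASIC_CA_TRUE, critical=True)
                  + extension(KEY_USAGE_OID, key_usage(5, 6), critical=True))
USER_BODY = (extension("2.5.29.19", BASIC_CA_FALSE, critical=True)
             + extension(KEY_USAGE_OID, key_usage(0, 2), critical=True)  # digitalSignature, keyEncipherment
             + extension("2.5.29.14", tlv(0x04, b"\x01" * 20)))
USER_EXTS = tlv(0x30, USER_BODY)
USER_EXTS_ODD = tlv(0x30, USER_BODY + extension(UNKNOWN_OID, tlv(0x04, b"x"), critical=True))

if __name__ == "__main__":
    for label, der in [("CA", CA_EXTS), ("user", USER_EXTS), ("user+unknown", USER_EXTS_ODD)]:
        print(label, [(e.oid, e.critical) for e in parse_extensions(der)])
    print("user signs proxy, GSI 2.0:", gsi_check_issuer(USER_EXTS, (2, 0), True))
    print("odd user signs proxy, GSI 1.1:", gsi_check_issuer(USER_EXTS_ODD, (1, 1), True))
    print("odd user signs proxy, GSI 2.0:", gsi_check_issuer(USER_EXTS_ODD, (2, 0), True))
```

Running the module shows the three outcomes side by side: the plain user certificate signing a proxy passes under 2.0 only because the keyCertSign error is dropped, the same certificate signing a non-proxy keeps that error, and the unknown critical extension is tolerated under the 1.1.x rule but fails under 2.0 regardless of the proxy exception.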