[gnutls-devel] Certificate generation with certtool 3.4.8: Missing Key Usage flags
Thomas Klute
thomas2.klute at uni-dortmund.de
Sat Jan 30 01:57:12 CET 2016
Hi everyone,
my attempt to build mod_gnutls with GnuTLS 3.4.8 (Debian unstable)
failed at the testing stage due to certificate validation errors.
Looking at the certificates, I found that certtool didn't set Key Usage
extensions correctly. Details below, and you're welcome to ask if you
need additional information. You can find my development version of the
mod_gnutls test suite code at [1].
The test suite creates a self-signed CA based on this template:
> serial=1
> cn="Testing Authority"
> ca
> cert_signing_key
> crl_signing_key
This CA is then used to create certificates for a number of test
entities. This works just fine with GnuTLS 3.3, but with 3.4.8 I
encountered verification failures like this one when using the certificates:
> Chain verification output: Not verified. The certificate is NOT
> trusted. The certificate chain violates the signer's constraints.
And sure enough, the Key Usage extension in the CA certificate does not
look right. It's empty!
> Extensions:
> Basic Constraints (critical):
> Certificate Authority (CA): TRUE
> Key Usage (critical):
> Subject Key Identifier (not critical):
> be4ec811e688f076e64dd557398be8fee83902de
For comparison, it looks as expected in a CA certificate created with
GnuTLS 3.3.15:
> Extensions:
> Basic Constraints (critical):
> Certificate Authority (CA): TRUE
> Key Usage (critical):
> Certificate signing.
> CRL signing.
> Subject Key Identifier (not critical):
> bc128c22d91b272063e7994bf6d9adccbd2cc877
In the test suite I can work around the bug by not setting any key usage
flags at all, but I still think it should be fixed. ;-)
Regards,
Thomas
[1] https://github.com/airtower-luna/mod_gnutls/tree/master/test
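A check for the symptom described above, added here as an example and not code from the post, from mod_gnutls or from GnuTLS: it decodes a KeyUsage extension value (a DER BIT STRING, RFC 5280 section 4.2.1.3) and reports whether a CA certificate actually carries the keyCertSign and cRLSign flags the template asked for. The DER byte strings are constructed samples, not taken from the certificates in the report.

```python
"""Decode an X.509 KeyUsage extension value and check CA signing flags.
Added example with constructed inputs; not certtool's own code."""

# RFC 5280 KeyUsage bit names, indexed by bit position (MSB of byte 0 first).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def _read_length(der, pos):
    """Parse a DER length field at der[pos]; return (length, next_pos)."""
    first = der[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    nbytes = first & 0x7F                 # long form: N length bytes follow
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(der[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def decode_key_usage(der):
    """Return the set of KeyUsage flag names set in a DER BIT STRING."""
    if not der or der[0] != 0x03:
        raise ValueError("KeyUsage must be a DER BIT STRING (tag 0x03)")
    length, pos = _read_length(der, 1)
    body = der[pos:pos + length]
    if len(body) != length or length < 1:
        raise ValueError("truncated BIT STRING")
    unused, bits = body[0], body[1:]      # first byte = count of unused bits
    if unused > 7 or (not bits and unused != 0):
        raise ValueError("invalid unused-bits count")
    total_bits = len(bits) * 8 - unused
    flags = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i])
    return flags

def ca_key_usage_problems(der):
    """List what is missing for a CA template with cert_signing_key and
    crl_signing_key; an empty extension is reported as its own problem."""
    flags = decode_key_usage(der)
    if not flags:
        return ["KeyUsage extension present but empty"]
    return [f"missing {name}" for name in ("keyCertSign", "cRLSign")
            if name not in flags]

# Constructed samples: the expected encoding for a CA with both signing
# flags set, and an empty BIT STRING like the 3.4.8 output suggests.
GOOD_CA_KEY_USAGE = bytes.fromhex("03020106")   # keyCertSign | cRLSign
EMPTY_KEY_USAGE = bytes.fromhex("030100")       # no bits set at all

if __name__ == "__main__":
    for label, der in (("good", GOOD_CA_KEY_USAGE), ("empty", EMPTY_KEY_USAGE)):
        print(label, sorted(decode_key_usage(der)), ca_key_usage_problems(der))
```

To run it against a real certificate, feed it the raw value of the 2.5.29.15 extension (the OCTET STRING contents) from your own parser; the expected output for a CA built from the template above is an empty problem list.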