gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root
Werner Koch
wk at gnupg.org
Fri Apr 3 14:34:26 CEST 2009
On Thu, 2 Apr 2009 14:28, bernhard at intevation.de said:
> Something is wrong with
> CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
> Corporation,C=US,serial#: 01A5
> http://www.telesec.de/service/GTE-CyberTrust-Global-Root.der
In libksba/tests you find a useful tool for such cases:
$ ./cert-basic GTE-CyberTrust-Global-Root.der
Certificate in `GTE-CyberTrust-Global-Root.der':
serial....: (#01A5# )
issuer....: `CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US'
subject...: `CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US'
notBefore.: 1998-08-13 00:29:00
notAfter..: 2018-08-13 23:59:00
hash algo.: 1.2.840.113549.1.1.4 (md5withRSAEncryption)
cert-basic.c:285: enumerating extensions failed: No value
SubjectKeyIdentifier: none
AuthorityKeyIdentifier: none
cert-basic.c:343: ksba_cert_is_ca failed: No value
KeyUsage: Not specified
ExtKeyUsages: none
CertificatePolicies: none
cert-basic.c:453: ksba_cert_get_crl_dist_point failed: No value
cert-basic.c:472: ksba_cert_get_authority_info_access failed: No value
cert-basic.c:491: ksba_cert_get_subject_info_access failed: No value
"ksba_cert_is_ca failed" is the problem with that certificate. It is a
root certificate but it does not say so in its signedAttributes. Hmmm,
there are no signed attributes at all.
BTW, I consider this a feature of GnuPG: Would you really trust a CA
which issues a root certificate valid for 20 years? That was even
ridiculous back in 1998. The use of MD5 was kind of justified 11 years
ago.
Don't spend any more time on this, you better use plaintext than GTE
Cybertrust "secured" encryption.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
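
Added example, not part of the original message and not libksba code: cert-basic above reports "No value" when it enumerates extensions, and a certificate without an extensions block has no basicConstraints from which a CA flag could be read. The sketch below walks a DER certificate with the Python standard library and reports the tbsCertificate version, whether the signature OID is the md5withRSAEncryption one shown above, and whether an extensions block exists. The function names and the two SAMPLE_* byte strings are assumptions made for this example; the samples are constructed skeletons, not real certificates.

```python
# Added example, standard library only. SAMPLE_* are constructed skeletons, not real certs.
MD5_RSA = bytes.fromhex("2a864886f70d010104")  # DER body of OID 1.2.840.113549.1.1.4

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf):
    """List (tag, value) for each element directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        out.append((tag, buf[start:end]))
        pos = end
    return out

def inspect(der):
    """Report the tbsCertificate version, MD5 signature use and extensions presence."""
    fields = children(children(children(der)[0][1])[0][1])  # Certificate -> tbsCertificate
    version = 1  # DEFAULT v1 when the [0] version field is absent
    if fields[0][0] == 0xA0:
        version = children(fields[0][1])[0][1][0] + 1
        fields = fields[1:]
    sig_oid = children(fields[1][1])[0][1]  # fields: serial, AlgorithmIdentifier, ...
    has_ext = any(tag == 0xA3 for tag, _ in fields)  # [3] extensions, home of basicConstraints
    return {"version": version, "md5": sig_oid == MD5_RSA, "has_extensions": has_ext}

def tlv(tag, body):  # short-form encoder, enough for the small samples below
    return bytes([tag, len(body)]) + body

ALG = tlv(0x30, tlv(0x06, MD5_RSA) + b"\x05\x00")
CORE = (tlv(0x02, b"\x01\xa5") + ALG + tlv(0x30, b"")  # serial, algorithm, empty issuer
        + tlv(0x30, tlv(0x17, b"980813002900Z") + tlv(0x17, b"180813235900Z"))
        + tlv(0x30, b"") + tlv(0x30, b""))  # empty subject and key placeholders

def wrap(tbs_body):
    return tlv(0x30, tlv(0x30, tbs_body) + ALG + tlv(0x03, b"\x00"))

SAMPLE_NO_EXT = wrap(CORE)
SAMPLE_V3 = wrap(tlv(0xA0, tlv(0x02, b"\x02")) + CORE + tlv(0xA3, tlv(0x30, b"")))

if __name__ == "__main__":
    import sys
    print(inspect(open(sys.argv[1], "rb").read()) if sys.argv[1:] else inspect(SAMPLE_NO_EXT))
```

Run it with the path of a DER-encoded certificate as the only argument; PEM input has to be converted to DER first.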