[gnutls-devel] GnuTLS | Certtool doesn't allow keyusage Digital signature in CA certificates (#767)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 14 22:23:07 CEST 2019



New Issue was created.

Issue 767: https://gitlab.com/gnutls/gnutls/issues/767
Author:    Thomas Karlsson
Assignees: 

## Description of problem:
Certtool does not put keyusage Signing when specified in the template, when "ca" is also specified in the template.

## Version of gnutls used:
3.6.5

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu (3.6.5-2ubuntu1)

## How reproducible:
root-ca.cfg

organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key

ca.cfg

organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0


certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem
certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem
certtool --generate-request --load-privkey Initech_CA-key.pem --template ca.cfg --outfile Initech_CA-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template ca.cfg --outfile Initech_CA-cert.pem


## Actual results:
Keyusage "Signing" is not in the subsidiary CA, even when specified in the template. The code only allows this when the certificate is NOT a CA or it is a server certificate.
Subsidiary CAs should have the keyusage "Signing".

## Expected results:
Keyusage "Signing" should be in certificate of the subsidiary CA.

## Proposed fix:
Add a new option called "subca".

Allow option subca to add GNUTLS_KEY_DIGITAL_SIGNATURE. (Line 554)
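To see which keyUsage bits actually landed in the generated subordinate certificate, here is an added example (written for this page; it is not code from the issue, from certtool or from GnuTLS). It decodes and re-encodes the X.509 keyUsage BIT STRING by hand using only the Python standard library, so it can be run against Initech_CA-cert.pem offline. Assumptions that are not in the original post: the sample extension bytes are constructed by hand (the critical flag is assumed), and the extension locator is a heuristic that searches the certificate DER for the keyUsage OID rather than walking the full TBSCertificate structure.

```python
"""Decode/encode the X.509 keyUsage extension (RFC 5280, section 4.2.1.3).

Added example, not part of the gnutls issue or of certtool. Run as
    python3 keyusage.py Initech_CA-cert.pem
to print the bits present and which of digitalSignature/keyCertSign/cRLSign
a signing subordinate CA is missing. Without an argument it uses the
constructed sample extension below.
"""
import ssl
import sys

# Bit positions of the KeyUsage BIT STRING (RFC 5280), MSB of byte 0 is bit 0.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# What the issue expects a subordinate CA created with ca + signing_key to get.
SUB_CA_EXPECTED = {"digitalSignature", "keyCertSign", "cRLSign"}

TAG_BOOLEAN, TAG_BIT_STRING, TAG_OCTET_STRING = 0x01, 0x03, 0x04
KEY_USAGE_OID_TLV = bytes.fromhex("0603551d0f")   # OID 2.5.29.15 as a DER TLV

# Constructed samples (assumption: extension marked critical). First: the
# bits the issue reports for the sub-CA, keyCertSign + cRLSign only.
SAMPLE_EXT_WITHOUT_DS = bytes.fromhex("300e" "0603551d0f" "0101ff" "0404" "03020106")
# Second: the same extension with digitalSignature, as the template asked for.
SAMPLE_EXT_WITH_DS = bytes.fromhex("300e" "0603551d0f" "0101ff" "0404" "03020186")


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the DER TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING TLV into the set of bit names it sets."""
    tag, value, _ = read_tlv(der)
    if tag != TAG_BIT_STRING or not value:
        raise ValueError("not a BIT STRING")
    unused, bits = value[0], value[1:]
    # DER requires the unused trailing bits to be zero; reject sloppy encodings.
    if unused and bits and bits[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero unused bits in BIT STRING")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_idx, bit_idx = divmod(i, 8)
        if byte_idx >= len(bits):
            break
        if bits[byte_idx] & (0x80 >> bit_idx):
            names.add(name)
    return names


def encode_key_usage(names) -> bytes:
    """Encode a set of bit names as a canonical (DER) KeyUsage BIT STRING TLV."""
    value, highest = 0, -1
    for name in names:
        i = KEY_USAGE_BITS.index(name)
        value |= 1 << (15 - i)                          # 16-bit field, MSB first
        highest = max(highest, i)
    if highest < 0:
        return bytes([TAG_BIT_STRING, 1, 0])            # empty bit string
    nbytes = highest // 8 + 1                           # drop the trailing zero byte
    bits = (value >> (8 * (2 - nbytes))).to_bytes(nbytes, "big")
    unused = 8 * nbytes - (highest + 1)
    return bytes([TAG_BIT_STRING, nbytes + 1, unused]) + bits


def missing_sub_ca_usage(der: bytes) -> set:
    """Bits from SUB_CA_EXPECTED that a KeyUsage BIT STRING does not set."""
    return SUB_CA_EXPECTED - decode_key_usage(der)


def find_key_usage(cert_der: bytes) -> bytes:
    """Return the BIT STRING TLV inside the keyUsage extension of a DER cert.

    Heuristic (assumption): finds the OID TLV by byte search; the same bytes
    inside key or signature material would mislead it, unlike a full parser."""
    pos = cert_der.find(KEY_USAGE_OID_TLV)
    if pos < 0:
        raise ValueError("no keyUsage extension")
    _, _, nxt = read_tlv(cert_der, pos)                 # skip the OID itself
    tag, value, nxt = read_tlv(cert_der, nxt)
    if tag == TAG_BOOLEAN:                              # optional 'critical' flag
        tag, value, nxt = read_tlv(cert_der, nxt)
    if tag != TAG_OCTET_STRING:
        raise ValueError("malformed keyUsage extension")
    return value                                        # extnValue holds the BIT STRING


def load_cert_der(pem_or_der: bytes) -> bytes:
    """Accept a PEM or DER certificate file's bytes and return DER."""
    if pem_or_der.startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(pem_or_der.decode("ascii"))
    return pem_or_der


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXT_WITHOUT_DS
    ku = find_key_usage(load_cert_der(data))
    print("keyUsage bits:", sorted(decode_key_usage(ku)))
    print("missing for a signing sub-CA:", sorted(missing_sub_ca_usage(ku)))
```

The encoder is there so the two encodings can be compared byte for byte: keyCertSign + cRLSign alone is `03 02 01 06`, and adding digitalSignature flips the top bit to `03 02 01 86`, which is the one-bit difference the issue is about. A certificate that prints a non-empty "missing" set was issued without the bit regardless of what the template said.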
