[gnutls-devel] GnuTLS | Certtool doesn't allow keyusage Digital signature in CA certificates (#767)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Tue May 14 22:23:07 CEST 2019
New Issue was created.
Issue 767: https://gitlab.com/gnutls/gnutls/issues/767
Author: Thomas Karlsson
Assignees:
## Description of problem:
Certtool does not put keyusage "Signing" when it is specified in the template, if "ca" is also specified in the template.
## Version of gnutls used:
3.6.5
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu (3.6.5-2ubuntu1)
## How reproducible:
root-ca.cfg:

```
organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key
```

ca.cfg:

```
organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0
```

Commands:

```
certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem
certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem
certtool --generate-request --load-privkey Initech_CA-key.pem --template ca.cfg --outfile Initech_CA-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template ca.cfg --outfile Initech_CA-cert.pem
```
## Actual results:
Keyusage "Signing" is not in the subsidiary CA, even when specified in the template. The code only allows this when the certificate is NOT a CA or it is a server certificate.
Subsidiary CAs should have the keyusage "Signing".
## Expected results:
Keyusage "Signing" should be in certificate of the subsidiary CA.
## Proposed fix:
Add a new option called "subca".
Allow option subca to add GNUTLS_KEY_DIGITAL_SIGNATURE. (Line 554)
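The following is an added example, not code from the issue above or from the GnuTLS project. It gives a mechanical check for the property the report asks for (an intermediate CA certificate carrying the Digital signature bit alongside Certificate signing and CRL signing) by parsing the "Key Usage" block of `certtool -i` output, and it wraps the reporter's reproduction steps so the check can be run against a freshly built intermediate CA when certtool is installed. It assumes that `certtool -i` prints the extension as "Key Usage (critical):" followed by one indented usage per line ending in a period, with the next extension header containing a colon; the two sample texts are constructed in that layout, not captured output. The directory name and file names are arbitrary.

```shell
#!/bin/sh
# Added example (not from the GnuTLS issue or project). Assumption: certtool -i
# prints "Key Usage (critical):" and then one indented usage per line, each
# ending in a period; the next extension header is a line containing ":".

# key_usages: read `certtool -i` text on stdin, print one key-usage name per line.
key_usages() {
  awk '
    /^[ \t]*Key Usage/ { in_ku = 1; next }   # enter the Key Usage block
    in_ku && /:/       { in_ku = 0 }         # the next extension header ends it
    in_ku && /\.$/     { sub(/^[ \t]+/, ""); sub(/\.$/, ""); print }
  '
}

# has_usage TEXT NAME: succeed if NAME is listed among the key usages in TEXT.
has_usage() {
  printf '%s\n' "$1" | key_usages | grep -qx "$2"
}

# subca_ok TEXT: the property the issue asks for. Succeed only if TEXT marks a
# CA and lists Digital signature, Certificate signing and CRL signing.
subca_ok() {
  printf '%s\n' "$1" | grep -q 'Certificate Authority (CA): TRUE' || return 1
  for u in 'Digital signature' 'Certificate signing' 'CRL signing'; do
    has_usage "$1" "$u" || return 1
  done
}

# Constructed samples (not captured output) in the assumed certtool -i layout:
# SUBCA_REPORTED is what the reporter observed for the intermediate CA,
# SUBCA_EXPECTED is what the ca.cfg template asked for.
SUBCA_REPORTED='    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
            Path Length Constraint: 0
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Subject Key Identifier (not critical):
            0123456789abcdef'
SUBCA_EXPECTED='    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
            Path Length Constraint: 0
        Key Usage (critical):
            Digital signature.
            Certificate signing.
            CRL signing.
        Subject Key Identifier (not critical):
            0123456789abcdef'

# repro DIR: run the reporter's certtool steps in DIR (created if needed) and
# return subca_ok's verdict for the resulting intermediate CA certificate.
# Returns 2 if certtool is missing or any step fails.
repro() {
  dir=$1
  command -v certtool >/dev/null 2>&1 || { echo "certtool not found" >&2; return 2; }
  mkdir -p "$dir"
  cat > "$dir/root-ca.cfg" <<'EOF'
organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key
EOF
  cat > "$dir/ca.cfg" <<'EOF'
organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0
EOF
  (
    cd "$dir" &&
    certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem &&
    certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem \
      --template root-ca.cfg --outfile Initech_Root_CA-cert.pem &&
    certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem &&
    certtool --generate-request --load-privkey Initech_CA-key.pem \
      --template ca.cfg --outfile Initech_CA-csr.pem &&
    certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem \
      --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem \
      --template ca.cfg --outfile Initech_CA-cert.pem
  ) >/dev/null 2>&1 || { echo "certtool failed" >&2; return 2; }
  text=$(certtool -i --infile "$dir/Initech_CA-cert.pem")
  echo "Intermediate CA key usage:"; printf '%s\n' "$text" | key_usages
  subca_ok "$text"
}

# Usage: . ./check_subca_ku.sh; repro /tmp/initech-pki && echo "Digital signature present" || echo "Digital signature missing"
```

`subca_ok` encodes the expected result from the report as a pass/fail check; run against a certtool affected by the issue, `repro` prints only "Certificate signing" and "CRL signing" for the intermediate CA and fails, which is the behaviour the report describes. `subca_ok` can also be applied to `certtool -i` output saved from any other CA certificate.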