[gnutls-devel] GnuTLS | GnuTLS accepted certificate with wrong value for Keyusage extension (#1673)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Mar 3 13:23:10 CET 2025 


dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1673



## Description of problem:
GnuTLS accepted certificate with wrong value for Keyusage extension.WolfSSL believes that the key usage value of the certificate is wrong.

The key usage value is: cRLSign, keyAgreement, decipherOnly, nonRepudiation, dataEncipherment, keyCertSign (critical=True).

According to RFC5280 (section 4.2.1.3), the keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted.

## Version of gnutls used:
gnutls-cli 3.8.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu

## How reproducible:

Steps to Reproduce:

 * one certtool --verify --load-ca-certificate RootCA.pem --infile Cert17408145466.pem [Cert17408145466.pem](/uploads/93373540eb7d0a1eeaf9438fae97d70f/Cert17408145466.pem)

[RootCA.pem](/uploads/15249761053afba0f63a86587f3db6e5/RootCA.pem)


## Actual results:

```
Loaded CAs (1 available)
Setting log level to 10
	Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted. 
Chain verification output: Verified. The certificate is trusted.
``` 

## Expected results:
Not verified. The certificate is NOT trusted.
WolfSSL:wolfSSL_CertManagerVerify failed with return code -226 and error message Key Usage value error

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1673
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20250303/4186560f/attachment-0001.html>

More information about the Gnutls-devel mailing list