gpgsm OCSP question (key usage checking for response verification)
Daiki Ueno
ueno at unixuser.org
Wed May 17 09:40:04 CEST 2006
Hello,
I have been playing with gpgsm with --enable-ocsp, and I got an error:

  $ gpgsm --sign /dev/null
  gpgsm: certificate should have not been used for OCSP response signing

This error was caused by cert_usage_p in gnupg19/sm/certlist.c:
147:   if (mode == 5)
148:     {
149:       if (use != ~0
150:           && (have_ocsp_signing
151:               || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
152:                          |KSBA_KEYUSAGE_CRL_SIGN))))
153:         return 0;
154:       log_info (_("certificate should have not "
155:                   "been used for OCSP response signing\n"));
156:       return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
157:     }
I stepped through the execution using GDB; at line 149, use == 0xffffffff
(== ~0) and have_ocsp_signing == 1. Now, my question is: why doesn't it
accept the value ~0 for the variable use? use corresponds to the
key usage of the given certificate.
I'm testing against the CAcert OCSP responder.
Regards,
--
Daiki Ueno
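
The condition quoted in the message, evaluated over a few constructed inputs, as an added example that is not part of the original post or of GnuPG. The bit values are stand-ins so it builds without libksba, reading ~0 as "no key usage restriction recorded" is an assumption, and ocsp_check_eku_first is a hypothetical variant shown only for comparison.

```c
#include <stdio.h>

/* Stand-in bit values (assumed, not taken from the post) so this builds
   without libksba. */
#define KU_DIGITAL_SIGNATURE 1u
#define KU_KEY_CERT_SIGN     32u
#define KU_CRL_SIGN          64u
#define KU_UNSET             (~0u)  /* the value the poster saw in `use` */

/* The mode == 5 condition as quoted: 1 = accepted, 0 = wrong key usage. */
static int ocsp_check_as_quoted(unsigned int use, int have_ocsp_signing)
{
    return use != KU_UNSET
           && (have_ocsp_signing
               || (use & (KU_KEY_CERT_SIGN | KU_CRL_SIGN)));
}

/* Hypothetical variant: the OCSP-signing extended key usage is sufficient
   on its own; the ~0 value only disables the key-usage bit test. */
static int ocsp_check_eku_first(unsigned int use, int have_ocsp_signing)
{
    if (have_ocsp_signing)
        return 1;
    return use != KU_UNSET
           && (use & (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) != 0;
}

int main(void)
{
    /* Constructed inputs; the first row is the case from the GDB session. */
    struct { const char *desc; unsigned int use; int eku; } cases[] = {
        { "use=~0, OCSP-signing EKU",         KU_UNSET,             1 },
        { "use=~0, no EKU",                   KU_UNSET,             0 },
        { "digitalSignature + OCSP EKU",      KU_DIGITAL_SIGNATURE, 1 },
        { "digitalSignature only",            KU_DIGITAL_SIGNATURE, 0 },
        { "cRLSign only",                     KU_CRL_SIGN,          0 },
    };
    size_t i;

    printf("%-32s %-10s %s\n", "case", "as quoted", "EKU first");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s %-10s %s\n", cases[i].desc,
               ocsp_check_as_quoted(cases[i].use, cases[i].eku) ? "accept" : "reject",
               ocsp_check_eku_first(cases[i].use, cases[i].eku) ? "accept" : "reject");
    return 0;
}
```

The first row shows why the reported run falls through to the log_info call: the `use != ~0` test fails before have_ocsp_signing is consulted.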