x509 v1 certificate
wk at gnupg.org
Wed Sep 20 14:21:04 CEST 2006
On Tue, 19 Sep 2006 01:32, ARIGA Seiji said:
> hmm. let me ask one more. output below is from "gpgsm -kv". you can see
> "[error: No value]" at "key usage:" and "chain length:" field (which,
> i think, is in x509 extension field that x509 version 1 cert doesn't
> have). isn't this the same error i got when i run "gpgsm --verify" ?
Yes. I have now looked at the certificate. The problematic part in
the chain is the root certificate:
$ gpgsm --dump-cert --with-validation --disable-crl-checks 85:37 [...]
Serial number: 7DD9FE07CFA81EB7107967FBA78934C6
Issuer: OU=VeriSign Trust Network,OU=(c) 1998 VeriSign[...]
Subject: OU=VeriSign Trust Network,OU=(c) 1998 VeriSign[...]
notBefore: 1998-05-18 00:00:00
notAfter: 2028-08-01 23:59:59
hashAlgo: 1.2.840.1135126.96.36.199 (sha1WithRSAEncryption)
keyType: 1024 bit RSA
keyUsage: [error: No value]
chainLength: [error: No value]
[certificate is bad: No value]
As you rightfully noticed, the keyUsage is missing and gpgsm flags
this as an error. However, PKIX (rfc3280) says:
This extension MUST appear in certificates that contain public keys
that are used to validate digital signatures on other public key
certificates or CRLs. When this extension appears, it SHOULD be
Other profiles (e.g. ISIS-MTT) state it even more clear.
The missing basicContraints ("chainLength" above) is another reason
why this certificate is not valid (rfc3280, 188.8.131.52):
This extension MUST appear as a critical extension in all CA
certificates that contain public keys used to validate digital
signatures on certificates. [...]
The question whether version 1 is supported is thus non-relevant
because we are validating certificates. In this case PKIX requires
extensions and following from that version should be 3 as per 184.108.40.206.
The question now is how we can support these root certificates. An
option to bypass the failing checks would be an appropriate way.
However I am reluctant to add a general option to do this.
I am currently investigating how we can completely support qualified
signatures according to the German law. This might require a mechanism
to allow certain exceptions.
More information about the Gnupg-devel