[gnutls-devel] GnuTLS | Certtool doesn't add CDP from the template (#765)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 14 21:26:18 CEST 2019



New Issue was created.

Issue 765: https://gitlab.com/gnutls/gnutls/issues/765
Author:    Thomas Karlsson
Assignees: 

## Description of problem:
The CRL Distribution Point is not written to the signed certificate when it is specified in the template.

## Version of gnutls used:
3.6.5

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu (3.6.5-2ubuntu1)

## How reproducible:
root-ca.cfg

```
organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key
```

ca.cfg

```
organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0
```

```sh
certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem
certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem
certtool --generate-request --load-privkey Initech_CA-key.pem --template ca.cfg --outfile Initech_CA-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template ca.cfg --outfile Initech_CA-cert.pem
```

## Actual results:
No CDP in the subsidiary CA. The code doesn't honor the CDP in the template; it only tries to copy the CDP from the signing CA. It doesn't make sense to copy the CDP from the signing CA: the CDP is different for the CA and for a certificate it signs.

## Expected results:
At least a CDP in the certificate, and preferably only the ones from the template.

## Proposed fix:
In certtool.c:

- Remove `gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);`
- Add `get_crl_dist_point_set(crt)`
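To verify whether an issued certificate actually carries the CDP from the template, the following stdlib-only check is added here as an example (it is not part of the report or of GnuTLS). It walks a DER-encoded X.509 Extensions SEQUENCE, finds id-ce-cRLDistributionPoints, and returns the fullName URIs; the Extensions bytes below are a constructed sample that names the report's URL, and the helper names (`_tlv`, `_children`, `_der`, `crl_dist_points`) are the example's own.

```python
CDP_OID = "2.5.29.31"   # id-ce-cRLDistributionPoints, RFC 5280 section 4.2.1.13

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                           # (tag, value) of each nested TLV
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _decode_oid(raw):
    parts, acc = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def crl_dist_points(extensions_der):
    """Return the fullName URIs of every CDP in the extension list ([] if absent)."""
    uris = []
    _, exts, _ = _tlv(extensions_der, 0)
    for _, ext in _children(exts):   # Extension ::= SEQUENCE {extnID, [critical], extnValue}
        fields = list(_children(ext))
        if _decode_oid(fields[0][1]) != CDP_OID:
            continue
        _, cdps, _ = _tlv(fields[-1][1], 0)     # extnValue wraps CRLDistributionPoints
        for _, dp in _children(cdps):           # each DistributionPoint
            for tag, dpn in _children(dp):
                if tag == 0xA0:                 # distributionPoint [0] DistributionPointName
                    for tag2, names in _children(dpn):
                        if tag2 == 0xA0:        # fullName [0] GeneralNames
                            uris += [gn.decode("ascii") for t, gn in _children(names)
                                     if t == 0x86]  # uniformResourceIdentifier [6]
    return uris
def _der(tag, payload):                         # sample helper: short-form DER TLV (< 128 bytes)
    return bytes([tag, len(payload)]) + payload
# Constructed sample (not from a real certificate): critical basicConstraints, with/without a CDP for the report's URL.
URL = "http://crl.initech.lan/Initech_Root_CA.crl"
BASIC = _der(0x30, _der(0x06, b"\x55\x1d\x13") + _der(0x01, b"\xff")
             + _der(0x04, _der(0x30, _der(0x01, b"\xff"))))
CDP = _der(0x30, _der(0x06, b"\x55\x1d\x1f") + _der(0x04, _der(0x30, _der(0x30,
          _der(0xA0, _der(0xA0, _der(0x86, URL.encode("ascii"))))))))
WITH_CDP, WITHOUT_CDP = _der(0x30, BASIC + CDP), _der(0x30, BASIC)
```

On a real certificate, pass the Extensions SEQUENCE sliced out of the DER (the `[3]` element of TBSCertificate); an empty result for the subsidiary CA is exactly the symptom reported above.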
