[gnutls-devel] GnuTLS | certtool automatically applies "digital signature" usage flag for EdDSA and other certificates (#1227)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu May 6 00:31:45 CEST 2021

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1227

the relevant bits of `generate_certificate()` in `src/certtool.c` say:

		if (!ca_status || server) {
			if (pk == GNUTLS_PK_RSA ||
			    pk == GNUTLS_PK_GOST_01 ||
			    pk == GNUTLS_PK_GOST_12_256 ||
			    pk == GNUTLS_PK_GOST_12_512)  {	/* DSA and ECDSA keys can only sign. */
				result = get_sign_status(server);
				if (result)
					usage |=

				result = get_encrypt_status(server);
				if (result)
					usage |=
			} else {

This suggests that as long as the generated certificate is not a CA, and it is not one of the selected algorithms, it *must* have the "digital signature" flag set in its usage field.

But [rfc 8410](https://www.rfc-editor.org/rfc/rfc8410#section-5) suggests, for example, that an end-entity certificate using Ed25519 with only the "non-repudiation" usage set should be acceptable.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1227
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210505/f692782c/attachment.html>

More information about the Gnutls-devel mailing list