[gnutls-devel] GnuTLS | certtool automatically applies "digital signature" usage flag for EdDSA and other certificates (#1227)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu May 6 00:31:45 CEST 2021
Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1227
The relevant bits of `generate_certificate()` in `src/certtool.c` say:
```c
if (!ca_status || server) {
    if (pk == GNUTLS_PK_RSA ||
        pk == GNUTLS_PK_GOST_01 ||
        pk == GNUTLS_PK_GOST_12_256 ||
        pk == GNUTLS_PK_GOST_12_512) { /* DSA and ECDSA keys can only sign. */
        result = get_sign_status(server);
        if (result)
            usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
        result = get_encrypt_status(server);
        if (result)
            usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
    } else {
        usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
    }
```
This suggests that as long as the generated certificate is not a CA, and it is not one of the selected algorithms, it *must* have the "digital signature" flag set in its usage field.
But [RFC 8410](https://www.rfc-editor.org/rfc/rfc8410#section-5) suggests, for example, that an end-entity certificate using Ed25519 with only the "non-repudiation" usage set should be acceptable.
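The following is an added example written for this page; it is not code from GnuTLS or from the issue above. It models only the quoted certtool branch (with hypothetical `PK_*` stand-ins for `gnutls_pk_algorithm_t` and local `KU_*` constants rather than GnuTLS's `GNUTLS_KEY_*` values), encodes and decodes the RFC 5280 KeyUsage BIT STRING so the resulting bits can be inspected in DER, and checks a usage set against the RFC 8410 section 5 rule for Ed25519/Ed448 end-entity certificates. Reading that rule as forbidding any bit other than nonRepudiation, digitalSignature and keyCertSign is this example's own interpretation.

```c
#include <stdint.h>
#include <string.h>

/* RFC 5280 KeyUsage named bits; bit 0 is the MSB of the BIT STRING's first
   content octet. Local constants, not GnuTLS's GNUTLS_KEY_* values. */
enum {
    KU_DIGITAL_SIGNATURE = 1u << 0, KU_NON_REPUDIATION   = 1u << 1,
    KU_KEY_ENCIPHERMENT  = 1u << 2, KU_DATA_ENCIPHERMENT = 1u << 3,
    KU_KEY_AGREEMENT     = 1u << 4, KU_KEY_CERT_SIGN     = 1u << 5,
    KU_CRL_SIGN          = 1u << 6, KU_ENCIPHER_ONLY     = 1u << 7,
    KU_DECIPHER_ONLY     = 1u << 8
};

/* Hypothetical stand-ins for gnutls_pk_algorithm_t. */
enum pk_alg { PK_RSA, PK_GOST_12_256, PK_DSA, PK_ECDSA, PK_EDDSA_ED25519 };

/* Model of only the certtool branch quoted in the issue: for a non-CA (or
   server) certificate, RSA/GOST keys take digitalSignature/keyEncipherment
   from the answers given; any other algorithm is forced to digitalSignature. */
unsigned certtool_usage(enum pk_alg pk, int ca_status, int server,
                        int want_sign, int want_encrypt)
{
    unsigned usage = 0;
    if (!ca_status || server) {
        if (pk == PK_RSA || pk == PK_GOST_12_256) {
            if (want_sign)    usage |= KU_DIGITAL_SIGNATURE;
            if (want_encrypt) usage |= KU_KEY_ENCIPHERMENT;
        } else {
            usage |= KU_DIGITAL_SIGNATURE;
        }
    }
    return usage;
}

/* RFC 8410 section 5: keyUsage in an Ed25519/Ed448 end-entity certificate
   must hold one or more of nonRepudiation, digitalSignature, keyCertSign.
   Treating any other bit as disallowed is this example's reading. */
int rfc8410_ee_usage_ok(unsigned usage)
{
    const unsigned allowed = KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE |
                             KU_KEY_CERT_SIGN;
    return usage != 0 && (usage & ~allowed) == 0;
}

/* DER KeyUsage BIT STRING: tag 0x03, length, unused-bits octet, then the
   bits with trailing zero bits dropped (DER rule for named bit lists).
   Returns the encoded length, or 0 if `out` is too small. */
size_t keyusage_to_der(unsigned usage, uint8_t *out, size_t outlen)
{
    uint8_t bits[2] = { 0, 0 };
    int highest = -1;
    for (int b = 0; b < 9; b++)
        if (usage & (1u << b)) { bits[b / 8] |= 0x80 >> (b % 8); highest = b; }
    size_t nbytes = highest < 0 ? 0 : (size_t)highest / 8 + 1;
    unsigned unused = highest < 0 ? 0 : 7 - (unsigned)(highest % 8);
    if (outlen < 3 + nbytes) return 0;
    out[0] = 0x03; out[1] = (uint8_t)(1 + nbytes); out[2] = (uint8_t)unused;
    memcpy(out + 3, bits, nbytes);
    return 3 + nbytes;
}

/* Decode a KeyUsage BIT STRING; rejects a bad length, non-zero padding bits
   and any bit beyond the nine RFC 5280 defines. 0 on success, -1 otherwise. */
int keyusage_from_der(const uint8_t *der, size_t len, unsigned *usage)
{
    if (len < 3 || der[0] != 0x03 || der[1] != len - 2) return -1;
    size_t nbytes = len - 3;
    unsigned unused = der[2], u = 0;
    if (nbytes > 2 || unused > 7 || (nbytes == 0 && unused != 0)) return -1;
    if (nbytes > 0 && (der[len - 1] & ((1u << unused) - 1)) != 0) return -1;
    for (size_t pos = 0; pos < nbytes * 8 - unused; pos++) {
        if (!(der[3 + pos / 8] & (0x80 >> (pos % 8)))) continue;
        if (pos > 8) return -1;
        u |= 1u << pos;
    }
    *usage = u;
    return 0;
}

/* 1 if `der` decodes as a well-formed KeyUsage, else 0. */
int keyusage_der_valid(const uint8_t *der, size_t len)
{
    unsigned u;
    return keyusage_from_der(der, len, &u) == 0;
}

/* The encoding packed big-endian into an integer (at most 5 bytes). */
uint64_t keyusage_der_u64(unsigned usage)
{
    uint8_t der[8];
    uint64_t v = 0;
    size_t n = keyusage_to_der(usage, der, sizeof der);
    for (size_t i = 0; i < n; i++) v = (v << 8) | der[i];
    return v;
}

/* 1 if encode -> decode gives `usage` back unchanged. */
int keyusage_der_roundtrip_ok(unsigned usage)
{
    uint8_t der[8];
    unsigned back = 0;
    size_t n = keyusage_to_der(usage, der, sizeof der);
    return n != 0 && keyusage_from_der(der, n, &back) == 0 && back == usage;
}
```

Calling `certtool_usage(PK_EDDSA_ED25519, 0, 0, 0, 0)` returns `KU_DIGITAL_SIGNATURE` no matter what the caller wanted, which is the behaviour the issue describes; a nonRepudiation-only set passes `rfc8410_ee_usage_ok` and encodes as the four DER bytes `03 02 06 40` (one content octet, six unused bits). The decoder is strict about padding because a non-zero padding area or a ninth-plus bit is the kind of malformed extension a lenient parser would otherwise accept silently.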