<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">Certtool does not put keyusage Signing when specified in template, when specifying "ca" in temp

late.</p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<p dir="auto">3.6.5</p>

<h2 dir="auto">

<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>

<p dir="auto">Ubuntu (3.6.5-2ubuntu1)</p>

<h2 dir="auto">

<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>

<p dir="auto">root-ca.cfg</p>

<p dir="auto">organization = "Initech"<br>

cn = "Initech Root CA"<br>

expiration_days = 700<br>

ca<br>

cert_signing_key<br>

crl_signing_key</p>

<p dir="auto">ca.cfg</p>

<p dir="auto">organization = "Initech"<br>

cn = "Initech CA"<br>

expiration_days = 350<br>

crl_dist_points = "<a href="http://crl.initech.lan/Initech_Root_CA.crl%22%5C" rel="nofollow noreferrer noopener" target="_blank">http://crl.initech.lan/Initech_Root_CA.crl"\</a>

ca<br>

signing_key<br>

cert_signing_key<br>

crl_signing_key<br>

path_len = 0</p>

<p dir="auto">certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem<br>

certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem<br>

certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem<br>

certtool --generate-request --load-privkey Initech_CA-key.pem --template ca.cfg --outfile Initech_CA-csr.pem<br>

certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template ca.cfg --outfile Initech_CA-cert.pem</p>

<h2 dir="auto">

<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>

<p dir="auto">Keyusage "Signing" is not in subsidiary CA, even when specified in template. The code only allows this when the certificate is NOT a CA or it is a server certificate.<br>

Subsidiary CA's should have the keyusage "Signing".</p>

<h2 dir="auto">

<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>

<p dir="auto">Keyusage "Signing" should be in certificate of the subsidiary CA.</p>

<h2 dir="auto">

<a id="user-content-proposed-fix" class="anchor" href="#proposed-fix" aria-hidden="true"></a>Proposed fix:</h2>

<p dir="auto">Add a new option called "subca".</p>

<p dir="auto">Allow option subca to add GNUTLS_KEY_DIGITAL_SIGNATURE. (Line 554)</p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/767">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/73418c4f6bbc11ec77026c368322b72b/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/767"}}</script>

</p>

</div>

</body>

</html>