<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">Certtool does not put keyusage Signing when specified in template, when specifying "ca" in temp
late.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.6.5</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Ubuntu (3.6.5-2ubuntu1)</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">root-ca.cfg</p>
<p dir="auto">organization = "Initech"<br>
cn = "Initech Root CA"<br>
expiration_days = 700<br>
ca<br>
cert_signing_key<br>
crl_signing_key</p>
<p dir="auto">ca.cfg</p>
<p dir="auto">organization = "Initech"<br>
cn = "Initech CA"<br>
expiration_days = 350<br>
crl_dist_points = "<a href="http://crl.initech.lan/Initech_Root_CA.crl%22%5C" rel="nofollow noreferrer noopener" target="_blank">http://crl.initech.lan/Initech_Root_CA.crl"\</a>
ca<br>
signing_key<br>
cert_signing_key<br>
crl_signing_key<br>
path_len = 0</p>
<p dir="auto">certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem<br>
certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem<br>
certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem<br>
certtool --generate-request --load-privkey Initech_CA-key.pem --template ca.cfg --outfile Initech_CA-csr.pem<br>
certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template ca.cfg --outfile Initech_CA-cert.pem</p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">Keyusage "Signing" is not in subsidiary CA, even when specified in template. The code only allows this when the certificate is NOT a CA or it is a server certificate.<br>
Subsidiary CA's should have the keyusage "Signing".</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">Keyusage "Signing" should be in certificate of the subsidiary CA.</p>
<h2 dir="auto">
<a id="user-content-proposed-fix" class="anchor" href="#proposed-fix" aria-hidden="true"></a>Proposed fix:</h2>
<p dir="auto">Add a new option called "subca".</p>
<p dir="auto">Allow option subca to add GNUTLS_KEY_DIGITAL_SIGNATURE. (Line 554)</p>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/767">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/73418c4f6bbc11ec77026c368322b72b/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/767"}}</script>
</p>
</div>
</body>
</html>