<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #666;">

<a href="https://gitlab.com/thka">Thomas Karlsson</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1126">#1126</a>:

</p>

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">When signing a CSR, the CDP is copied from the signing CA's CDP. The CDP should be specified, if needed, in the template.

Copying of the signing CA's CDP is most of the time wrong, unless (which doesn't make sense) a CDP exists in the Root CA's certificate.</p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<p dir="auto">The latest checkout on branch master</p>

<h2 dir="auto">

<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>

<p dir="auto">Steps to Reproduce:</p>

<p dir="auto"><em>root-ca.cfg</em></p>

<p dir="auto">organization = "Initech"<br>

cn = "Initech Root CA"<br>

expiration_days = 700<br>

ca<br>

cert_signing_key<br>

crl_signing_key</p>

<p dir="auto"><em>issuing-ca.cfg</em></p>

<p dir="auto">organization = "Initech"<br>

cn = "Initech CA"<br>

expiration_days = 350<br>

crl_dist_points = "<a href="http://crl.initech.lan/Initech_Root_CA.crl" rel="nofollow noreferrer noopener" target="_blank">http://crl.initech.lan/Initech_Root_CA.crl</a>" <br>

ca<br>

signing_key<br>

cert_signing_key<br>

crl_signing_key<br>

path_len = 0</p>

<p dir="auto"><em>servercert.cfg</em></p>

<p dir="auto">organization = "Initech"<br>

cn = "test.example.com"<br>

expiration_days = 350<br>

crl_dist_points = "<a href="http://crl.initech.lan/Initech_CA.crl" rel="nofollow noreferrer noopener" target="_blank">http://crl.initech.lan/Initech_CA.crl</a>" <br>

tls_www_server<br>

key_agreement<br>

data_encipherment</p>

<p dir="auto">certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem<br>

certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem<br>

certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem<br>

certtool --generate-request --load-privkey Initech_CA-key.pem --template issuing-ca.cfg --outfile Initech_CA-csr.pem<br>

certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template issuing-ca.cfg --outfile Initech_CA-cert.pem<br>

certtool --generate-privkey --sec-param medium --outfile test.initech.lan-key.pem<br>

certtool --generate-request --load-privkey test.initech.lan-key.pem --template servercert.cfg --outfile test.initech.lan-csr.pem<br>

certtool --generate-certificate --load-ca-privkey Initech_CA-key.pem --load-ca-certificate Initech_CA-cert.pem --load-request test.initech.lan-csr.pem --template servercert.cfg --outfile test.initech.lan-cert.pem</p>

<h2 dir="auto">

<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>

<p dir="auto">CDP in server certificate points to Root CA's CRL</p>

<h2 dir="auto">

<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>

<p dir="auto">CDP in server certificate points to the Issuing CA's specified CDP.</p>

<h2 dir="auto">

<a id="user-content-proposed-fix" class="anchor" href="#proposed-fix" aria-hidden="true"></a>Proposed fix</h2>

<code>

--- certtool.c.org      2020-11-26 23:16:24.415557527 +0100

+++ certtool.c  2020-11-26 23:19:09.234423551 +0100

@@ -781,10 +781,8 @@

        /* always set CRL distribution points on CAs, but also on certificates

         * generated with --generate-self-signed. The latter is to retain

         * compatibility with previous versions of certtool. */

-       if (ca_status || (!proxy && ca_crt == NULL)) {

+       if (ca_status || (!proxy)) {

                get_crl_dist_point_set(crt);

-       } else if (!proxy && ca_crt != NULL) {

-               gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);

        }

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">*ret_key = key;</span></code></pre>

</code>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #666;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1126">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/-/sent_notifications/a498031960ca3b0aea203df21c55b2ce/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1126"}}</script>

</p>

</div>

</body>

</html>