<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #666;">
<a href="https://gitlab.com/dkg">Daniel Kahn Gillmor</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1227">#1227</a>
</p>
<div></div>
<p dir="auto">The relevant bits of <code>generate_certificate()</code> in <code>src/certtool.c</code> say:</p>
<pre class="code highlight js-syntax-highlight language-c" lang="c" v-pre="true"><code><span id="LC1" class="line" lang="c">              <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">ca_status</span> <span class="o">||</span> <span class="n">server</span><span class="p">)</span> <span class="p">{</span></span>
<span id="LC2" class="line" lang="c">                       <span class="k">if</span> <span class="p">(</span><span class="n">pk</span> <span class="o">==</span> <span class="n">GNUTLS_PK_RSA</span> <span class="o">||</span></span>
<span id="LC3" class="line" lang="c">                           <span class="n">pk</span> <span class="o">==</span> <span class="n">GNUTLS_PK_GOST_01</span> <span class="o">||</span></span>
<span id="LC4" class="line" lang="c">                           <span class="n">pk</span> <span class="o">==</span> <span class="n">GNUTLS_PK_GOST_12_256</span> <span class="o">||</span></span>
<span id="LC5" class="line" lang="c">                           <span class="n">pk</span> <span class="o">==</span> <span class="n">GNUTLS_PK_GOST_12_512</span><span class="p">)</span>  <span class="p">{</span>    <span class="cm">/* DSA and ECDSA keys can only sign. */</span></span>
<span id="LC6" class="line" lang="c">                               <span class="n">result</span> <span class="o">=</span> <span class="n">get_sign_status</span><span class="p">(</span><span class="n">server</span><span class="p">);</span></span>
<span id="LC7" class="line" lang="c">                               <span class="k">if</span> <span class="p">(</span><span class="n">result</span><span class="p">)</span></span>
<span id="LC8" class="line" lang="c">                                       <span class="n">usage</span> <span class="o">|=</span></span>
<span id="LC9" class="line" lang="c">                                           <span class="n">GNUTLS_KEY_DIGITAL_SIGNATURE</span><span class="p">;</span></span>
<span id="LC10" class="line" lang="c"></span>
<span id="LC11" class="line" lang="c">                              <span class="n">result</span> <span class="o">=</span> <span class="n">get_encrypt_status</span><span class="p">(</span><span class="n">server</span><span class="p">);</span></span>
<span id="LC12" class="line" lang="c">                              <span class="k">if</span> <span class="p">(</span><span class="n">result</span><span class="p">)</span></span>
<span id="LC13" class="line" lang="c">                                      <span class="n">usage</span> <span class="o">|=</span></span>
<span id="LC14" class="line" lang="c">                                          <span class="n">GNUTLS_KEY_KEY_ENCIPHERMENT</span><span class="p">;</span></span>
<span id="LC15" class="line" lang="c">                      <span class="p">}</span> <span class="k">else</span> <span class="p">{</span></span>
<span id="LC16" class="line" lang="c">                              <span class="n">usage</span> <span class="o">|=</span> <span class="n">GNUTLS_KEY_DIGITAL_SIGNATURE</span><span class="p">;</span></span>
<span id="LC17" class="line" lang="c">                      <span class="p">}</span></span></code></pre>
<p dir="auto">This suggests that as long as the generated certificate is not a CA, and it is not one of the selected algorithms, it <em>must</em> have the "digital signature" flag set in its usage field.</p>
<p dir="auto">But <a href="https://www.rfc-editor.org/rfc/rfc8410#section-5" rel="nofollow noreferrer noopener" target="_blank">RFC 8410</a> suggests, for example, that an end-entity certificate using Ed25519 with only the "non-repudiation" usage set should be acceptable.</p>

</div>
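<p>Added example, not part of the original issue and not GnuTLS code: a self-contained C model of the quoted branch next to a check of the RFC 8410 section 5 keyUsage rule for Ed25519/Ed448, showing that the branch cannot produce the "non-repudiation only" usage the RFC accepts. The <code>KU_*</code> constants, both function names and the <code>want_sign</code>/<code>want_encrypt</code> parameters (standing in for the interactive prompts) are assumptions of this example, and the RFC rule is read strictly (no bits outside the listed ones).</p>

```c
#include <stdio.h>

/* Local stand-ins for the RFC 5280 keyUsage bits (not the GnuTLS constants). */
enum {
    KU_DIGITAL_SIGNATURE = 1 << 0,
    KU_NON_REPUDIATION   = 1 << 1,
    KU_KEY_ENCIPHERMENT  = 1 << 2,
    KU_KEY_CERT_SIGN     = 1 << 5,
    KU_CRL_SIGN          = 1 << 6
};

/* Model of the quoted branch only. The answers of get_sign_status() and
 * get_encrypt_status() are passed in as want_sign / want_encrypt;
 * rsa_or_gost stands for the four-way comparison on pk. */
unsigned quoted_branch_usage(int ca_status, int server, int rsa_or_gost,
                             int want_sign, int want_encrypt)
{
    unsigned usage = 0;
    if (!ca_status || server) {
        if (rsa_or_gost) {
            if (want_sign)    usage |= KU_DIGITAL_SIGNATURE;
            if (want_encrypt) usage |= KU_KEY_ENCIPHERMENT;
        } else {
            usage |= KU_DIGITAL_SIGNATURE;   /* set unconditionally */
        }
    }
    return usage;
}

/* RFC 8410 section 5 for id-Ed25519 / id-Ed448, read strictly: at least one
 * listed bit is set and no bit outside the list is set. */
int rfc8410_eddsa_usage_ok(unsigned usage, int is_ca)
{
    unsigned allowed = KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION;
    if (is_ca)
        allowed |= KU_KEY_CERT_SIGN | KU_CRL_SIGN;
    return usage != 0 && (usage & ~allowed) == 0;
}

int main(void)
{
    unsigned forced = quoted_branch_usage(0, 0, 0, 0, 0);
    printf("branch output for Ed25519 end-entity: 0x%x\n", forced);
    printf("nonRepudiation only accepted by RFC 8410: %d\n",
           rfc8410_eddsa_usage_ok(KU_NON_REPUDIATION, 0));
    printf("branch can emit nonRepudiation only: %d\n",
           forced == KU_NON_REPUDIATION);
    return 0;
}
```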
</body>
</html>