[Help-gnutls] Problems with Key usage violation

Andreas Thienemann andreas at dicp.ghb.fh-furtwangen.de
Wed Mar 30 20:01:19 CEST 2005


On Wed, 30 Mar 2005, Nikos Mavrogiannopoulos wrote:

>> From my understanding of x509 keys, this means that the certificate is
>> used in a way which does not correspond with the allowed usage cases.
> Correct. Gnutls checks the key usage X.509 certificate extension.
> That is, for example, if the RSA key is marked encrypt only, you cannot use
> the DHE_RSA  algorithm that requires signing.
Which extension exactly is checked?
key usage and extended key usage?

> Use the output of certtool or the -text output of openssl x509. Try
> ./certtool -i <server.crt
Okay. certtool seems to have some problems recognizing some extensions, as 
only numbers are shown, and to have some problems with the DER parsing.
But one of the recognized key purposes seems okay to me: TLS WWW Server.
Besides the fact that this should be valid for all kinds of TLS servers, it 
looks okay to me.

Additionally the key usage "Key encipherment" should be okay as well, that 
is if I understand the different usages correctly.

### snip ###
[root at bla /root]# certtool -i < /tmp/server.crt


X.509 certificate info:

Version: 3
Serial Number (hex): 1c
Subject: C=DE,ST= ,L=Boeblingen,O=Bawue.Net e.V.,CN=ca.bawue.net
Issuer: C=DE,L=Boeblingen,O=Bawue.Net e.V.,OU=Bawue.Net CA,CN=Bawue.Net ServerCerts CA
Signature Algorithm: RSA-SHA
Validity:
         Not Before: Fri Mar 11 19:03:00 2005
         Not After: Fri Feb  9 19:03:00 2007
Subject Public Key Info:
         Public Key Algorithm: RSA (1024 bits)

X.509 Extensions:
         CRL Distribution points:
                 URI: http://ca.bawue.net/cgi-bin/get-cert.py/ServerCerts/crl.crl
         Key usage:
                 Key encipherment.
         Key purpose OIDs:
                 TLS WWW Server.
                 2.16.840.1.113730.4.1
                 1.3.6.1.4.1.311.10.3.3
         Subject Key ID:
                 a2 49 c1 d9 36 1f 0b 24 10 a0 d3 74 a7 90 99 5a 81 ef 08 ac
Error getting authority key id: ASN1 parser: Error in DER parsing.
         2.16.840.1.113730.1.13:
                 DER Data: 162d54686973206365727469666963617465206973207573656420666f722053534c2053657276657243657274732e
         2.16.840.1.113730.1.2:
                 DER Data: 161568747470733a2f2f63612e62617775652e6e65742f
         2.16.840.1.113730.1.4:
                 DER Data: 16276367692d62696e2f6765742d636572742e70792f53657276657243657274732f63726c2e63726c
         2.16.840.1.113730.1.3:
                 DER Data: 16246367692d62696e2f6e732d636865636b2d7265762e70792f53657276657243657274733f
         2.16.840.1.113730.1.7:
                 DER Data: 16226367692d62696e2f6e732d72656e6577616c2e70792f53657276657243657274733f
         2.16.840.1.113730.1.8:
                 DER Data: 162b42617775652e4e65742d43412f706f6c6963792f53657276657243657274732d706f6c6963792e68746d6c
         2.16.840.1.113730.1.1:
                 DER Data: 03020640

Other information:
         Fingerprint: 68 6e 87 46 1b 7f c9 52 5f b7 5e 21 6d 14 b4 25
         Public Key ID: e1 ee 9e fd 2c 71 fc e3 83 3c fa 6f 46 52 5e 1d 4b c2 37 42


-----BEGIN CERTIFICATE-----
MIIE4zCCBEygAwIBAgIBHDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJERTET
MBEGA1UEBxMKQm9lYmxpbmdlbjEXMBUGA1UEChMOQmF3dWUuTmV0IGUuVi4xFTAT
BgNVBAsTDEJhd3VlLk5ldCBDQTEhMB8GA1UEAxMYQmF3dWUuTmV0IFNlcnZlckNl
cnRzIENBMB4XDTA1MDMxMTE4MDM0NloXDTA3MDIwOTE4MDM0NlowXjELMAkGA1UE
BhMCREUxCjAIBgNVBAgTASAxEzARBgNVBAcTCkJvZWJsaW5nZW4xFzAVBgNVBAoT
DkJhd3VlLk5ldCBlLlYuMRUwEwYDVQQDEwxjYS5iYXd1ZS5uZXQwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALwzFRbWttiE8JIL2KcgyfOJAUlyTbXg/5RlGgFp
aXLQHRi4g5gK+c5iz32NgZp82kWP0tFBDagi3jSZXj0MHD1JBV3iwnNlhBKQiWFW
UR5u7XLt6ggOBZLseW1P3jiSg2XG02LLJeKAyFInjc+kITlF58a0acotn7G7zOGM
+iGjAgMBAAGjggKYMIIClDAdBgNVHQ4EFgQUoknB2TYfCyQQoNN0p5CZWoHvCKww
gZgGA1UdIwSBkDCBjYAU0hR5ci6rLzZlgGqDip3w+eBcnxShcqRwMG4xCzAJBgNV
BAYTAkRFMRMwEQYDVQQHEwpCb2VibGluZ2VuMRcwFQYDVQQKEw5CYXd1ZS5OZXQg
ZS5WLjEVMBMGA1UECxMMQmF3dWUuTmV0IENBMRowGAYDVQQDExFCYXd1ZS5OZXQg
Um9vdCBDQYIBBDBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY2EuYmF3dWUubmV0
L2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVyQ2VydHMvY3JsLmNybDALBgNVHQ8E
BAMCBSAwKgYDVR0lBCMwIQYIKwYBBQUHAwEGCWCGSAGG+EIEAQYKKwYBBAGCNwoD
AzA8BglghkgBhvhCAQ0ELxYtVGhpcyBjZXJ0aWZpY2F0ZSBpcyB1c2VkIGZvciBT
U0wgU2VydmVyQ2VydHMuMCQGCWCGSAGG+EIBAgQXFhVodHRwczovL2NhLmJhd3Vl
Lm5ldC8wNgYJYIZIAYb4QgEEBCkWJ2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVy
Q2VydHMvY3JsLmNybDAzBglghkgBhvhCAQMEJhYkY2dpLWJpbi9ucy1jaGVjay1y
ZXYucHkvU2VydmVyQ2VydHM/MDEGCWCGSAGG+EIBBwQkFiJjZ2ktYmluL25zLXJl
bmV3YWwucHkvU2VydmVyQ2VydHM/MDoGCWCGSAGG+EIBCAQtFitCYXd1ZS5OZXQt
Q0EvcG9saWN5L1NlcnZlckNlcnRzLXBvbGljeS5odG1sMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOBgQBCqiKTxj2cDDF/uUSBInYsOBbF9qinktRF
zZHQAcjtfB/N0Y/Qt4+FhZoASsiSPULRuNJ6G4USZJj5J4LI3eEW0zVGj5Cvr/pc
vRrQO0VkWGilS0x8HHw+mg4gZKVETYpVCKMEjXk8iOByoAFlT/Bi0stHwVEyKgYP
ekvsmy8bDQ==
-----END CERTIFICATE-----

Just for completeness, here is the openssl output, which looks similar. 
The only difference is that the two additional OIDs are recognized as the 
Netscape and Microsoft ones.


### snip ###
[root at bla /root]# openssl x509 -in /tmp/server.crt -noout -text
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 28 (0x1c)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=DE, L=Boeblingen, O=Bawue.Net e.V., OU=Bawue.Net CA, CN=Bawue.Net ServerCerts CA
         Validity
             Not Before: Mar 11 18:03:46 2005 GMT
             Not After : Feb  9 18:03:46 2007 GMT
         Subject: C=DE, ST= , L=Boeblingen, O=Bawue.Net e.V., CN=ca.bawue.net
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:bc:33:15:16:d6:b6:d8:84:f0:92:0b:d8:a7:20:
                     c9:f3:89:01:49:72:4d:b5:e0:ff:94:65:1a:01:69:
                     69:72:d0:1d:18:b8:83:98:0a:f9:ce:62:cf:7d:8d:
                     81:9a:7c:da:45:8f:d2:d1:41:0d:a8:22:de:34:99:
                     5e:3d:0c:1c:3d:49:05:5d:e2:c2:73:65:84:12:90:
                     89:61:56:51:1e:6e:ed:72:ed:ea:08:0e:05:92:ec:
                     79:6d:4f:de:38:92:83:65:c6:d3:62:cb:25:e2:80:
                     c8:52:27:8d:cf:a4:21:39:45:e7:c6:b4:69:ca:2d:
                     9f:b1:bb:cc:e1:8c:fa:21:a3
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier:
             A2:49:C1:D9:36:1F:0B:24:10:A0:D3:74:A7:90:99:5A:81:EF:08:AC
             X509v3 Authority Key Identifier:
                 keyid:D2:14:79:72:2E:AB:2F:36:65:80:6A:83:8A:9D:F0:F9:E0:5C:9F:14
                 DirName:/C=DE/L=Boeblingen/O=Bawue.Net e.V./OU=Bawue.Net CA/CN=Bawue.Net Root CA
                 serial:04

             X509v3 CRL Distribution Points:
                 URI:http://ca.bawue.net/cgi-bin/get-cert.py/ServerCerts/crl.crl

             X509v3 Key Usage:
             Key Encipherment
             X509v3 Extended Key Usage:
             TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
             Netscape Comment:
             This certificate is used for SSL ServerCerts.
             Netscape Base Url:
             https://ca.bawue.net/
             Netscape CA Revocation Url:
             cgi-bin/get-cert.py/ServerCerts/crl.crl
             Netscape Revocation Url:
             cgi-bin/ns-check-rev.py/ServerCerts?
             Netscape Renewal Url:
             cgi-bin/ns-renewal.py/ServerCerts?
             Netscape CA Policy Url:
             Bawue.Net-CA/policy/ServerCerts-policy.html
             Netscape Cert Type:
             SSL Server
     Signature Algorithm: sha1WithRSAEncryption
         42:aa:22:93:c6:3d:9c:0c:31:7f:b9:44:81:22:76:2c:38:16:
         c5:f6:a8:a7:92:d4:45:cd:91:d0:01:c8:ed:7c:1f:cd:d1:8f:
         d0:b7:8f:85:85:9a:00:4a:c8:92:3d:42:d1:b8:d2:7a:1b:85:
         12:64:98:f9:27:82:c8:dd:e1:16:d3:35:46:8f:90:af:af:fa:
         5c:bd:1a:d0:3b:45:64:58:68:a5:4b:4c:7c:1c:7c:3e:9a:0e:
         20:64:a5:44:4d:8a:55:08:a3:04:8d:79:3c:88:e0:72:a0:01:
         65:4f:f0:62:d2:cb:47:c1:51:32:2a:06:0f:7a:4b:ec:9b:2f:
         1b:0d


> gnutls does not check the purpose, but rather the key usage.
_ONLY_ the key usage?

Then I do not understand the problem.
According to 
http://www.dfn-pca.de/certify/ssl/handbuch/ossl095/ossl095-4.html#s-gebr-keyusage 
(german stuff about the dfc cert) ssl servers need "key encipherment" set.

This conforms with our openssl configuration which is used for signing the 
server keys.

From my understanding, everything should work. ;-D

bye,
  andreas
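The check Nikos describes (key usage, not key purpose) can be reproduced outside GnuTLS. What follows is an added example written for this page, not code from GnuTLS, OpenSSL or the poster: a minimal DER walker in Python pulls the keyUsage and extKeyUsage extensions out of the server certificate quoted in the message above and then applies the TLS rule that static RSA key exchange needs keyEncipherment while (EC)DHE_RSA, which signs the ServerKeyExchange with the certificate key, needs digitalSignature (RFC 5246, section 7.4.2). The names REQUIRED_KEY_USAGE, key_exchange_allowed and the other helpers are this example's own; the certificate is the one from the message, copied verbatim.

```python
import base64
import re

# Server certificate from the message above (the PEM block it contains).
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIE4zCCBEygAwIBAgIBHDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJERTET
MBEGA1UEBxMKQm9lYmxpbmdlbjEXMBUGA1UEChMOQmF3dWUuTmV0IGUuVi4xFTAT
BgNVBAsTDEJhd3VlLk5ldCBDQTEhMB8GA1UEAxMYQmF3dWUuTmV0IFNlcnZlckNl
cnRzIENBMB4XDTA1MDMxMTE4MDM0NloXDTA3MDIwOTE4MDM0NlowXjELMAkGA1UE
BhMCREUxCjAIBgNVBAgTASAxEzARBgNVBAcTCkJvZWJsaW5nZW4xFzAVBgNVBAoT
DkJhd3VlLk5ldCBlLlYuMRUwEwYDVQQDEwxjYS5iYXd1ZS5uZXQwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALwzFRbWttiE8JIL2KcgyfOJAUlyTbXg/5RlGgFp
aXLQHRi4g5gK+c5iz32NgZp82kWP0tFBDagi3jSZXj0MHD1JBV3iwnNlhBKQiWFW
UR5u7XLt6ggOBZLseW1P3jiSg2XG02LLJeKAyFInjc+kITlF58a0acotn7G7zOGM
+iGjAgMBAAGjggKYMIIClDAdBgNVHQ4EFgQUoknB2TYfCyQQoNN0p5CZWoHvCKww
gZgGA1UdIwSBkDCBjYAU0hR5ci6rLzZlgGqDip3w+eBcnxShcqRwMG4xCzAJBgNV
BAYTAkRFMRMwEQYDVQQHEwpCb2VibGluZ2VuMRcwFQYDVQQKEw5CYXd1ZS5OZXQg
ZS5WLjEVMBMGA1UECxMMQmF3dWUuTmV0IENBMRowGAYDVQQDExFCYXd1ZS5OZXQg
Um9vdCBDQYIBBDBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY2EuYmF3dWUubmV0
L2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVyQ2VydHMvY3JsLmNybDALBgNVHQ8E
BAMCBSAwKgYDVR0lBCMwIQYIKwYBBQUHAwEGCWCGSAGG+EIEAQYKKwYBBAGCNwoD
AzA8BglghkgBhvhCAQ0ELxYtVGhpcyBjZXJ0aWZpY2F0ZSBpcyB1c2VkIGZvciBT
U0wgU2VydmVyQ2VydHMuMCQGCWCGSAGG+EIBAgQXFhVodHRwczovL2NhLmJhd3Vl
Lm5ldC8wNgYJYIZIAYb4QgEEBCkWJ2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVy
Q2VydHMvY3JsLmNybDAzBglghkgBhvhCAQMEJhYkY2dpLWJpbi9ucy1jaGVjay1y
ZXYucHkvU2VydmVyQ2VydHM/MDEGCWCGSAGG+EIBBwQkFiJjZ2ktYmluL25zLXJl
bmV3YWwucHkvU2VydmVyQ2VydHM/MDoGCWCGSAGG+EIBCAQtFitCYXd1ZS5OZXQt
Q0EvcG9saWN5L1NlcnZlckNlcnRzLXBvbGljeS5odG1sMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOBgQBCqiKTxj2cDDF/uUSBInYsOBbF9qinktRF
zZHQAcjtfB/N0Y/Qt4+FhZoASsiSPULRuNJ6G4USZJj5J4LI3eEW0zVGj5Cvr/pc
vRrQO0VkWGilS0x8HHw+mg4gZKVETYpVCKMEjXk8iOByoAFlT/Bi0stHwVEyKgYP
ekvsmy8bDQ==
-----END CERTIFICATE-----"""
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
OID_KEY_USAGE, OID_EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
# keyUsage bit a server certificate needs per TLS key exchange (RFC 5246, 7.4.2): static RSA
# encrypts the premaster secret to the key, (EC)DHE_RSA signs ServerKeyExchange with it.
REQUIRED_KEY_USAGE = {"RSA": "keyEncipherment", "DHE_RSA": "digitalSignature",
                      "ECDHE_RSA": "digitalSignature"}

def der_tlv(buf, off=0):
    """Return (tag, contents, offset after the element) of the DER TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def children(contents):
    """Yield (tag, contents) of every element inside a constructed DER element."""
    off = 0
    while off < len(contents):
        tag, body, off = der_tlv(contents, off)
        yield tag, body

def oid_to_str(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def bit_string_names(body, names):
    """Names of the set bits of a BIT STRING body; its first byte counts unused trailing bits."""
    unused, data = body[0], body[1:]
    nbits = min(len(data) * 8 - unused, len(names))
    return {names[i] for i in range(nbits) if data[i // 8] & (0x80 >> (i % 8))}

def certificate_extensions(pem):
    """Return {dotted OID: raw extnValue bytes} for every extension in the certificate."""
    der = base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))
    _, cert, _ = der_tlv(der)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert)
    exts = {}
    for tag, body in children(tbs):
        if tag == 0xA3:               # [3] EXPLICIT Extensions (v3 certificates only)
            _, ext_seq, _ = der_tlv(body)
            for _, ext in children(ext_seq):
                parts = list(children(ext))   # OID, optional BOOLEAN critical, OCTET STRING
                exts[oid_to_str(parts[0][1])] = parts[-1][1]
    return exts

def key_usage(exts):
    """Set of keyUsage bit names, or None if the extension is absent (no restriction)."""
    ext = exts.get(OID_KEY_USAGE)
    return None if ext is None else bit_string_names(der_tlv(ext)[1], KEY_USAGE_BITS)

def extended_key_usage(exts):
    """List of extKeyUsage OIDs, or None if the extension is absent."""
    ext = exts.get(OID_EXT_KEY_USAGE)
    return None if ext is None else [oid_to_str(b) for _, b in children(der_tlv(ext)[1])]

def key_exchange_allowed(usage, kx):
    """True if a certificate with this keyUsage may be used for TLS key exchange kx."""
    return usage is None or REQUIRED_KEY_USAGE[kx] in usage

if __name__ == "__main__":
    exts = certificate_extensions(SERVER_CERT_PEM)
    ku = key_usage(exts)
    print("keyUsage:", sorted(ku), "extKeyUsage:", extended_key_usage(exts))
    for kx in REQUIRED_KEY_USAGE:
        print(kx, "allowed" if key_exchange_allowed(ku, kx) else "key usage violation")
```

Run against the certificate from the thread it reports keyUsage = keyEncipherment only, and extKeyUsage = serverAuth plus the Netscape and Microsoft Server Gated Crypto OIDs, so plain RSA key transport passes and DHE_RSA/ECDHE_RSA are rejected, which is exactly the situation Nikos describes. An RSA server certificate that is meant to serve (EC)DHE suites as well (and TLS 1.3, where the certificate key is only ever used to sign) needs digitalSignature set in addition to keyEncipherment; a certificate with no keyUsage extension at all imposes no restriction. The extKeyUsage decode is included only to show that it is a separate extension from the one this check looks at.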
