CAcert Code Development list.

[David McIlwraith <archaios AT cacert.org>]

Hi,

Let me clarify, from the svn repository:

README ->
"The directory ssl contains the openssl configuration files used by the 
signer.pl
software running on the CAcert signing server. The data shown here was 
accurate
on December 10, 2010 and should be kept up-to-date (in sync with the 
deployed
signing server) from now on. The target directory for this data is 
/etc/ssl."

class3-client.cnf:keyUsage = nonRepudiation, digitalSignature, 
keyEncipherment
class3-client-codesign.cnf:keyUsage = nonRepudiation, digitalSignature, 
keyEncipherment

openssl-client.cnf:keyUsage = nonRepudiation, digitalSignature, 
keyEncipherment
openssl-client-codesign.cnf:keyUsage = nonRepudiation, digitalSignature, 
keyEncipherment

In both cases, the keyUsage attribute is specified but does not appear 
to be used at all. According to the README, the svn repo. is reflective 
of the .cnf files used on the signing server. Unless I am completely 
mistaken, 'openssl x509 -in <file> -noout -text' does not show any sort 
of keyUsage attribute -- only extendedKeyUsage. I am attempting to 
reproduce this locally with a private CA for which I have an IANA 
assigned OID analogous to CAcert.

Kind regards,
- David McIlwraith 
<archaios AT cacert.org>

On 25/07/12 20:34, David McIlwraith wrote:
> Hi Michael,
>
> On 25/07/12 20:19, Michael Tänzer wrote:
> > Hi David,
> >
> > On 25.07.2012 05:58, David McIlwraith wrote:
> > > It appears that order should not matter; it is strange that it was being
> > > 'ignored' in any sense (judging from my brief analysis). The missing
> > > 'crlDistributionPoints' was obviously an issue (non-compliance w/ both
> > > CPS and board resolution changing it), but I cannot exactly see why,
> > > apart from the case of DH (added keyNegotiation), that it should be
> > > ignored by OpenSSL entirely. It is indeed missing in the certs issued; I
> > > can see that myself.
> > >
> > >          X509v3 extensions:
> > >              X509v3 Basic Constraints: critical
> > >                  CA:FALSE
> > >              Netscape Comment:
> > >                  To get your own certificate for FREE head over to
> > > http://www.CAcert.org
> > >              X509v3 Extended Key Usage:
> > >                  E-mail Protection, TLS Web Client Authentication,
> > > Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape
> > > Server Gated Crypto
> > >              Authority Information Access:
> > >                  OCSP - URI:http://ocsp.cacert.org
> > >
> > >              X509v3 Subject Alternative Name:
> > >                  
> > > email:archaios AT cacert.org
> >
> >
> > This is on the test server or on the live system? On the live system the
> > KeyUsage is not deployed yet.
>
> Live system. I know it's not deployed yet. What I meant was that the
> patch submitted changes the _order_ of the keyUsage line -- there's no
> (basic) keyUsage at ALL specified on any certs as it stands (only
> extendedKeyUsage), which means it appears to be ignoring keyUsage
> entirely when generating them. As for the root certs, I filed a separate
> bug concerning those; they should only have certSigning and cRLSigning
> as keyUsage attributes (when they are to be replaced, in any case).
>
> Regards,
> - David McIlwraith 
> <archaios AT cacert.org>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature