cacert-devel - Re: Patch request: Bug #540

Subject: CAcert Code Development list.

Re: Patch request: Bug #540

  • From: David McIlwraith <archaios AT>
  • To: Michael Tänzer <michael.taenzer AT>
  • Cc: cacert-devel AT
  • Subject: Re: Patch request: Bug #540
  • Date: Wed, 25 Jul 2012 20:46:03 +1000


Let me clarify, from the svn repository:

"The directory ssl contains the openssl configuration files used by the
software running on the CAcert signing server. The data shown here was accurate
on December 10, 2010 and should be kept up-to-date (in sync with the deployed
signing server) from now on. The target directory for this data is /etc/ssl."

class3-client.cnf:keyUsage = nonRepudiation, digitalSignature, keyEncipherment
class3-client-codesign.cnf:keyUsage = nonRepudiation, digitalSignature, keyEncipherment

openssl-client.cnf:keyUsage = nonRepudiation, digitalSignature, keyEncipherment
openssl-client-codesign.cnf:keyUsage = nonRepudiation, digitalSignature, keyEncipherment

In both cases, the keyUsage attribute is specified but does not appear to be used at all. According to the README, the svn repo. is reflective of the .cnf files used on the signing server. Unless I am completely mistaken, 'openssl x509 -in <file> -noout -text' does not show any sort of keyUsage attribute -- only extendedKeyUsage. I am attempting to reproduce this locally with a private CA for which I have an IANA assigned OID analogous to CAcert.

Kind regards,
- David McIlwraith 
<archaios AT>

On 25/07/12 20:34, David McIlwraith wrote:
Hi Michael,

On 25/07/12 20:19, Michael Tänzer wrote:
Hi David,

On 25.07.2012 05:58, David McIlwraith wrote:
It appears that order should not matter; it is strange that it was being
'ignored' in any sense (judging from my brief analysis). The missing
'crlDistributionPoints' was obviously an issue (non-compliance w/ both
CPS and board resolution changing it), but I cannot exactly see why,
apart from the case of DH (added keyNegotiation), that it should be
ignored by OpenSSL entirely. It is indeed missing in the certs issued; I
can see that myself.

         X509v3 extensions:
             X509v3 Basic Constraints: critical
             Netscape Comment:
                 To get your own certificate for FREE head over to
             X509v3 Extended Key Usage:
                 E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
             Authority Information Access:
                 OCSP - URI:

             X509v3 Subject Alternative Name:
                 email:archaios AT

This is on the test server or on the live system? On the live system the
KeyUsage is not deployed yet.

Live system. I know it's not deployed yet. What I meant was that the
patch submitted changes the _order_ of the keyUsage line -- there's no
(basic) keyUsage at ALL specified on any certs as it stands (only
extendedKeyUsage), which means it appears to be ignoring keyUsage
entirely when generating them. As for the root certs, I filed a separate
bug concerning those; they should only have certSigning and cRLSigning
as keyUsage attributes (when they are to be replaced, in any case).

- David McIlwraith 
<archaios AT>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
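A local reproduction of the check David describes, added here as an example and not taken from the CAcert repository or signing server: a throwaway CA signs one certificate from an extension section that carries the keyUsage line and one from a section that omits it, then both are inspected with `openssl x509 -text`. The section and file names are constructed for the demo, and an `openssl` binary on PATH is assumed.

```shell
#!/bin/sh
# Added example, not CAcert's signing-server config: keyUsage only reaches
# the issued cert when it sits in the extension section actually selected
# at signing time. All names below are constructed for this demo.
set -eu
WORK=$(mktemp -d)

cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

# Section that carries keyUsage (same line as class3-client.cnf).
[ with_ku ]
basicConstraints = critical, CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection, clientAuth

# Same section without keyUsage: what the live certs look like.
[ without_ku ]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = emailProtection, clientAuth
EOF

# Throwaway CA and client CSR (constructed, not CAcert's).
openssl req -config "$WORK/demo.cnf" -x509 -newkey rsa:2048 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Demo CA" -days 1 2>/dev/null
openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=demo client" 2>/dev/null

# issue SECTION OUTFILE: sign the CSR using the named extension section.
issue() {
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/demo.cnf" -extensions "$1" -out "$2" 2>/dev/null
}

# has_key_usage CERT: exit 0 only if the cert carries an X509v3 Key Usage extension.
has_key_usage() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Key Usage'
}

# key_usage_bits CERT: print the decoded bit names (the line after the header).
key_usage_bits() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'
}

issue with_ku "$WORK/good.pem"
issue without_ku "$WORK/bad.pem"
has_key_usage "$WORK/good.pem" && echo "good.pem: $(key_usage_bits "$WORK/good.pem")"
has_key_usage "$WORK/bad.pem" || echo "bad.pem: no keyUsage extension at all"
```

Run `has_key_usage` against a real issued certificate to tell at a glance whether the signing server's selected section contains the line; the files are left in the temporary directory for inspection.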
