On Wed, 30 Mar 2005, Nikos Mavrogiannopoulos wrote:

> > From my understanding of x509 keys, this means that the certificate is
> > used in a way which does not correspond with the allowed usage cases.
> Correct. Gnutls checks the key usage X.509 certificate extension.
> That is, for example, if the RSA key is marked encrypt only, you cannot use
> the DHE_RSA algorithm that requires signing.

Which extension exactly is checked?
Key usage and extended key usage?

> Use the output of certtool or the -text output of openssl x509. Try
> ./certtool -i <server.crt

Okay. certtool seems to have some problems recognizing some extensions, as only numbers are shown, and to have some problems with the DER parsing.
But one of the recognized key purposes seems okay to me: TLS WWW Server.
Besides the fact that this should be valid for all kinds of TLS servers, it looks okay to me.

Additionally, the key usage "Key encipherment" should be okay as well, that is if I understand the different usages correctly.

### snip ###
[EMAIL PROTECTED] /root]# certtool -i < /tmp/server.crt

X.509 certificate info:

Version: 3
Serial Number (hex): 1c
Subject: C=DE,ST= ,L=Boeblingen,O=Bawue.Net e.V.,CN=ca.bawue.net
Issuer: C=DE,L=Boeblingen,O=Bawue.Net e.V.,OU=Bawue.Net CA,CN=Bawue.Net ServerCerts CA
Signature Algorithm: RSA-SHA
Validity:
        Not Before: Fri Mar 11 19:03:00 2005
        Not After: Fri Feb 9 19:03:00 2007
Subject Public Key Info:
        Public Key Algorithm: RSA (1024 bits)

X.509 Extensions:
        CRL Distribution points:
                URI: http://ca.bawue.net/cgi-bin/get-cert.py/ServerCerts/crl.crl
        Key usage:
                Key encipherment.
        Key purpose OIDs:
                TLS WWW Server.
                2.16.840.1.113730.4.1
                1.3.6.1.4.1.311.10.3.3
        Subject Key ID:
                a2 49 c1 d9 36 1f 0b 24 10 a0 d3 74 a7 90 99 5a 81 ef 08 ac
        Error getting authority key id: ASN1 parser: Error in DER parsing.
        2.16.840.1.113730.1.13:
                DER Data: 162d54686973206365727469666963617465206973207573656420666f722053534c2053657276657243657274732e
        2.16.840.1.113730.1.2:
                DER Data: 161568747470733a2f2f63612e62617775652e6e65742f
        2.16.840.1.113730.1.4:
                DER Data: 16276367692d62696e2f6765742d636572742e70792f53657276657243657274732f63726c2e63726c
        2.16.840.1.113730.1.3:
                DER Data: 16246367692d62696e2f6e732d636865636b2d7265762e70792f53657276657243657274733f
        2.16.840.1.113730.1.7:
                DER Data: 16226367692d62696e2f6e732d72656e6577616c2e70792f53657276657243657274733f
        2.16.840.1.113730.1.8:
                DER Data: 162b42617775652e4e65742d43412f706f6c6963792f53657276657243657274732d706f6c6963792e68746d6c
        2.16.840.1.113730.1.1:
                DER Data: 03020640

Other information:
        Fingerprint: 68 6e 87 46 1b 7f c9 52 5f b7 5e 21 6d 14 b4 25
        Public Key ID: e1 ee 9e fd 2c 71 fc e3 83 3c fa 6f 46 52 5e 1d 4b c2 37 42


Just for completeness, here is the openssl output, which looks similar. The only difference is that the two additional OIDs are recognized as the Netscape and Microsoft ones.


### snip ###
[EMAIL PROTECTED] /root]# openssl x509 -in /tmp/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, L=Boeblingen, O=Bawue.Net e.V., OU=Bawue.Net CA, CN=Bawue.Net ServerCerts CA
        Validity
            Not Before: Mar 11 18:03:46 2005 GMT
            Not After : Feb 9 18:03:46 2007 GMT
        Subject: C=DE, ST= , L=Boeblingen, O=Bawue.Net e.V., CN=ca.bawue.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bc:33:15:16:d6:b6:d8:84:f0:92:0b:d8:a7:20:
                    c9:f3:89:01:49:72:4d:b5:e0:ff:94:65:1a:01:69:
                    69:72:d0:1d:18:b8:83:98:0a:f9:ce:62:cf:7d:8d:
                    81:9a:7c:da:45:8f:d2:d1:41:0d:a8:22:de:34:99:
                    5e:3d:0c:1c:3d:49:05:5d:e2:c2:73:65:84:12:90:
                    89:61:56:51:1e:6e:ed:72:ed:ea:08:0e:05:92:ec:
                    79:6d:4f:de:38:92:83:65:c6:d3:62:cb:25:e2:80:
                    c8:52:27:8d:cf:a4:21:39:45:e7:c6:b4:69:ca:2d:
                    9f:b1:bb:cc:e1:8c:fa:21:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A2:49:C1:D9:36:1F:0B:24:10:A0:D3:74:A7:90:99:5A:81:EF:08:AC
            X509v3 Authority Key Identifier:
                keyid:D2:14:79:72:2E:AB:2F:36:65:80:6A:83:8A:9D:F0:F9:E0:5C:9F:14
                DirName:/C=DE/L=Boeblingen/O=Bawue.Net e.V./OU=Bawue.Net CA/CN=Bawue.Net Root CA
                serial:04

            X509v3 CRL Distribution Points:
                URI:http://ca.bawue.net/cgi-bin/get-cert.py/ServerCerts/crl.crl

            X509v3 Key Usage:
                Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Netscape Comment:
                This certificate is used for SSL ServerCerts.
            Netscape Base Url:
                https://ca.bawue.net/
            Netscape CA Revocation Url:
                cgi-bin/get-cert.py/ServerCerts/crl.crl
            Netscape Revocation Url:
                cgi-bin/ns-check-rev.py/ServerCerts?
            Netscape Renewal Url:
                cgi-bin/ns-renewal.py/ServerCerts?
            Netscape CA Policy Url:
                Bawue.Net-CA/policy/ServerCerts-policy.html
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha1WithRSAEncryption
        42:aa:22:93:c6:3d:9c:0c:31:7f:b9:44:81:22:76:2c:38:16:
        c5:f6:a8:a7:92:d4:45:cd:91:d0:01:c8:ed:7c:1f:cd:d1:8f:
        d0:b7:8f:85:85:9a:00:4a:c8:92:3d:42:d1:b8:d2:7a:1b:85:
        12:64:98:f9:27:82:c8:dd:e1:16:d3:35:46:8f:90:af:af:fa:
        5c:bd:1a:d0:3b:45:64:58:68:a5:4b:4c:7c:1c:7c:3e:9a:0e:
        20:64:a5:44:4d:8a:55:08:a3:04:8d:79:3c:88:e0:72:a0:01:
        65:4f:f0:62:d2:cb:47:c1:51:32:2a:06:0f:7a:4b:ec:9b:2f:
        1b:0d



> gnutls does not check the purpose, but rather the key usage.

_ONLY_ the key usage?

Then I do not understand the problem.
According to http://www.dfn-pca.de/certify/ssl/handbuch/ossl095/ossl095-4.html#s-gebr-keyusage (German stuff about the dfc cert), SSL servers need "key encipherment" set.


This conforms with our openssl configuration which is used for signing the server keys.

From my understanding, everything should work. ;-D

bye, andreas

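The check Nikos describes, as an added example that is not part of this thread or of GnuTLS: decode the DER BIT STRING carried in the keyUsage extension (RFC 5280 bit 0, digitalSignature, is the most significant bit of the first content byte) and map the bits to the key exchanges an RSA server key may be used for. The value 03020520 is constructed to match the keyEncipherment-only certificate above, and the key-exchange table is the RSA versus DHE_RSA rule from the reply; both are assumptions of the example, not output from the tools shown.

```python
# Added example (not from the thread or from GnuTLS): decode the DER
# BIT STRING of the X.509 keyUsage extension and derive which TLS key
# exchanges an RSA server certificate may be used for.

# RFC 5280 KeyUsage named bits; bit 0 is the MSB of the first content byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Key usage bit an RSA server key needs for each key exchange (from the
# thread: RSA key exchange encrypts to the key, DHE_RSA signs with it).
KX_REQUIRED_BIT = {"RSA": "keyEncipherment", "DHE_RSA": "digitalSignature"}


def decode_key_usage(der: bytes) -> set:
    """Return the set of named bits in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:   # short-form length only
        raise ValueError("bad or inconsistent BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):   # DER: padding bits are zero
        raise ValueError("non-zero padding bits")
    usable = len(body) * 8 - unused
    return {
        KEY_USAGE_BITS[i]
        for i in range(min(usable, len(KEY_USAGE_BITS)))
        if body[i // 8] & (0x80 >> (i % 8))
    }


def allowed_key_exchanges(usage) -> list:
    """Key exchanges permitted by the key usage set; None stands for an
    absent keyUsage extension, which RFC 5280 treats as unrestricted."""
    if usage is None:
        return list(KX_REQUIRED_BIT)
    return [kx for kx, bit in KX_REQUIRED_BIT.items() if bit in usage]


if __name__ == "__main__":
    # Constructed value: keyEncipherment only, as in the certificate above.
    ku = decode_key_usage(bytes.fromhex("03020520"))
    print(sorted(ku), allowed_key_exchanges(ku))   # ['keyEncipherment'] ['RSA']
```

With only keyEncipherment set, plain RSA key exchange is permitted but DHE_RSA is not, which is the situation Nikos describes; adding digitalSignature (03020 5a0) permits both.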

_______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
