Hello!
I have a certificate which is supposed to be used for S/MIME signatures and TLS client authentication:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 157 (0x9d)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Foo
        Validity
            Not Before: Nov 27 10:19:53 2012 GMT
            Not After : Nov 27 10:19:53 2013 GMT
        Subject: C=AT, CN=Bar
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:cd:bc:91:65:7c:bf:74:75:c4:6f:56:9c:1c:09:
                    12:b8:84:69:c0:47:23:7f:dd:0d:f2:57:5c:6c:ac:
                    ca:b6:0c:63:cf:cf:9d:9d:10:21:14:22:25:4c:9e:
                    c9:0d:0e:e2:a3:57:3e:5d:b2:f6:43:4d:07:04:35:
                    a9:67:86:fb:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                0D:99:E2:0E:A6:DF:72:9A:A2:3E:9B:DD:14:A7:66:74:C5:50:24:30
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication, E-mail Protection, Microsoft Encrypted File System
    Signature Algorithm: sha1WithRSAEncryption
         cd:6a:dc:9b:71:7e:98:e5:2f:ef:d4:3f:33:f2:0b:13:3b:ad:
         6c:48:88:7b:8a:db:4f:73:ba:25:4e:ab:90:07:df:3b:82:d0:
         88:44:dd:e4:c4:31:44:92:bf:74:4a:b0:34:1f:3f:79:9d:d3:
         c8:c1:66:7b:bb:c4:65:ed:c6:39
The strange thing is the following command's output:
gast@off:/tmp> openssl x509 -noout -purpose -in test.cer
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
I have multiple issues with that:
* It appears as if openssl (1.0.1c, to be precise) believes that this certificate is a CA certificate, even though it isn't
* That the certificate is considered fine for CRL signing is consistent with the manpage of x509, but not with the extended key usage (and thus with RFC5280)
* The 'yes' on "Any Purpose" means, I assume, that the extended key usage is ignored completely (which would also explain the point above)
I assume that those are bugs, or am I missing something?
cheers
Mat
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
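To compare what `openssl x509 -purpose` reports with what the certificate's own Extended Key Usage extension says, here is an added example (not from the post above and not OpenSSL's code): a minimal DER walker that pulls the EKU OIDs out of the certificate quoted in the post and applies the RFC 5280 rule that a certificate carrying an EKU extension is usable only for the purposes it lists (or for any purpose when anyExtendedKeyUsage is present). The helper functions and the `usable_for` rule are this example's own; only the PEM certificate is taken from the post.

```python
import base64

# The certificate from the post above, re-joined here as this example's input.
PEM = """-----BEGIN CERTIFICATE-----
MIIBeDCCASKgAwIBAgICAJ0wDQYJKoZIhvcNAQEFBQAwDjEMMAoGA1UEAwwDRm9v
MB4XDTEyMTEyNzEwMTk1M1oXDTEzMTEyNzEwMTk1M1owGzELMAkGA1UEBhMCQVQx
DDAKBgNVBAMTA0JhcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDNvJFlfL90dcRv
VpwcCRK4hGnARyN/3Q3yV1xsrMq2DGPPz52dECEUIiVMnskNDuKjVz5dsvZDTQcE
NalnhvuvAgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFA2Z4g6m33Ka
oj6b3RSnZnTFUCQwMCwGA1UdJQEB/wQiMCAGCCsGAQUFBwMCBggrBgEFBQcDBAYK
KwYBBAGCNwoDBDANBgkqhkiG9w0BAQUFAANBAM1q3JtxfpjlL+/UPzPyCxM7rWxI
iHuK209zuiVOq5AH3zuC0IhE3eTEMUSSv3RKsDQfP3md08jBZnu7xGXtxjk=
-----END CERTIFICATE-----"""
EKU_OID, ANY_EKU = "2.5.29.37", "2.5.29.37.0"

def tlv(buf, pos=0):  # parse one DER TLV at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next n bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(val):  # split a constructed value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(val):
        tag, v, pos = tlv(val, pos)
        out.append((tag, v))
    return out

def decode_oid(b):  # dotted-decimal form of a DER OBJECT IDENTIFIER value
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        n = (n << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def extended_key_usage(pem):  # -> (critical, [EKU OIDs]) or None if no EKU extension
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    tbs = children(tlv(der)[1])[0][1]  # Certificate -> tbsCertificate
    exts = [v for tag, v in children(tbs) if tag == 0xA3]  # [3] EXPLICIT Extensions
    for _, ext in (children(children(exts[0])[0][1]) if exts else []):
        parts = children(ext)  # extnID, optional critical BOOLEAN, extnValue
        if decode_oid(parts[0][1]) == EKU_OID:
            critical = len(parts) == 3 and parts[1][1] == b"\xff"
            seq = children(parts[-1][1])[0][1]  # OCTET STRING wrapping SEQUENCE OF OID
            return critical, [decode_oid(o) for _, o in children(seq)]
    return None

def usable_for(pem, oid):
    """EKU rule: usable when the extension is absent, names oid, or names anyExtendedKeyUsage."""
    eku = extended_key_usage(pem)
    return eku is None or oid in eku[1] or ANY_EKU in eku[1]
```

For this certificate the extension is critical and lists only clientAuth, emailProtection and the Microsoft EFS OID, so `usable_for` answers yes for TLS client authentication and no for serverAuth, and neither "Any Purpose" nor CRL signing is something the EKU extension grants.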