Page MenuHome GnuPG

GPGSM rejects OCSP responder cert without keyUsage
Closed, ResolvedPublic

Description

CACert's OCSP responder signs its OCSP responses with an interesting
certificate, which has an extendedKeyUsage extension permitting OCSP signing
but has no keyUsage extension at all. RFC2560 says absolutely nothing about the
responder certificate requiring a keyUsage extension, it only says that it must
have an extendedKeyUsage extension with the OCSP signing OID in it. But GPGSM,
in certlist.c function cert_usage_p(), requires that (use != ~0) in order to
accept a certificate for an OCSP responder (otherwise it spits out "Certificate
should have not been used for OCSP response signing"), even though the
extendedKeyUsage extension is present and hence sets have_ocsp_signing to true
(as long as ksba_cert_get_key_usage() fails, "use" is set to ~0 and at that
point nothing else matters: the cert is rejected).

I have attached CACert's OCSP responder certificate for your reference.

Event Timeline

marcus lowered the priority of this task from Normal to Low.Jun 28 2017, 4:05 PM

Any chance looking into this @werner?

We have a patch for this in Fedora for 9 years already and it works fine:

https://src.fedoraproject.org/rpms/gnupg2/blob/rawhide/f/gnupg-2.2.16-ocsp-keyusage.patch

The related Fedora bug with the initial patch:

https://bugzilla.redhat.com/show_bug.cgi?id=720174

RFC-5280 states in 4.2.1.3 for Key Usage:

Conforming CAs MUST include this extension in certificates that
contain public keys that are used to validate digital signatures on
other public key certificates or CRLs.  When present, conforming CAs
SHOULD mark this extension as critical.

Although this does not speak explicitly about OCSP it would be strange to assume a weaker condition for OCSP. Further on in 4.2.1.12 Extended Key Usage

If a certificate contains both a key usage extension and an extended
key usage extension, then both extensions MUST be processed
independently and the certificate MUST only be used for a purpose
consistent with both extensions.  If there is no purpose consistent
with both extensions, then the certificate MUST NOT be used for any
purpose.

So this could be read to the contrary but this section is more general and does not even mention CRLs. It merely gives the OID for OCSCP signing. Constructung an argiment that the key Usage is not required is IMHO wrong and does not take into account the reason and history for Key Usage and Extended Key Usage.

In any case I am not willing to lightheaded remove the restriction as done in the patch. CA-Cert should update its cert (and also make sure that their announced CRL actually work reasonably)

Thank you for taking time to look into that. There are couple of issues in the CAcert bug tracker talking about the same issue but if, (I see right), the certs still miss the usage flags:

http://bugs.cacert.org/view.php?id=540
http://bugs.cacert.org/view.php?id=1087

In that case, I will probably remove this patch from Fedora. If this will become issue, I guess we can redirect it to the CA issuer.

werner claimed this task.