I'm not sure I agree with the original reporter here that this is a bug. I give it Normal priority for someone else to look at. Feel free to change the prio accordingly. The test certificate here contains an extended key usage of "serverAuth" but afaik extended key usage is just a suggestion and does not _need_ to be anything at all. But I could be wrong or based on an older S/MIME standard....
Moved out of T3948:
CERT_PATH_EMAIL_04|ERROR|INVALID|VALID
Checks the behaviour of an email client when the target certificate specifies an EKU other than emailProtection or anyExtendedKeyUsage. This path is invalid. When this extension is present, then it must contain one of those two values.
Root CA:
Testmsg:
```
export GNUPGHOME=$(mktemp -d)
gpgsm --import CERT_PATH_EMAIL_04_ROOT_CA.TA.crt
echo "87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0 S" > $GNUPGHOME/trustlist.txt
echo "disable-crl-checks" > $GNUPGHOME/gpgsm.conf
gpgparsemail --crypto CERT_PATH_EMAIL_04.eml
gpgsm --with-validation -k

/tmp/tmp.5fjoh1lH2g/pubring.kbx
-------------------------------
           ID: 0xDD932FD0
          S/N: 01
       Issuer: /CN=Test Root/C=DE
      Subject: /CN=Test Root/C=DE
     validity: 2017-09-02 09:24:39 through 2022-09-05 09:24:39
     key type: 2048 bit RSA
    key usage: certSign crlSign
 chain length: 1
  fingerprint: 87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0
  [certificate is good]

           ID: 0x16DD0EC2
          S/N: 02
       Issuer: /CN=Test Root/C=DE
      Subject: /CN=Test Sub CA/C=DE
     validity: 2017-09-04 09:24:42 through 2020-09-05 09:24:42
     key type: 2048 bit RSA
    key usage: certSign crlSign
 chain length: 0
  fingerprint: 3E:5A:2C:35:41:0A:C2:FC:E0:A1:B4:04:84:A0:CF:B2:16:DD:0E:C2
  [certificate is good]

           ID: 0xCC0677A5
          S/N: 00EA64
       Issuer: /CN=Test Sub CA/C=DE
      Subject: /CN=Test EE/C=DE
          aka: test@mtg.de
     validity: 2017-09-05 01:26:19 through 2018-09-05 09:26:19
     key type: 2048 bit RSA
    key usage: digitalSignature keyEncipherment
ext key usage: serverAuth (suggested)
  fingerprint: ED:F5:10:08:6C:DC:73:F5:CF:F2:B5:91:15:F1:49:D1:CC:06:77:A5
  [certificate is good]
```