GPGSM: Might not handle extended key usage properly
Open, Normal, Public


I'm not sure I agree with the original reporter here that this is a bug. I give it Normal priority for someone else to look at. Feel free to change the prio accordingly. The test certificate here contains an extended key usage of "serverAuth" but afaik extended key usage is just a suggestion and does not _need_ to be anything at all. But I could be wrong or based on an older S/MIME standard....

Moved out of T3948:


Checks the behaviour of an email client when the target certificate specifies an EKU other than emailProtection or anyExtendedKeyUsage. This path is invalid. When this extension is present, then it must contain one of those two values.

Root CA:


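# Use a throwaway GnuPG home so the test does not touch the real keybox.
export GNUPGHOME="$(mktemp -d)"
gpgsm --import CERT_PATH_EMAIL_04_ROOT_CA.TA.crt
# Trust the test root for this run.
echo "87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0 S" > "$GNUPGHOME/trustlist.txt"
# Test setup only: CRL checks are switched off.
echo "disable-crl-checks" > "$GNUPGHOME/gpgsm.conf"
gpgparsemail --crypto CERT_PATH_EMAIL_04.eml
gpgsm --with-validation -k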

           ID: 0xDD932FD0
          S/N: 01
       Issuer: /CN=Test Root/C=DE
      Subject: /CN=Test Root/C=DE
     validity: 2017-09-02 09:24:39 through 2022-09-05 09:24:39
     key type: 2048 bit RSA
    key usage: certSign crlSign
 chain length: 1
  fingerprint: 87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0
  [certificate is good]

           ID: 0x16DD0EC2
          S/N: 02
       Issuer: /CN=Test Root/C=DE
      Subject: /CN=Test Sub CA/C=DE
     validity: 2017-09-04 09:24:42 through 2020-09-05 09:24:42
     key type: 2048 bit RSA
    key usage: certSign crlSign
 chain length: 0
  fingerprint: 3E:5A:2C:35:41:0A:C2:FC:E0:A1:B4:04:84:A0:CF:B2:16:DD:0E:C2
  [certificate is good]

           ID: 0xCC0677A5
          S/N: 00EA64
       Issuer: /CN=Test Sub CA/C=DE
      Subject: /CN=Test EE/C=DE
     validity: 2017-09-05 01:26:19 through 2018-09-05 09:26:19
     key type: 2048 bit RSA
    key usage: digitalSignature keyEncipherment
ext key usage: serverAuth (suggested)
  fingerprint: ED:F5:10:08:6C:DC:73:F5:CF:F2:B5:91:15:F1:49:D1:CC:06:77:A5
  [certificate is good]
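
The rule quoted from T3948 can be checked against a listing like the one above. This is an added example, not part of the original report and not GnuPG code. The function names `eku_smime_audit` and `sample_listing`, the third sample entry, and the layout of additional purposes on indented continuation lines are assumptions; it also assumes the listing prints `emailProtection` and `anyExtendedKeyUsage` in the same style as `serverAuth`.

```sh
# Rule from the report: an EKU extension, when present, must contain
# emailProtection or anyExtendedKeyUsage. No extension means no restriction.
eku_smime_audit() {
  awk '
    function emit() {
      if (id == "") return
      verdict = (!has_eku) ? "ok-no-eku" : (allowed ? "ok" : "eku-mismatch")
      print id, verdict, (has_eku ? ekus : "-")
      id = ""; has_eku = 0; allowed = 0; ekus = ""; in_eku = 0
    }
    function add(name) {
      ekus = (ekus == "" ? name : ekus "," name)
      if (name == "emailProtection" || name == "anyExtendedKeyUsage") allowed = 1
    }
    /^ *ID: / { emit(); id = $2; next }
    /^ *ext key usage: / {
      has_eku = 1; in_eku = 1
      sub(/^ *ext key usage: */, "")
      add($1); next
    }
    # Assumed layout: more purposes follow on indented "name (suggested)" lines.
    in_eku && /^ +[A-Za-z0-9.]+ \((suggested|critical)\) *$/ { add($1); next }
    { in_eku = 0 }
    END { emit() }
  '
}

# Sample input: the first two entries are abridged from the listing above,
# the third (ID 0x00000000) is constructed for illustration.
sample_listing() {
  cat <<'EOF'
           ID: 0xDD932FD0
    key usage: certSign crlSign
  [certificate is good]

           ID: 0xCC0677A5
    key usage: digitalSignature keyEncipherment
ext key usage: serverAuth (suggested)
  [certificate is good]

           ID: 0x00000000
ext key usage: clientAuth (suggested)
               emailProtection (suggested)
EOF
}

sample_listing | eku_smime_audit
```

Against a real keybox, pipe the listing in with `gpgsm --with-validation -k | eku_smime_audit`; an `eku-mismatch` line next to `[certificate is good]` is the case this task is about.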


aheinecke renamed this task from GPGSM: Does not handle extended key usage to GPGSM: Might not handle extended key usage properly.