GnuTLS does not require the Key Usage extension in CA certificates during client certificate authentication.
Description of problem:
During client certificate authentication (tested with TLS 1.0 to 1.2), GnuTLS accepts certificate chains in which the intermediate CA certificate has no Key Usage extension. However, the specification for X.509 certificates, RFC 5280, states regarding the Key Usage extension that "Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When present, conforming CAs SHOULD mark this extension as critical."
I think that this constraint should be enforced by libraries through checking that the extension is present and contains the correct values.
Version of gnutls used:
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
Compiled from source after cloning the respective branch from GitHub
Steps to Reproduce:
- Use OpenSSL s_client or a similar tool to connect to the server using the following two certificates. This example uses OpenSSL.
openssl s_client -connect localhost:4433 -cert ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__ca_certificate1.pem
Actual results:
GnuTLS accepts the certificate chain and proceeds with the handshake.
Expected results:
GnuTLS should reject the certificate chain since the CA certificate is invalid. Consequently, the handshake should be aborted.
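To make the RFC 5280 rule concrete, here is an added illustration (not GnuTLS code and not part of this report) of the check a verifier should apply to a CA certificate: walk the DER-encoded Extensions field, locate Key Usage (OID 2.5.29.15) and require the keyCertSign bit. The extension blobs at the bottom are constructed by hand for the three cases that matter (extension absent, present without keyCertSign, present with keyCertSign).

```python
# Minimal DER walk over an X.509 Extensions SEQUENCE (RFC 5280 section 4.1).
# Added example with hand-constructed sample data; it is not GnuTLS code.

KEY_USAGE_OID = bytes.fromhex("551d0f")   # DER value of OID 2.5.29.15 (keyUsage)
KEY_CERT_SIGN_BIT = 5                      # KeyUsage bit index per RFC 5280 4.2.1.3

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Yield (tag, value) for each element inside a SEQUENCE's content bytes."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value

def key_usage_bits(extensions_der):
    """Set of asserted KeyUsage bit indices, or None when the extension is absent."""
    for _tag, ext in _children(_read_tlv(extensions_der, 0)[1]):
        fields = list(_children(ext))          # [OID, optional critical BOOLEAN, OCTET STRING]
        if fields[0][1] != KEY_USAGE_OID:
            continue
        bit_string = _read_tlv(fields[-1][1], 0)[1]   # BIT STRING inside the OCTET STRING
        unused, payload = bit_string[0], bit_string[1:]
        total = len(payload) * 8 - unused
        return {i for i in range(total) if payload[i // 8] & (0x80 >> (i % 8))}
    return None

def ca_key_usage_ok(extensions_der):
    """RFC 5280: a CA certificate must carry Key Usage and it must include keyCertSign."""
    bits = key_usage_bits(extensions_der)
    return bits is not None and KEY_CERT_SIGN_BIT in bits

# Constructed sample extensions (hex), each critical:
BASIC_CA = "300f0603551d130101ff040530030101ff"      # basicConstraints cA=TRUE
KU_CERT_SIGN = "300e0603551d0f0101ff040403020106"    # keyUsage keyCertSign|cRLSign
KU_DIG_SIG = "300e0603551d0f0101ff040403020780"      # keyUsage digitalSignature only
EXT_NO_KEY_USAGE = bytes.fromhex("3011" + BASIC_CA)            # the reported chain's CA shape
EXT_WRONG_KEY_USAGE = bytes.fromhex("3021" + BASIC_CA + KU_DIG_SIG)
EXT_GOOD_CA = bytes.fromhex("3021" + BASIC_CA + KU_CERT_SIGN)
```

In a GnuTLS-based verifier the same information comes from gnutls_x509_crt_get_key_usage(), which reports the extension as unavailable when it is absent; the point of the check is that "absent" must be treated as a failure for a CA certificate, not as "no restriction".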