Wrong CDP in certificate
Description of problem:
When certtool signs a CSR (--generate-certificate), the CDP of the issued certificate is copied from the signing CA's own certificate. The CDP should instead be specified, if one is needed at all, in the template. Copying the signing CA's CDP is wrong almost all of the time: a CA certificate's CDP names the CRL of the CA's own issuer, not the CRL the CA itself publishes, so the copy would only be right in the case (which doesn't make sense) where a CDP exists in the Root CA's certificate.
Version of gnutls used:
The latest checkout on branch master
How reproducible:
Steps to Reproduce:
root-ca.cfg
organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key
issuing-ca.cfg
organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0
servercert.cfg
organization = "Initech"
cn = "test.example.com"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_CA.crl"
tls_www_server
key_agreement
data_encipherment
certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem
certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem
certtool --generate-request --load-privkey Initech_CA-key.pem --template issuing-ca.cfg --outfile Initech_CA-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template issuing-ca.cfg --outfile Initech_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile test.initech.lan-key.pem
certtool --generate-request --load-privkey test.initech.lan-key.pem --template servercert.cfg --outfile test.initech.lan-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_CA-key.pem --load-ca-certificate Initech_CA-cert.pem --load-request test.initech.lan-csr.pem --template servercert.cfg --outfile test.initech.lan-cert.pem
Actual results:
The CDP in the server certificate points to the Root CA's CRL (http://crl.initech.lan/Initech_Root_CA.crl, inherited from the Issuing CA's certificate).
Expected results:
The CDP in the server certificate points to the Issuing CA's CRL as specified in servercert.cfg (http://crl.initech.lan/Initech_CA.crl).
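The check below is an added example and not part of this bug report or of GnuTLS: it extracts the CDP URIs from the text that certtool -i prints (assumed to list each URI of the "CRL Distribution points:" block on its own "URI:" line) so the server certificate from the steps above can be compared with its issuer's CDP; the certificate excerpts embedded in it are constructed, not real certtool output.

```shell
# Added example, not part of the GnuTLS bug report: pull the CRL distribution
# point (CDP) URIs out of `certtool -i` text and check them against what the
# signing template should have produced.
# Assumption: certtool's "CRL Distribution points:" block lists each URI on its
# own "URI: <uri>" line; the sample excerpts below are constructed, not real output.

# Print every CDP URI in certtool -i text read from stdin, one per line.
cdp_uris() {
    awk '
        /CRL Distribution points:/ { inblock = 1; next }
        inblock && /^[[:space:]]*URI:/ {
            sub(/^[[:space:]]*URI:[[:space:]]*/, ""); print; next
        }
        inblock && /:[[:space:]]*$/ { inblock = 0 }   # next extension header ends the block
    '
}

# check_cdp EXPECTED_URI < certtool-text : succeeds only if the first CDP URI matches.
check_cdp() {
    [ "$(cdp_uris | head -n 1)" = "$1" ]
}

# inherited_cdp LEAF_TEXT ISSUER_TEXT : succeeds if the leaf merely carries its
# issuer's own CDP, which is the symptom reported above.
inherited_cdp() {
    leaf="$(printf '%s\n' "$1" | cdp_uris | head -n 1)"
    issuer="$(printf '%s\n' "$2" | cdp_uris | head -n 1)"
    [ -n "$leaf" ] && [ "$leaf" = "$issuer" ]
}

# For a real file: cert_cdp test.initech.lan-cert.pem  (needs certtool installed)
cert_cdp() {
    certtool -i --infile "$1" | cdp_uris
}

# Constructed excerpts of certtool -i output for the scenario in the report.
ISSUING_CA='        CRL Distribution points:
            URI: http://crl.initech.lan/Initech_Root_CA.crl
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE'
BUGGY_LEAF='        CRL Distribution points:
            URI: http://crl.initech.lan/Initech_Root_CA.crl
        Key Usage (critical):
            Key agreement.'
FIXED_LEAF='        CRL Distribution points:
            URI: http://crl.initech.lan/Initech_CA.crl
        Key Usage (critical):
            Key agreement.'
```

With a real chain, cert_cdp on the server certificate and on Initech_CA-cert.pem should return different URIs; identical URIs are the symptom this report describes.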
Proposed fix
--- certtool.c.org 2020-11-26 23:16:24.415557527 +0100
+++ certtool.c 2020-11-26 23:19:09.234423551 +0100
@@ -781,10 +781,8 @@
/* always set CRL distribution points on CAs, but also on certificates
* generated with --generate-self-signed. The latter is to retain
* compatibility with previous versions of certtool. */
- if (ca_status || (!proxy && ca_crt == NULL)) {
+ if (ca_status || (!proxy)) {
get_crl_dist_point_set(crt);
- } else if (!proxy && ca_crt != NULL) {
- gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);
}
*ret_key = key;
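Review bot: with the else-if branch removed, get_crl_dist_point_set(crt) now runs for every non-proxy certificate, including end-entity certificates whose template sets no crl_dist_points, so it is worth confirming that it adds no (empty) CRL Distribution Points extension in that case. The comment just above the condition ("always set CRL distribution points on CAs, but also on certificates generated with --generate-self-signed") now describes the old behaviour and should be reworded to say the template is the only source of the CDP. Since gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt) is no longer called on this path, dropping the inherited CDP is a user-visible change that belongs in NEWS and the certtool documentation; if a fallback is wanted for existing users, copy from ca_crt only when the template lists no crl_dist_points, so that the template always wins. Style nit: the parentheses in "(!proxy)" are redundant now that the branch is a single term; "if (ca_status || !proxy)" reads cleaner.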