GnuTLS accepts a cert whose basicConstraints.cA==False but keyUsage.keyCertSign is set
Description of problem:
GnuTLS accepts a cert whose basicConstraints.cA==False but keyUsage.keyCertSign is set.
Version of gnutls used:
3.5.5, 3.6.13
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu x64
How reproducible:
Steps to Reproduce:
certtool --verify --load-ca-certificate ca.pem --infile seed-16s31-206s38.pem
Actual results:
certtool --verify --load-ca-certificate ./certs_related/ca.pem --infile ./certs/seed-16s31-206s38.pem
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded CAs (1 available)
Subject: CN=DT-peace,OU=UNSC-peace,O=UNGA,ST=NYS,C=UN
Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
Checked against: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
Expected results:
The cert should be rejected, since it has no right (basicConstraints.cA==False) to sign certificates, yet keyUsage.keyCertSign is set.
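Added example, not part of this report or of GnuTLS: a stdlib-only Python check for the RFC 5280 rule the report expects the verifier to enforce (cA not asserted implies keyCertSign must not be asserted), working directly on a certificate's DER-encoded Extensions sequence. The helper names and the sample extension values are constructed here and are not taken from the report's certificates.

```python
# RFC 5280 4.2.1.9: if basicConstraints.cA is FALSE (or absent), keyUsage.keyCertSign
# must not be asserted. Input is the DER Extensions SEQUENCE of a certificate.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")           # 2.5.29.15
KEY_CERT_SIGN = 0x80 >> 5                         # KeyUsage bit 5, MSB-first

def der_tlv(buf, pos=0):
    """Decode one definite-length DER TLV; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Yield (tag, contents) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, value, pos = der_tlv(contents, pos)
        yield tag, value

def parse_extensions(extensions_der):
    """Map extnID bytes -> extnValue OCTET STRING contents."""
    exts = {}
    for _, ext in der_children(der_tlv(extensions_der)[1]):
        fields = list(der_children(ext))          # OID, optional critical BOOLEAN, OCTET STRING
        exts[fields[0][1]] = fields[-1][1]
    return exts

def is_ca(exts):
    """cA defaults to FALSE; an explicit BOOLEAN (DER or BER-style FALSE) is honoured."""
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is None:
        return False
    return any(tag == 0x01 and value != b"\x00"
               for tag, value in der_children(der_tlv(bc)[1]))

def has_key_cert_sign(exts):
    """BIT STRING contents: unused-bit count, then the usage bits MSB-first."""
    ku = exts.get(OID_KEY_USAGE)
    if ku is None:
        return False
    bits = der_tlv(ku)[1]
    return len(bits) > 1 and bool(bits[1] & KEY_CERT_SIGN)

def keycertsign_without_ca(extensions_der):
    """True for the malformed combination that certtool accepted in this report."""
    exts = parse_extensions(extensions_der)
    return has_key_cert_sign(exts) and not is_ca(exts)

# Constructed sample Extensions values (not the report's certificates):
EE_KEYCERTSIGN = bytes.fromhex("301e" "300c0603551d130101ff04023000" "300e0603551d0f0101ff040403020204")
CA_KEYCERTSIGN = bytes.fromhex("3021" "300f0603551d130101ff040530030101ff" "300e0603551d0f0101ff040403020204")
EE_DIGSIG_ONLY = bytes.fromhex("301e" "300c0603551d130101ff04023000" "300e0603551d0f0101ff040403020780")
```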