GnuTLS accepted certificate with wrong value for Keyusage extension
Description of problem:
GnuTLS accepted a certificate with a wrong value in its KeyUsage extension. WolfSSL rejects the same certificate because it considers the key usage value to be wrong.
The key usage value is: cRLSign, keyAgreement, decipherOnly, nonRepudiation, dataEncipherment, keyCertSign (critical=True).
According to RFC 5280 (section 4.2.1.3), the keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates, and "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted." Since the certificate under test asserts keyCertSign, it must also carry a basic constraints extension with cA=TRUE; a KeyUsage value that asserts keyCertSign on a certificate without cA=TRUE violates this MUST and should not verify.
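The following is an added example, not code from the report, from GnuTLS or from wolfSSL: it re-implements the RFC 5280 cross-check between the KeyUsage and BasicConstraints extensions on raw DER, so the rule can be tried against any extension set without a full TLS library. The DER helpers and the sample extension bytes (the report's key usage value with and without a cA=TRUE basic constraints extension) are constructed here for the demonstration; it also flags a couple of related RFC 5280 conditions (no bit set, pathLenConstraint without cA, encipherOnly/decipherOnly without keyAgreement) that go beyond the single case in the report.

```python
"""Re-check the RFC 5280 keyUsage / basicConstraints rule on DER-encoded extensions.

Added example; not GnuTLS or wolfSSL code. All DER helpers and sample inputs are
constructed here for illustration.
"""

# Named bits of the KeyUsage BIT STRING, RFC 5280 section 4.2.1.3 (bit 0 first)
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15 id-ce-keyUsage
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19 id-ce-basicConstraints


def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the TLV) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        nbytes = first & 0x7F
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + n], pos + n


def der_children(body: bytes):
    """Yield (tag, value) for each TLV inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        yield tag, value


def encode_key_usage(names) -> bytes:
    """KeyUsage ::= BIT STRING, DER named-bit form (trailing zero bits are dropped)."""
    bits = [KEY_USAGE_BITS.index(n) for n in names]
    highest = max(bits)
    body = bytearray(highest // 8 + 1)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - (highest % 8)            # first content octet: unused bits in last octet
    return der(0x03, bytes([unused]) + bytes(body))


def decode_key_usage(extn_value: bytes) -> set:
    """Decode the BIT STRING into the set of asserted bit names (unknown bits ignored)."""
    tag, body, _ = der_read(extn_value)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, octets = body[0], body[1:]
    names = set()
    for i in range(len(octets) * 8 - unused):
        if i < len(KEY_USAGE_BITS) and octets[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def decode_basic_constraints(extn_value: bytes):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    tag, body, _ = der_read(extn_value)
    assert tag == 0x30, "BasicConstraints must be a SEQUENCE"
    ca, path_len = False, None
    for t, v in der_children(body):
        if t == 0x01:
            ca = v != b"\x00"
        elif t == 0x02:
            path_len = int.from_bytes(v, "big")
    return ca, path_len


def encode_extension(oid: bytes, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    parts = der(0x06, oid)
    if critical:                          # DER omits a DEFAULT FALSE value
        parts += der(0x01, b"\xff")
    parts += der(0x04, value)
    return der(0x30, parts)


def parse_extensions(extensions_der: bytes) -> dict:
    """SEQUENCE OF Extension -> {extnID bytes: (critical, extnValue bytes)}"""
    tag, body, _ = der_read(extensions_der)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    out = {}
    for _, ext in der_children(body):
        oid, critical, value = None, False, None
        for t, v in der_children(ext):
            if t == 0x06:
                oid = v
            elif t == 0x01:
                critical = v != b"\x00"
            elif t == 0x04:
                value = v
        out[oid] = (critical, value)
    return out


def check_key_usage(extensions: dict) -> list:
    """RFC 5280 4.2.1.3 / 4.2.1.9 consistency problems; [] when the extensions are acceptable."""
    problems = []
    if OID_KEY_USAGE not in extensions:
        return problems
    usage = decode_key_usage(extensions[OID_KEY_USAGE][1])
    if not usage:
        problems.append("keyUsage present but no bit is set")
    ca, path_len = False, None
    if OID_BASIC_CONSTRAINTS in extensions:
        ca, path_len = decode_basic_constraints(extensions[OID_BASIC_CONSTRAINTS][1])
    if "keyCertSign" in usage and not ca:
        problems.append("keyCertSign asserted but basicConstraints cA is not TRUE")
    if path_len is not None and not (ca and "keyCertSign" in usage):
        problems.append("pathLenConstraint present without cA=TRUE and keyCertSign")
    if ("encipherOnly" in usage or "decipherOnly" in usage) and "keyAgreement" not in usage:
        problems.append("encipherOnly/decipherOnly asserted without keyAgreement (undefined)")
    return problems


# Constructed sample input: the key usage value from the report, once on a certificate
# with no basicConstraints extension and once together with cA=TRUE.
REPORT_USAGE = ("cRLSign", "keyAgreement", "decipherOnly", "nonRepudiation",
                "dataEncipherment", "keyCertSign")
LEAF_EXTENSIONS = der(0x30, encode_extension(OID_KEY_USAGE, True, encode_key_usage(REPORT_USAGE)))
CA_EXTENSIONS = der(0x30,
                    encode_extension(OID_KEY_USAGE, True, encode_key_usage(REPORT_USAGE))
                    + encode_extension(OID_BASIC_CONSTRAINTS, True, der(0x30, der(0x01, b"\xff"))))

if __name__ == "__main__":
    for label, ext in (("no basicConstraints", LEAF_EXTENSIONS), ("cA=TRUE", CA_EXTENSIONS)):
        print(label, "->", check_key_usage(parse_extensions(ext)) or "OK")
```

The report's value encodes as the BIT STRING 03 03 07 5e 80 (decipherOnly is bit 8, so a second content octet with 7 unused bits is needed); without a basicConstraints extension the checker reports the keyCertSign/cA violation, and with cA=TRUE the same value passes.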
Version of gnutls used:
gnutls-cli 3.8.9 (built with --enable-strict-x509)
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
Ubuntu
How reproducible:
Steps to Reproduce:
1. certtool --verify --load-ca-certificate RootCA.pem --infile Cert17408145466.pem
Actual results:
Loaded CAs (1 available)
Setting log level to 10
Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
Expected results:
Not verified. The certificate is NOT trusted. For comparison, WolfSSL: wolfSSL_CertManagerVerify fails with return code -226 and the error message "Key Usage value error".