
missing keyCertSign extension on intermediate ca #56

@krmxd

Description

https://www.rfc-editor.org/rfc/rfc5280#section-4.2

  The keyCertSign bit is asserted when the subject public key is
  used for verifying signatures on public key certificates.  If the
  keyCertSign bit is asserted, then the cA bit in the basic
  constraints extension (Section 4.2.1.9) MUST also be asserted.

  The cRLSign bit is asserted when the subject public key is used
  for verifying signatures on certificate revocation lists (e.g.,
  CRLs, delta CRLs, or ARLs).

When creating a full chain, the intermediate CA seems to be missing the key usage extensions needed for verifying signatures.

The issue_csr method isn't adding the needed extensions (at least that's my (current) finding).

```python
from cryptography import x509

# CSR builder already in use before the fix (assumed; not shown in the original report)
csr_builder = x509.CertificateSigningRequestBuilder()

# Key usage an intermediate CA needs: keyCertSign to verify certificate
# signatures, cRLSign to verify CRL signatures (RFC 5280, section 4.2.1.3)
csr_builder = csr_builder.add_extension(
    x509.KeyUsage(
        key_cert_sign=True,
        crl_sign=True,
        digital_signature=True,
        content_commitment=True,
        key_encipherment=False,
        data_encipherment=False,
        key_agreement=False,
        encipher_only=False,
        decipher_only=False,
    ),
    critical=False,
)
```
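The following is an added, self-contained example (not the project's code and not from the reporter) that reproduces the defect described above with the `cryptography` library and checks the issued certificate against the RFC 5280 rules quoted in the issue. The helper names (`issue_ca_cert`, `ca_key_usage_problems`, `demo`) are hypothetical, the keys and names are generated in memory, and the issuer sets `BasicConstraints` and `KeyUsage` itself instead of copying them from a CSR. It builds three intermediates: one without any `KeyUsage` (the bug), one with `keyCertSign` asserted but `cA` false (the combination RFC 5280 forbids), and one correct.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue_ca_cert(subject_cn, subject_key, issuer_name, issuer_key,
                  add_key_usage=True, ca=True, path_length=None):
    """Hypothetical issuer helper for a certificate meant to act as a CA.

    add_key_usage=False reproduces the defect from the issue: cA=TRUE but no
    KeyUsage extension at all. ca=False with add_key_usage=True produces the
    combination RFC 5280 forbids: keyCertSign asserted while cA is not.
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        # pathLenConstraint is only allowed when cA is TRUE
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length if ca else None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), critical=False)
    )
    if add_key_usage:
        builder = builder.add_extension(
            x509.KeyUsage(
                digital_signature=True,   # e.g. signing OCSP responses
                content_commitment=False,
                key_encipherment=False,
                data_encipherment=False,
                key_agreement=False,
                key_cert_sign=True,       # verify signatures on certificates
                crl_sign=True,            # verify signatures on CRLs
                encipher_only=False,
                decipher_only=False,
            ),
            critical=True,
        )
    return builder.sign(issuer_key, hashes.SHA256())


def ca_key_usage_problems(cert):
    """Return RFC 5280 violations relevant to a certificate used as a CA."""
    problems = []
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
        problems.append("BasicConstraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        problems.append("KeyUsage extension missing (RFC 5280 4.2.1.3 requires it in CA certificates)")
        return problems
    if not ku.key_cert_sign:
        problems.append("keyCertSign not asserted; this key cannot verify certificate signatures")
    if not ku.crl_sign:
        problems.append("cRLSign not asserted; this key cannot verify CRL signatures")
    if ku.key_cert_sign and not is_ca:
        problems.append("keyCertSign asserted but BasicConstraints cA is not (RFC 5280 4.2.1.3)")
    return problems


def demo():
    """Build a root and three intermediates; return the problems found in each."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    inter_key = ec.generate_private_key(ec.SECP256R1())
    root = issue_ca_cert("Example Root", root_key, _name("Example Root"), root_key)

    missing_ku = issue_ca_cert("Example Intermediate", inter_key, root.subject, root_key,
                               add_key_usage=False, path_length=0)
    no_ca_bit = issue_ca_cert("Example Intermediate", inter_key, root.subject, root_key,
                              add_key_usage=True, ca=False)
    fixed = issue_ca_cert("Example Intermediate", inter_key, root.subject, root_key,
                          add_key_usage=True, path_length=0)
    return {
        "root": ca_key_usage_problems(root),
        "missing_key_usage": ca_key_usage_problems(missing_ku),
        "keycertsign_without_ca": ca_key_usage_problems(no_ca_bit),
        "fixed": ca_key_usage_problems(fixed),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

Whether the extensions originate in the CSR (as in the snippet above) or are added by the issuer, the issuer is the party that decides a certificate is a CA, so it should set `BasicConstraints` and `KeyUsage` explicitly rather than trusting whatever the CSR carries; a check like `ca_key_usage_problems` run on the issued certificate catches the missing extension regardless of which side was supposed to add it.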

Labels: bug, good first issue, help wanted