Bug 1859810
| Summary: | Certificates should have "Server Authentication" purpose in ExtendedKeyUsage | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Pitt <mpitt> |
| Component: | sscg | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 32 | CC: | sgallagh, sgrubb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-07-24 13:32:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Are you sure you verified this with Cockpit using SSCG? I just ran the exact command you specified above and then viewed the x.crt:
```
openssl x509 -text -noout -in /tmp/x.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6141212879388356455 (0x5539f89385ff2f67)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Unspecified, OU = ca-4465204251473438007, CN = t490s.sgallagh.rht
        Validity
            Not Before: Jul 24 13:06:55 2020 GMT
            Not After : Sep 11 05:46:55 2030 GMT
        Subject: C = US, O = Unspecified, CN = t490s.sgallagh.rht
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:aa:6f:cb:cd:12:21:9c:43:84:b3:ba:02:a8:12:
                    dc:47:b2:c7:80:d5:8f:b1:9d:d8:63:b7:af:17:1d:
                    d6:fd:0c:eb:49:d9:ad:05:09:a7:b4:04:63:81:0f:
                    e6:1b:40:a2:a6:f8:9c:b9:10:80:82:80:a1:1a:f4:
                    d2:cb:6c:9c:84:ed:e2:ea:e5:cb:23:23:16:13:e0:
                    10:a5:67:62:a8:19:e9:04:0e:e6:b8:36:bf:b6:f0:
                    94:58:42:17:d6:a0:32:b7:73:a2:ce:42:fe:44:e7:
                    e6:b8:a8:76:f3:1f:a2:71:d8:4c:46:7b:aa:06:11:
                    97:f1:28:e3:08:b4:30:79:c2:81:b5:ae:60:91:80:
                    66:b5:35:b1:90:03:d0:bf:5d:ef:2d:e0:d1:c3:02:
                    84:30:64:65:66:95:3f:59:9d:48:5f:75:ea:f1:d5:
                    c0:3f:39:da:74:1f:a7:d1:b5:6c:42:6b:40:3c:c0:
                    4d:21:b2:42:24:c9:96:81:3b:f7:9e:f0:f5:84:f7:
                    f2:28:d0:33:b7:41:b7:6b:0a:cd:14:94:06:5b:c0:
                    98:ea:05:3c:4f:d3:47:19:7d:d1:f5:d9:45:1f:60:
                    03:26:f1:28:4d:50:1d:62:e2:0a:1c:d7:52:01:70:
                    fb:25:93:ae:47:f7:7d:2a:4e:53:39:31:07:19:39:
                    d4:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:t490s.sgallagh.rht, DNS:localhost
            X509v3 Authority Key Identifier:
                keyid:F4:78:EC:2D:55:04:47:1F:B7:2C:31:E9:22:EF:81:17:BC:ED:15:A7
    Signature Algorithm: sha256WithRSAEncryption
         af:b4:72:ae:14:9d:9d:56:92:43:25:7d:53:45:f8:24:50:90:
         ed:5f:73:dd:ed:70:e7:ac:3d:85:20:f1:52:23:4c:2b:30:cc:
         67:10:64:77:09:0f:d6:7c:6d:65:f0:eb:97:a2:8f:fb:48:11:
         a9:e3:b7:53:29:d0:13:38:e7:e7:3b:fd:76:ec:3a:14:2b:fe:
         1c:34:10:3a:5a:20:52:2c:89:d2:32:22:df:6a:9b:c5:6c:4e:
         b6:a1:b3:66:ec:dd:b2:16:bd:e6:8b:23:63:ed:be:22:1c:7b:
         89:64:18:68:53:22:6f:dc:9e:db:16:3f:2e:96:2a:59:ac:ec:
         04:9c:de:7e:a1:54:16:d0:be:3b:78:60:a4:51:6e:b8:31:46:
         2e:5e:60:66:a1:b9:a5:77:c2:57:9d:36:d0:b0:69:90:63:16:
         f9:de:bf:15:a0:fd:63:2b:27:a1:12:1b:d3:25:7a:66:7c:6e:
         c2:80:76:d3:2f:d4:dd:5d:0a:8e:bf:9c:74:2e:72:e0:2f:f2:
         94:20:b8:49:be:00:db:b5:dd:8d:b7:47:f6:9e:fa:b4:2f:a5:
         e1:3c:99:39:13:33:27:50:0b:7c:7f:66:14:f1:7f:2a:7c:e3:
         04:bb:58:11:42:96:3b:58:9b:79:1b:30:da:1f:75:d0:92:97:
         94:3b:10:df:6b:ce:3d:53:e1:14:0b:d2:ef:dc:17:f4:99:7a:
         c0:0c:a2:85:ba:a6:b0:79:16:e2:af:b2:45:4f:11:4f:ec:47:
         e8:e2:97:fd:8b:f7:c7:15:25:cc:69:9f:34:77:6b:29:42:f0:
         aa:72:45:81:13:67:64:45:d2:b9:51:84:1a:71:8b:a7:7d:90:
         91:a9:18:ac:7d:cc:ac:10:63:06:7a:fc:5f:bc:a5:a1:58:a7:
         8f:8e:07:89:91:70:a9:f9:e2:f3:09:23:5d:9c:e5:c2:45:da:
         c7:dd:fa:d5:9f:e1:a5:6d:82:09:af:12:2b:c7:1f:23:e5:e3:
         ff:b6:16:08:bd:6a:62:5f:79:cd:a0:e5:4b:ca:97:a5:44:0f:
         89:b6:46:d4:21:54:93:e9:5b:10:63:c7:f1:19:9d:76:a1:38:
         f5:53:aa:85:b6:8a:70:43:58:e4:9f:e1:27:d1:33:db:1a:d0:
         28:7f:c7:74:b0:68:c0:ad:e1:34:43:a6:12:93:cb:74:b9:f2:
         9f:45:df:73:68:8e:b7:74:ca:d7:2b:04:43:f8:d7:3f:94:fa:
         c8:45:bd:f2:04:8b:a0:eb:d9:f7:10:2d:c7:61:71:4b:93:f1:
         1f:d2:77:6c:2b:62:05:2c:27:6c:54:a6:60:c8:56:ac:14:b2:
         29:58:dd:b0:52:6f:f2:28
```
It definitely has
```
X509v3 Extended Key Usage:
TLS Web Server Authentication
```
D'oh, I re-checked that on Fedora 32 and RHEL 8.3, and it indeed is there. Sorry for the noise, I must have been blind yesterday!
Description of problem:
According to Common Criteria, Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field, but sscg's certificate does not have an EKU field.

CC'ing Steve Grubb who found this issue during a Cockpit review.

Version-Release number of selected component (if applicable):
sscg-2.6.2-1.fc32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. sscg --cert-key-file /tmp/x.key --cert-file /tmp/x.crt --ca-file /tmp/ca.crt --hostname `hostname -f` --subject-alt-name localhost
2. openssl x509 -in /tmp/x.crt -text

Actual results:
No extendedKeyUsage field in x.crt

Expected results:
Should have extendedKeyUsage for "serverAuth".

Additional info:
See https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage how to do that with OpenSSL.
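An added example, not part of the bug report or of sscg, showing the explicit check the report asks for: it generates three constructed self-signed certificates with `openssl req` (standing in for sscg) and tests each one for the serverAuth EKU. It assumes OpenSSL 1.1.1 or later (for `-addext`) and a writable temporary directory; the certificate names and the `WORK` variable are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or sscg): build constructed
# self-signed certificates and check explicitly for the serverAuth EKU
# (id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1) that Common Criteria requires.
# Assumes OpenSSL 1.1.1+ for `req -addext`.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_cert NAME EKU: self-signed cert for CN=localhost. An empty EKU
# argument produces a certificate with no extendedKeyUsage extension at all.
make_cert() {
    name=$1; eku=$2
    if [ -n "$eku" ]; then
        addext="-addext extendedKeyUsage=$eku"
    else
        addext=""
    fi
    # shellcheck disable=SC2086
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" $addext \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# has_server_auth_eku CERT: exit 0 only if the EKU extension is present AND
# lists serverAuth; openssl prints that OID as "TLS Web Server Authentication".
has_server_auth_eku() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Caveat: `openssl verify -purpose sslserver` does not flag a certificate whose
# EKU extension is merely absent (absence means "any purpose" in RFC 5280),
# so a presence check like the one above is needed for the CC requirement.

make_cert serverauth serverAuth
make_cert noeku ""
make_cert clientonly clientAuth

for c in serverauth noeku clientonly; do
    if has_server_auth_eku "$WORK/$c.crt"; then
        echo "$c.crt: serverAuth EKU present"
    else
        echo "$c.crt: serverAuth EKU MISSING"
    fi
done
```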