Bug 720174

Summary: [PATCH] gnupg2 fails to verify some OCSP responses
Product: [Fedora] Fedora
Component: gnupg2
Version: 15
Reporter: Tomáš Trnka <tomastrnka>
Assignee: Rex Dieter <rdieter>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bcl, nalin, rdieter, slukasik, tmraz
Status: CLOSED RAWHIDE
Severity: medium
Priority: unspecified
Hardware: All
OS: All
Fixed In Version: gnupg2-2.0.19-1.fc18
Doc Type: Bug Fix
Last Closed: 2012-05-02 14:25:41 UTC
Attachments: proposed fix (flags: none)

Description Tomáš Trnka 2011-07-10 15:55:34 UTC
Description of problem:
GnuPG 2 fails to verify OCSP responses signed using a certificate without the keyUsage extension (but with extendedKeyUsage set properly to OCSP signing as required by RFC 2560). Such a certificate is used e.g. by CAcert.org. The keyUsage check as currently implemented doesn't make much sense; attached is a simple patch fixing that (applies cleanly to both gnupg2-2.0.17-1.fc15 and gnupg2-2.0.16-3.fc14).

This has been reported upstream as https://bugs.g10code.com/gnupg/issue1333 (no response yet).

Comment 1 Tomáš Trnka 2011-07-10 15:57:49 UTC
Created attachment 512093 [details]
proposed fix
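
The acceptance rule at issue in this report, as an added example that is not taken from the bug report, the attached patch, or GnuPG's source. It assumes a simplified `cert_model` struct (hypothetical) in place of a parsed certificate; `strict_accepts` models one way a check can reject the certificates the report describes, and `tolerant_accepts` treats an absent keyUsage extension as placing no restriction while still requiring the OCSP-signing extendedKeyUsage.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* id-kp-OCSPSigning, the extendedKeyUsage OID defined by RFC 2560. */
#define OID_KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"
/* keyUsage flag values, constructed for this model only. */
#define KU_DIGITAL_SIGNATURE 0x80u
#define KU_KEY_CERT_SIGN     0x04u

/* Hypothetical, simplified view of a parsed responder certificate. */
struct cert_model {
    bool has_key_usage;   /* is the keyUsage extension present at all? */
    unsigned key_usage;   /* flag bits; meaningful only if has_key_usage */
    const char *eku[4];   /* extendedKeyUsage OIDs, NULL-terminated */
};

static bool eku_has(const struct cert_model *c, const char *oid) {
    for (size_t i = 0; i < 4 && c->eku[i] != NULL; i++)
        if (strcmp(c->eku[i], oid) == 0) return true;
    return false;
}

/* Over-strict: a missing keyUsage extension is read as "nothing allowed". */
bool strict_accepts(const struct cert_model *c) {
    return c->has_key_usage && (c->key_usage & KU_DIGITAL_SIGNATURE)
        && eku_has(c, OID_KP_OCSP_SIGNING);
}

/* Tolerant: keyUsage restricts only when present; the EKU is always required. */
bool tolerant_accepts(const struct cert_model *c) {
    if (c->has_key_usage && !(c->key_usage & KU_DIGITAL_SIGNATURE))
        return false;
    return eku_has(c, OID_KP_OCSP_SIGNING);
}

int main(void) {
    /* Constructed sample: no keyUsage extension, EKU = OCSP signing. */
    struct cert_model no_ku = { false, 0u, { OID_KP_OCSP_SIGNING, NULL } };
    printf("strict:   %s\n", strict_accepts(&no_ku) ? "accept" : "reject");
    printf("tolerant: %s\n", tolerant_accepts(&no_ku) ? "accept" : "reject");
    return 0;
}
```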