Bug 806959

Summary: certificate key usage is displayed wrong
Product: [Fedora] Fedora Reporter: Mr-4 <mr.dash.four>
Component: openvpnAssignee: Steven Pritchard <steve>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: davids, gwync, huzaifas, psabata, steve
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-13 22:27:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mr-4 2012-03-26 15:32:53 UTC 
Description of problem:
When openvpn displays certificate key usage, it displays it wrong. For example, if I have "digitalSignature and keyAgreement" bits on, then openvpn interprets this as 0x88, which is wrong (see below).

Version-Release number of selected component (if applicable):
2.2.1, but also 2.2.2 (the latest stable)

How reproducible:
Always

Steps to Reproduce:
1. run openvpn with --remote-cert-tls option enabled
2.
3.
  
Actual results:
Something like this in the logs (server side):

Mon Mar 26 14:36:55 2012 xx Validating certificate key usage
Mon Mar 26 14:36:55 2012 xx ++ Certificate has key usage  0088, expects 0080
Mon Mar 26 14:36:55 2012 xx ++ Certificate has key usage  0088, expects 0008
Mon Mar 26 14:36:55 2012 xx ++ Certificate has key usage  0088, expects 0088

In other words, it interprets bit 0 (digitalSignature) and bit 4 (keyAgreement) wrong as 0x88 hex, when it should be interpreted (and displayed) as 0x11 hex.

Expected results:
Mon Mar 26 14:36:55 2012 xx Validating certificate key usage
Mon Mar 26 14:36:55 2012 xx ++ Certificate has key usage  0011, expects 0010
Mon Mar 26 14:36:55 2012 xx ++ Certificate has key usage  0011, expects 0001
Mon Mar 26 14:36:55 2012 xx ++ Certificate has key usage  0011, expects 0011

Additional info:
According to Section 4.2.1.3 of RFC3280, the certificate key usage is defined as follows:

KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }

In other words, the values of digitalSignature (bit 0 - 0x01 hex, 00000001 binary) and/or keyAgreement (bit 4 - 0x10 hex, 0001 0000 binary), when OR-ed should give me the following numbers for the certificate key usage: 0x01 (0000 0001), 0x10 (0001 0000) or 0x11 (0001 0001), not 0x80 (1000 0000) 0x08 (0000 1000) or 0x88 (1000 1000).

Similar for the server: bit 0 and (bit 2 or bit 4) makes this as 0x5 (0000 0101) or 0x11 (0001 0001), not 0xa0 (1010 0000) or 0x88 (1000 1000).

Not only is the interpretation of the above wrong, but the openvpn man pages as well as the on-line manual is also incorrect, as it states that the predefined certificate key usage for clients is "80 08 88" - "digitalSignature and/or keyAgreement". 

The same for the server - "a0 88" when "digitalSignature and ( keyEncipherment or keyAgreement )" is used.
Comment 1 Mr-4 2012-04-24 00:40:53 UTC 
Any movement on this?
Comment 2 Fedora End Of Life 2013-01-16 17:37:39 UTC 
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Fedora End Of Life 2013-02-13 22:27:39 UTC 
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.