Bug 1859810 - Certificates should have "Server Authentication" purpose in ExtendedKeyUsage
Summary: Certificates should have "Server Authentication" purpose in ExtendedKeyUsage
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: sscg
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-23 05:12 UTC by Martin Pitt
Modified: 2020-07-24 13:32 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-24 13:32:44 UTC
Type: Bug
Embargoed:
Description Martin Pitt 2020-07-23 05:12:47 UTC
Description of problem: According to Common Criteria,

    Server certificates presented for TLS shall have the Server Authentication
    purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.

but sscg's certificate does not have an EKU field.

CC'ing Steve Grubb who found this issue during a Cockpit review.

Version-Release number of selected component (if applicable):

sscg-2.6.2-1.fc32.x86_64

How reproducible: Always

Steps to Reproduce:
1. sscg --cert-key-file /tmp/x.key --cert-file /tmp/x.crt --ca-file /tmp/ca.crt --hostname `hostname -f` --subject-alt-name localhost
2. openssl x509 -in /tmp/x.crt -text

Actual results: No extendedKeyUsage field in x.crt

Expected results: Should have extendedKeyUsage for "serverAuth".


Additional info: See https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage for how to do that with OpenSSL.
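The check the expected results ask for, as an added example that is not part of the bug report or of sscg: a pure-Python walk over a DER-encoded X.509 Extensions block that reports whether extendedKeyUsage (2.5.29.37) lists serverAuth (1.3.6.1.5.5.7.3.1). It assumes the caller has already pulled the Extensions SEQUENCE out of tbsCertificate (for example with an ASN.1 library); the sample bytes are constructed for this example, not taken from a real certificate.

```python
# Added example (not sscg's code): does an X.509 Extensions block carry serverAuth
# in extendedKeyUsage?  DER is walked by hand so this runs offline; samples are constructed.
EKU_OID = "2.5.29.37"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128, high bit set on all but the last byte
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_purposes(extensions_der):
    """Return the KeyPurposeId OIDs in extendedKeyUsage, or [] if the extension is absent."""
    _, exts, _ = read_tlv(extensions_der, 0)       # SEQUENCE OF Extension
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)          # Extension ::= SEQUENCE
        _, oid, p = read_tlv(ext, 0)               # extnID
        if decode_oid(oid) != EKU_OID:
            continue
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                            # optional 'critical' BOOLEAN comes first
            _, val, p = read_tlv(ext, p)
        _, seq, _ = read_tlv(val, 0)               # extnValue OCTET STRING wraps SEQUENCE OF OID
        oids, q = [], 0
        while q < len(seq):
            _, o, q = read_tlv(seq, q)
            oids.append(decode_oid(o))
        return oids
    return []

def has_server_auth(extensions_der):
    """True when extendedKeyUsage is present and lists serverAuth, as the report expects."""
    return SERVER_AUTH_OID in eku_purposes(extensions_der)

# Constructed samples: basicConstraints (critical, CA:FALSE) with and without an EKU.
SAMPLE_WITH_SERVER_AUTH = bytes.fromhex(
    "3023" "300c 0603551d13 0101ff 0402 3000"                # basicConstraints
    "3013 0603551d25 040c 300a 06082b06010505070301")         # EKU: serverAuth
SAMPLE_NO_EKU = bytes.fromhex("300e 300c 0603551d13 0101ff 0402 3000")  # the reported case
```

On a real certificate the same extension shows up in step 2 above as "X509v3 Extended Key Usage: TLS Web Server Authentication".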

Comment 1 Stephen Gallagher 2020-07-24 13:16:06 UTC
Are you sure you verified this with Cockpit using SSCG? I just ran the exact command you specified above and then viewed the x.crt:

```
openssl x509 -text -noout -in /tmp/x.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6141212879388356455 (0x5539f89385ff2f67)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Unspecified, OU = ca-4465204251473438007, CN = t490s.sgallagh.rht
        Validity
            Not Before: Jul 24 13:06:55 2020 GMT
            Not After : Sep 11 05:46:55 2030 GMT
        Subject: C = US, O = Unspecified, CN = t490s.sgallagh.rht
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:aa:6f:cb:cd:12:21:9c:43:84:b3:ba:02:a8:12:
                    dc:47:b2:c7:80:d5:8f:b1:9d:d8:63:b7:af:17:1d:
                    d6:fd:0c:eb:49:d9:ad:05:09:a7:b4:04:63:81:0f:
                    e6:1b:40:a2:a6:f8:9c:b9:10:80:82:80:a1:1a:f4:
                    d2:cb:6c:9c:84:ed:e2:ea:e5:cb:23:23:16:13:e0:
                    10:a5:67:62:a8:19:e9:04:0e:e6:b8:36:bf:b6:f0:
                    94:58:42:17:d6:a0:32:b7:73:a2:ce:42:fe:44:e7:
                    e6:b8:a8:76:f3:1f:a2:71:d8:4c:46:7b:aa:06:11:
                    97:f1:28:e3:08:b4:30:79:c2:81:b5:ae:60:91:80:
                    66:b5:35:b1:90:03:d0:bf:5d:ef:2d:e0:d1:c3:02:
                    84:30:64:65:66:95:3f:59:9d:48:5f:75:ea:f1:d5:
                    c0:3f:39:da:74:1f:a7:d1:b5:6c:42:6b:40:3c:c0:
                    4d:21:b2:42:24:c9:96:81:3b:f7:9e:f0:f5:84:f7:
                    f2:28:d0:33:b7:41:b7:6b:0a:cd:14:94:06:5b:c0:
                    98:ea:05:3c:4f:d3:47:19:7d:d1:f5:d9:45:1f:60:
                    03:26:f1:28:4d:50:1d:62:e2:0a:1c:d7:52:01:70:
                    fb:25:93:ae:47:f7:7d:2a:4e:53:39:31:07:19:39:
                    d4:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:t490s.sgallagh.rht, DNS:localhost
            X509v3 Authority Key Identifier: 
                keyid:F4:78:EC:2D:55:04:47:1F:B7:2C:31:E9:22:EF:81:17:BC:ED:15:A7

    Signature Algorithm: sha256WithRSAEncryption
         af:b4:72:ae:14:9d:9d:56:92:43:25:7d:53:45:f8:24:50:90:
         ed:5f:73:dd:ed:70:e7:ac:3d:85:20:f1:52:23:4c:2b:30:cc:
         67:10:64:77:09:0f:d6:7c:6d:65:f0:eb:97:a2:8f:fb:48:11:
         a9:e3:b7:53:29:d0:13:38:e7:e7:3b:fd:76:ec:3a:14:2b:fe:
         1c:34:10:3a:5a:20:52:2c:89:d2:32:22:df:6a:9b:c5:6c:4e:
         b6:a1:b3:66:ec:dd:b2:16:bd:e6:8b:23:63:ed:be:22:1c:7b:
         89:64:18:68:53:22:6f:dc:9e:db:16:3f:2e:96:2a:59:ac:ec:
         04:9c:de:7e:a1:54:16:d0:be:3b:78:60:a4:51:6e:b8:31:46:
         2e:5e:60:66:a1:b9:a5:77:c2:57:9d:36:d0:b0:69:90:63:16:
         f9:de:bf:15:a0:fd:63:2b:27:a1:12:1b:d3:25:7a:66:7c:6e:
         c2:80:76:d3:2f:d4:dd:5d:0a:8e:bf:9c:74:2e:72:e0:2f:f2:
         94:20:b8:49:be:00:db:b5:dd:8d:b7:47:f6:9e:fa:b4:2f:a5:
         e1:3c:99:39:13:33:27:50:0b:7c:7f:66:14:f1:7f:2a:7c:e3:
         04:bb:58:11:42:96:3b:58:9b:79:1b:30:da:1f:75:d0:92:97:
         94:3b:10:df:6b:ce:3d:53:e1:14:0b:d2:ef:dc:17:f4:99:7a:
         c0:0c:a2:85:ba:a6:b0:79:16:e2:af:b2:45:4f:11:4f:ec:47:
         e8:e2:97:fd:8b:f7:c7:15:25:cc:69:9f:34:77:6b:29:42:f0:
         aa:72:45:81:13:67:64:45:d2:b9:51:84:1a:71:8b:a7:7d:90:
         91:a9:18:ac:7d:cc:ac:10:63:06:7a:fc:5f:bc:a5:a1:58:a7:
         8f:8e:07:89:91:70:a9:f9:e2:f3:09:23:5d:9c:e5:c2:45:da:
         c7:dd:fa:d5:9f:e1:a5:6d:82:09:af:12:2b:c7:1f:23:e5:e3:
         ff:b6:16:08:bd:6a:62:5f:79:cd:a0:e5:4b:ca:97:a5:44:0f:
         89:b6:46:d4:21:54:93:e9:5b:10:63:c7:f1:19:9d:76:a1:38:
         f5:53:aa:85:b6:8a:70:43:58:e4:9f:e1:27:d1:33:db:1a:d0:
         28:7f:c7:74:b0:68:c0:ad:e1:34:43:a6:12:93:cb:74:b9:f2:
         9f:45:df:73:68:8e:b7:74:ca:d7:2b:04:43:f8:d7:3f:94:fa:
         c8:45:bd:f2:04:8b:a0:eb:d9:f7:10:2d:c7:61:71:4b:93:f1:
         1f:d2:77:6c:2b:62:05:2c:27:6c:54:a6:60:c8:56:ac:14:b2:
         29:58:dd:b0:52:6f:f2:28
```


It definitely has
```
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
```

Comment 2 Martin Pitt 2020-07-24 13:32:44 UTC
D'oh, I re-checked that on Fedora 32 and RHEL 8.3, and it indeed is there. Sorry for the noise, I must have been blind yesterday!
