Bug 720174 - [PATCH] gnupg2 fails to verify some OCSP responses
Summary: [PATCH] gnupg2 fails to verify some OCSP responses
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 15
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-07-10 15:55 UTC by Tomáš Trnka
Modified: 2012-05-02 14:25 UTC (History)
5 users (show)

Fixed In Version: gnupg2-2.0.19-1.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-02 14:25:41 UTC
Type: ---


Attachments (Terms of Use)
proposed fix (679 bytes, patch)
2011-07-10 15:57 UTC, Tomáš Trnka
no flags Details | Diff

Description Tomáš Trnka 2011-07-10 15:55:34 UTC
Description of problem:
GnuPG 2 fails to verify OCSP responses signed using a certificate without the keyUsage extension (but with extendedKeyUsage set properly to OCSP signing as required by RFC 2560). Such a certificate is used e.g. by CAcert.org. The keyUsage check as currently implemented doesn't make much sense, attached is a simple patch fixing that (applies cleanly to both gnupg2-2.0.17-1.fc15 and gnupg2-2.0.16-3.fc14).

This has been reported upstream as https://bugs.g10code.com/gnupg/issue1333 (no response yet).

Comment 1 Tomáš Trnka 2011-07-10 15:57:49 UTC
Created attachment 512093 [details]
proposed fix


Note You need to log in before you can comment on or make changes to this bug.