Bug 720174 - [PATCH] gnupg2 fails to verify some OCSP responses
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 15
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-07-10 15:55 UTC by Tomáš Trnka
Modified: 2012-05-02 14:25 UTC

Fixed In Version: gnupg2-2.0.19-1.fc18
Doc Type: Bug Fix
Last Closed: 2012-05-02 14:25:41 UTC
Type: ---

Attachments
proposed fix (679 bytes, patch)
2011-07-10 15:57 UTC, Tomáš Trnka

Description Tomáš Trnka 2011-07-10 15:55:34 UTC
Description of problem:
GnuPG 2 fails to verify OCSP responses signed using a certificate without the keyUsage extension (but with extendedKeyUsage set properly to OCSP signing as required by RFC 2560). Such a certificate is used e.g. by CAcert.org. The keyUsage check as currently implemented doesn't make much sense; attached is a simple patch fixing that (applies cleanly to both gnupg2-2.0.17-1.fc15 and gnupg2-2.0.16-3.fc14).

This has been reported upstream as https://bugs.g10code.com/gnupg/issue1333 (no response yet).
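
An added illustration of the check this report is about; it is not GnuPG's code and not the attached patch. It treats a missing keyUsage extension as placing no restriction on a delegated responder certificate that carries the OCSP-signing extendedKeyUsage. The `responder_cert` struct, the function names, and the choice to require `digitalSignature` when keyUsage is present are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

#define KU_DIGITAL_SIGNATURE 0x80u  /* keyUsage bit 0 = MSB of first content octet */

/* Hypothetical pre-parsed view of the certificate that signed an OCSP response. */
struct responder_cert {
    const unsigned char *key_usage; /* DER BIT STRING, NULL if extension absent */
    size_t key_usage_len;
    int eku_ocsp_signing;           /* extendedKeyUsage lists id-kp-OCSPSigning */
};

enum verdict { SIGNER_OK, SIGNER_NO_EKU, SIGNER_BAD_KEY_USAGE };

/* First content octet of a short-form DER BIT STRING, or -1 if malformed. */
static int key_usage_bits(const unsigned char *der, size_t len)
{
    if (len < 4 || der[0] != 0x03 || der[1] >= 0x80
        || (size_t)der[1] != len - 2 || der[2] > 7)
        return -1;
    return der[3];
}

enum verdict check_delegated_ocsp_signer(const struct responder_cert *c)
{
    int bits;
    if (!c->eku_ocsp_signing)
        return SIGNER_NO_EKU;        /* delegation marker from RFC 2560 missing */
    if (c->key_usage == NULL)
        return SIGNER_OK;            /* no keyUsage: key is not restricted */
    bits = key_usage_bits(c->key_usage, c->key_usage_len);
    if (bits < 0 || !(bits & KU_DIGITAL_SIGNATURE))
        return SIGNER_BAD_KEY_USAGE; /* present but does not allow signing */
    return SIGNER_OK;
}

/* Constructed samples, not taken from real certificates. */
static const unsigned char ku_sign[] = { 0x03, 0x02, 0x07, 0x80 };     /* digitalSignature */
static const unsigned char ku_encipher[] = { 0x03, 0x02, 0x05, 0x20 }; /* keyEncipherment */
const struct responder_cert eku_only = { NULL, 0, 1 };  /* the case in this report */
const struct responder_cert eku_and_sign = { ku_sign, sizeof ku_sign, 1 };
const struct responder_cert eku_wrong_ku = { ku_encipher, sizeof ku_encipher, 1 };
const struct responder_cert sign_no_eku = { ku_sign, sizeof ku_sign, 0 };

int main(void)
{
    printf("eku_only=%d wrong_ku=%d\n", (int)check_delegated_ocsp_signer(&eku_only),
           (int)check_delegated_ocsp_signer(&eku_wrong_ku));
    return 0;
}
```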

Comment 1 Tomáš Trnka 2011-07-10 15:57:49 UTC
Created attachment 512093
proposed fix