OwnCA/ownca

missing keyCertSign extension on intermediate ca

krmxd opened this issue · 1 comments

krmxd commented

https://www.rfc-editor.org/rfc/rfc5280#section-4.2

  The keyCertSign bit is asserted when the subject public key is
  used for verifying signatures on public key certificates.  If the
  keyCertSign bit is asserted, then the cA bit in the basic
  constraints extension (Section 4.2.1.9) MUST also be asserted.

  The cRLSign bit is asserted when the subject public key is used
  for verifying signatures on certificate revocation lists (e.g.,
  CRLs, delta CRLs, or ARLs).

When creating a full chain the intermediate CA seems to be missing the key usage extensions needed for verifying signatures.

The issue_csr method isn't adding the needed extensions (at least that's my (current) finding).

```python
csr_builder = csr_builder.add_extension(
    x509.KeyUsage(
        key_cert_sign=True, crl_sign=True,
        digital_signature=True, content_commitment=True,
        key_encipherment=False, data_encipherment=False, key_agreement=False,
        encipher_only=False, decipher_only=False,
    ),
    critical=False,
)
```
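
As an added example (not ownca's code), the following builds a root and an intermediate CA with the cryptography library and checks the intermediate for the RFC 5280 requirements quoted above: keyCertSign and cRLSign must be asserted, and a keyCertSign bit requires basicConstraints cA. Leaving `key_usage` unset reproduces the reported intermediate; the names and the CA_KEY_USAGE bit set are assumptions chosen for this example.

```python
# Added example, not ownca code: build an issuing CA and check its key-usage bits.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA_KEY_USAGE = x509.KeyUsage(
    digital_signature=True, content_commitment=False, key_encipherment=False,
    data_encipherment=False, key_agreement=False, key_cert_sign=True,
    crl_sign=True, encipher_only=False, decipher_only=False,
)

def make_ca(common_name, issuer=None, key_usage=None):
    """Return (cert, key); issuer=(cert, key) of the parent, or None for a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer[0].subject if issuer else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if key_usage is not None:  # omitting this reproduces the reported intermediate
        builder = builder.add_extension(key_usage, critical=True)
    return builder.sign(issuer[1] if issuer else key, hashes.SHA256()), key

def ca_extension_problems(cert):
    """RFC 5280 4.2.1.3 / 4.2.1.9 checks for a cert meant to sign certs and CRLs."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return ["keyUsage extension missing: keyCertSign and cRLSign not asserted"]
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    problems = []
    if not ku.key_cert_sign:
        problems.append("keyCertSign not asserted")
    if not ku.crl_sign:
        problems.append("cRLSign not asserted")
    if ku.key_cert_sign and not is_ca:
        problems.append("keyCertSign asserted but basicConstraints cA is not")
    return problems
```

Running `ca_extension_problems` over the intermediate from a generated chain is a quick way to confirm whether the fix landed.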

Thanks @krmxd, for reporting this issue.