View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001540 | Main CAcert Website | certificate issuing | public | 2022-05-31 19:30 | 2022-07-10 12:02 |
| Reporter | alkas | Assigned To | |||
| Priority | high | Severity | major | Reproducibility | always |
| Status | needs review & testing | Resolution | open | ||
| Platform | Default | OS | any | OS Version | any |
| Summary | 0001540: Class 3 Root doesn't contain attributes X509v3 Subject Key Identifier & X509v3 Authority Key Identifier & X509v3 Key Usage | ||||
| Description | Intermediate certificate: Key usage required, but our class 3 cert seems to not have the key usage extension ("X509v3 Key Usage"). End-user certs do have it. The wrong Issuer URL leads to failing checks of the trust chain. See the attached picture comparing the new (SN=14E288, left side) and the old (SN=0A418A, right side) Class 3 Roots. You can see that both the attributes mentioned are missing. | ||||
| Tags | certificates, Class 3, Class 3 Root, class3 | ||||
| Reviewed by | |||||
| Test Instructions | Perform a dump of the Class 3 Root certificate | ||||
|
|
|
|
|
The difference between Class 3 Root SN=00000E and Class 3 Root SN=14E228. See the picture. Another diffs = dates only. |
|
|
Google Workspace, Hosted S/MIME service. There are two instructions how to make a certificate chain. https://support.google.com/a/answer/7300887?hl=en https://support.google.com/a/answer/6374496#zippy=%2Cconstruct-the-certificate-file-for-upload |
|
|
A problem with the X509v3 Authority Key Identifier creating a new CA certificate, please see: https://v13.gr/2013/04/11/x509v3-authority-key-identifier-authoritykeyidentifier/ |
|
|
I wrote documentation and an openssl configuration file for re-signing the class3 CA certificate. We will not be able to fullfil all of Google's requirements with our current CA hierarchy. The re-signing documentation and configuration file is available at https://code.cacert.org/cacert/signing-documentation. A demo class3 CA certificate signed by a local Test VM produces the text representation attached here. class3_demo.crt.txt (7,810 bytes)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 22 (0x16)
Signature Algorithm: sha512WithRSAEncryption
Issuer: emailAddress = support@cacert.org, CN = CA Cert Signing Authority (demo), OU = http://www.cacert.org, O = Root CA
Validity
Not Before: Jul 10 00:00:00 2022 GMT
Not After : Jul 10 00:00:00 2027 GMT
Subject: CN = CAcert Class 3 Root (demo), OU = http://www.CAcert.org, O = CAcert Inc.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:a7:4a:86:83:06:73:ac:8d:31:92:51:4e:6b:0e:
fd:8e:81:79:cb:5e:d3:fa:82:2a:98:8c:ed:d8:d6:
40:37:38:3c:88:b3:60:4a:42:70:1e:91:36:a9:80:
0c:7b:2d:f6:79:62:23:36:d3:3c:91:ab:f1:44:56:
ae:f4:81:47:c9:0a:c5:80:44:53:43:29:fd:26:5e:
26:81:69:e4:09:b0:25:f9:43:0d:1b:29:37:2c:ae:
34:90:14:07:cc:b4:04:38:0a:40:82:c6:a7:18:be:
77:ed:ac:2f:e4:07:44:6d:3e:79:76:94:52:f5:d9:
20:b7:88:16:fe:95:7d:e0:4b:30:c8:41:e3:95:ca:
fc:9c:73:da:c5:9f:64:ff:60:97:c1:e2:94:37:08:
8f:3f:d7:13:e2:f9:9d:f6:be:ea:21:81:b5:05:02:
44:01:7a:cf:df:29:0a:e7:d0:b9:97:eb:c6:33:4f:
b8:79:59:ab:1f:9e:fe:df:77:aa:ba:0c:30:85:d2:
30:40:9f:ba:86:52:7c:64:70:65:c4:9f:e0:cd:55:
38:e0:70:68:e7:90:bf:2a:85:58:0f:07:d1:d4:0c:
11:0f:39:84:02:de:d1:85:82:6b:e2:96:c2:34:b9:
c5:07:2a:46:92:5f:fc:17:e3:a7:45:e1:8e:75:59:
7f:8a:b8:4a:39:33:bc:c2:f9:38:98:c3:84:d1:48:
8d:a5:fa:62:04:79:1f:55:a5:72:a9:22:7f:0f:bf:
93:f1:20:31:20:f0:69:d5:83:a5:db:24:ce:9a:a3:
5c:1c:a8:3f:d9:46:eb:92:c1:f4:3c:3d:61:46:1f:
0c:69:67:87:a6:f5:6c:89:c3:a1:ce:16:b2:41:63:
05:07:fc:16:02:ee:95:3e:e9:1a:d1:a4:7d:26:47:
b5:1d:8a:23:f2:73:32:a7:52:88:dc:53:8f:9f:5e:
4a:70:52:76:10:c7:99:eb:a9:a5:66:cc:3f:73:61:
a8:59:58:6e:ea:6c:4d:46:ef:aa:ec:28:c5:7f:42:
23:2d:9d:98:30:92:26:42:04:24:40:6f:b8:1c:89:
7a:ca:ea:15:2b:f0:2e:29:38:eb:60:f3:00:c5:df:
f4:af:00:dd:db:73:47:4e:9b:8c:b2:1e:db:22:88:
7a:24:bb:c3:82:bc:55:70:b8:2d:0c:0d:e2:39:2b:
80:f0:f3:96:7a:f2:39:79:e5:b8:0b:ca:e2:7f:fb:
65:7b:20:7c:b5:c2:1a:b7:aa:cf:45:8c:fe:4a:88:
1a:6c:85:01:52:d2:98:00:03:12:f4:0f:f3:16:02:
19:9c:b5:e6:62:50:41:94:61:27:6d:77:e5:85:45:
48:d2:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A2:E0:65:DC:1C:77:F0:86:B6:39:DF:64:69:FA:D3:FA:11:C3:1B:9D
X509v3 Authority Key Identifier:
71:D6:9F:F5:70:B8:F4:D8:07:68:66:23:D4:9E:C2:34:D7:B4:6B:DF
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.cacert.org/class3-revoke.crl
Authority Information Access:
CA Issuers - URI:http://www.cacert.org/certs/root_X0F.der
OCSP - URI:http://ocsp.cacert.org
Signature Algorithm: sha512WithRSAEncryption
Signature Value:
93:42:92:62:0c:e3:90:09:46:7a:cc:9d:a7:30:57:27:b4:79:
c8:eb:2b:3d:f5:04:3e:20:4d:6a:96:ef:53:1f:4c:1f:f2:73:
0b:14:98:59:ed:0d:67:ad:31:47:6f:72:73:bd:1f:9f:1c:23:
a1:7c:e9:65:61:cc:82:1b:bd:14:e8:fc:c4:55:03:b6:60:85:
d5:c8:a1:ba:da:0b:57:0c:e9:7d:67:87:e9:2c:6e:05:7d:60:
fa:b2:1e:f1:79:ce:70:fa:87:e0:39:85:25:30:57:24:d4:ad:
71:35:ae:db:f5:76:58:89:10:f4:09:82:ed:33:52:92:9b:3d:
4c:67:60:39:10:8b:7e:58:b9:2e:fb:b2:18:62:d2:74:71:ba:
5d:8d:e7:c4:1c:30:f8:9b:0c:df:dd:78:07:cc:9c:0c:86:a4:
73:4c:34:b3:fd:a7:e0:e5:7e:71:f1:23:6d:35:89:50:83:18:
1d:d2:35:ec:ca:65:b1:9d:77:92:27:77:b2:26:11:0c:e4:29:
8e:37:8c:c9:48:de:3a:da:2d:48:f7:20:f9:11:91:bc:2d:22:
e1:9a:97:c4:f5:98:50:b9:af:a7:36:e1:ea:80:df:b9:04:2d:
fb:cc:9e:37:b8:10:0f:2d:42:ec:81:d2:f4:b0:29:1d:6c:66:
be:f9:1e:f6:72:15:ab:6c:8a:c4:b4:d3:25:49:f7:b4:a6:7f:
bb:f0:fb:a5:e3:6f:d4:23:29:6d:c4:98:b9:25:1a:d0:2c:f1:
09:d5:1a:03:70:55:eb:4c:46:de:22:5b:88:80:2a:f4:b3:35:
c8:f0:31:7d:ec:eb:ef:3f:63:0d:e4:e2:97:b2:df:06:44:20:
e5:1d:24:d1:0c:07:cf:cd:b9:ff:63:a5:a7:43:57:af:f8:c7:
a3:07:4b:32:00:2f:ab:15:c8:79:85:f4:63:0d:73:ac:93:8a:
0d:30:d4:80:00:c6:ed:7a:cc:ea:a7:b8:82:3e:af:98:63:f2:
28:2d:74:b8:5a:d0:e7:10:f0:c6:c4:66:99:83:62:ee:44:21:
c3:1b:29:e8:09:42:37:2e:fd:e3:e3:19:1a:2d:d1:c8:2f:ac:
00:6b:6d:c5:e4:fe:d1:28:78:9d:76:96:43:79:46:63:59:b6:
b8:cd:8a:5d:80:2c:1c:29:61:f7:6c:a9:d8:c3:7e:d5:57:17:
8c:8a:53:31:72:6b:e8:36:e9:16:b6:67:07:93:3c:99:07:5e:
8b:51:12:7d:0c:95:d0:b4:ef:8d:0a:e8:9a:e5:0e:ba:9d:ee:
31:2c:fc:73:74:00:3f:68:fc:78:d0:53:29:00:90:e5:32:30:
77:89:aa:fa:23:f5:03:30
-----BEGIN CERTIFICATE-----
MIIGZTCCBE2gAwIBAgIBFjANBgkqhkiG9w0BAQ0FADCBgDEhMB8GCSqGSIb3DQEJ
ARYSc3VwcG9ydEBjYWNlcnQub3JnMSkwJwYDVQQDEyBDQSBDZXJ0IFNpZ25pbmcg
QXV0aG9yaXR5IChkZW1vKTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3Jn
MRAwDgYDVQQKEwdSb290IENBMB4XDTIyMDcxMDAwMDAwMFoXDTI3MDcxMDAwMDAw
MFowWzEjMCEGA1UEAxMaQ0FjZXJ0IENsYXNzIDMgUm9vdCAoZGVtbykxHjAcBgNV
BAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEUMBIGA1UEChMLQ0FjZXJ0IEluYy4w
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnSoaDBnOsjTGSUU5rDv2O
gXnLXtP6giqYjO3Y1kA3ODyIs2BKQnAekTapgAx7LfZ5YiM20zyRq/FEVq70gUfJ
CsWARFNDKf0mXiaBaeQJsCX5Qw0bKTcsrjSQFAfMtAQ4CkCCxqcYvnftrC/kB0Rt
Pnl2lFL12SC3iBb+lX3gSzDIQeOVyvycc9rFn2T/YJfB4pQ3CI8/1xPi+Z32vuoh
gbUFAkQBes/fKQrn0LmX68YzT7h5Wasfnv7fd6q6DDCF0jBAn7qGUnxkcGXEn+DN
VTjgcGjnkL8qhVgPB9HUDBEPOYQC3tGFgmvilsI0ucUHKkaSX/wX46dF4Y51WX+K
uEo5M7zC+TiYw4TRSI2l+mIEeR9VpXKpIn8Pv5PxIDEg8GnVg6XbJM6ao1wcqD/Z
RuuSwfQ8PWFGHwxpZ4em9WyJw6HOFrJBYwUH/BYC7pU+6RrRpH0mR7UdiiPyczKn
UojcU4+fXkpwUnYQx5nrqaVmzD9zYahZWG7qbE1G76rsKMV/QiMtnZgwkiZCBCRA
b7gciXrK6hUr8C4pOOtg8wDF3/SvAN3bc0dOm4yyHtsiiHoku8OCvFVwuC0MDeI5
K4Dw85Z68jl55bgLyuJ/+2V7IHy1whq3qs9FjP5KiBpshQFS0pgAAxL0D/MWAhmc
teZiUEGUYSdtd+WFRUjS8QIDAQABo4IBDDCCAQgwHQYDVR0OBBYEFKLgZdwcd/CG
tjnfZGn60/oRwxudMB8GA1UdIwQYMBaAFHHWn/VwuPTYB2hmI9SewjTXtGvfMBIG
A1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMDgGA1UdHwQxMC8wLaAr
oCmGJ2h0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9jbGFzczMtcmV2b2tlLmNybDBoBggr
BgEFBQcBAQRcMFowNAYIKwYBBQUHMAKGKGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZy9j
ZXJ0cy9yb290X1gwRi5kZXIwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
dC5vcmcwDQYJKoZIhvcNAQENBQADggIBAJNCkmIM45AJRnrMnacwVye0ecjrKz31
BD4gTWqW71MfTB/ycwsUmFntDWetMUdvcnO9H58cI6F86WVhzIIbvRTo/MRVA7Zg
hdXIobraC1cM6X1nh+ksbgV9YPqyHvF5znD6h+A5hSUwVyTUrXE1rtv1dliJEPQJ
gu0zUpKbPUxnYDkQi35YuS77shhi0nRxul2N58QcMPibDN/deAfMnAyGpHNMNLP9
p+DlfnHxI201iVCDGB3SNezKZbGdd5Ind7ImEQzkKY43jMlI3jraLUj3IPkRkbwt
IuGal8T1mFC5r6c24eqA37kELfvMnje4EA8tQuyB0vSwKR1sZr75HvZyFatsisS0
0yVJ97Smf7vw+6Xjb9QjKW3EmLklGtAs8QnVGgNwVetMRt4iW4iAKvSzNcjwMX3s
6+8/Yw3k4pey3wZEIOUdJNEMB8/Nuf9jpadDV6/4x6MHSzIAL6sVyHmF9GMNc6yT
ig0w1IAAxu16zOqnuII+r5hj8igtdLha0OcQ8MbEZpmDYu5EIcMbKegJQjcu/ePj
GRot0cgvrABrbcXk/tEoeJ12lkN5RmNZtrjNil2ALBwpYfdsqdjDftVXF4yKUzFy
a+g26Ra2ZweTPJkHXotREn0MldC0740K6JrlDrqd7jEs/HN0AD9o/HjQUykAkOUy
MHeJqvoj9QMw
-----END CERTIFICATE-----
|
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-05-31 19:30 | alkas | New Issue | |
| 2022-05-31 19:30 | alkas | Assigned To | => jandd |
| 2022-05-31 19:30 | alkas | Tag Attached: certificates | |
| 2022-05-31 19:30 | alkas | Tag Attached: Class 3 | |
| 2022-05-31 19:30 | alkas | Tag Attached: Class 3 Root | |
| 2022-05-31 19:30 | alkas | Tag Attached: class3 | |
| 2022-05-31 19:30 | alkas | File Added: Class_3_compare.gif | |
| 2022-05-31 20:54 | alkas | Note Added: 0006113 | |
| 2022-05-31 20:54 | alkas | File Added: Class_3_compare_0Ex14E228.gif | |
| 2022-06-01 07:33 | alkas | Note Added: 0006114 | |
| 2022-06-02 14:21 | alkas | Note Added: 0006115 | |
| 2022-07-10 12:01 | jandd | Note Added: 0006128 | |
| 2022-07-10 12:01 | jandd | File Added: class3_demo.crt.txt | |
| 2022-07-10 12:02 | jandd | Assigned To | jandd => |
| 2022-07-10 12:02 | jandd | Status | new => needs review & testing |
