No key usage attribute in cacert org certs anymore?
This commit is contained in:
Wytze van der Raay 2012-07-27 16:00:29 +00:00
parent 1d69ee1289
commit 69d5019f12
2 changed files with 56 additions and 41 deletions


@ -502,9 +502,28 @@ sub SignX509($$$$$$$$)
{ {
open OUT,">$wid/extfile"; open OUT,">$wid/extfile";
print OUT "basicConstraints = critical, CA:FALSE\n"; print OUT "basicConstraints = critical, CA:FALSE\n";
print OUT "keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement\n";
print OUT "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n"; print OUT "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n";
print OUT "keyUsage = digitalSignature, keyEncipherment\n";
print OUT "authorityInfoAccess = OCSP;URI:$OCSPUrl\n"; print OUT "authorityInfoAccess = OCSP;URI:$OCSPUrl\n";
my $CRLUrl="";
if($root==0)
{
$CRLUrl="http://crl.cacert.org/revoke.crl";
}
elsif($root==1)
{
$CRLUrl="http://crl.cacert.org/class3-revoke.crl";
}
elsif($root==2)
{
$CRLUrl="http://crl.cacert.org/class3s-revoke.crl";
}
else
{
$CRLUrl="http://crl.cacert.org/root${root}.crl";
}
print OUT "crlDistributionPoints = URI:${CRLUrl}\n";
print OUT "subjectAltName = $san\n" if(length($san)); print OUT "subjectAltName = $san\n" if(length($san));
close OUT; close OUT;
$extfile=" -extfile $wid/extfile "; $extfile=" -extfile $wid/extfile ";
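Review bot: the new keyUsage line asserts keyAgreement for every certificate that passes through SignX509, regardless of the subject key algorithm; since the extension is now marked critical, a relying party that does not understand it must reject the certificate, so the bits should match what the key can actually do (keyAgreement is meant for key-agreement keys, not plain RSA signing/encryption keys). Consider emitting keyAgreement only for key types that support it, or documenting why it is set unconditionally. Two smaller points in the same hunk: the CRL URL mapping is hard-coded (unlike $OCSPUrl, which is a variable) and the fallback `$CRLUrl="http://crl.cacert.org/root${root}.crl";` follows a different naming pattern from the three named cases, so a comment listing which $root values are valid and confirming that the fallback file exists would help; and the old non-critical `keyUsage = digitalSignature, keyEncipherment` line is removed, which is the intended replacement but worth stating in the commit message rather than the question mark in the subject.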


@ -69,7 +69,7 @@ a:hover {
<a href="PolicyOnPolicy.html"><img src="cacert-draft.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a><br /> <a href="PolicyOnPolicy.html"><img src="cacert-draft.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a><br />
Creation date: 20060726<br /> Creation date: 20060726<br />
Status: DRAFT p20091108<br /> Status: DRAFT p20091108<br />
<!-- $Id: CertificationPracticeStatement.php,v 1.2 2011/07/27 10:41:01 wytze Exp $ --> <!-- $Id: CertificationPracticeStatement.php,v 1.3 2012/07/27 16:00:29 wytze Exp $ -->
<font size="-1"> <font size="-1">
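Review bot: only the CVS $Id keyword changes in this hunk, while the `Status: DRAFT p20091108` line two lines above stays at its 2009 date even though section 7.1.2 is rewritten in this commit; check whether the draft status date should be updated alongside the content change.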
@ -3203,54 +3203,50 @@ The form of the PGP signatures depends on several factors, therefore no stipulat
<h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4> <h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
<p> <p>
Client certificates include the following extensions:. Client certificates include the following extensions:
</p> </p>
<ul><li> <ul>
basicConstraints=CA:FALSE (critical) <li>basicConstraints=CA:FALSE (critical)</li>
</li><li> <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
keyUsage=digitalSignature,keyEncipherment,cRLSign <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
</li><li> <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
</li><li> <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC with the URI where the certificate revocation list relating to the
</li><li> certificate is found</li>
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
</li><li> </ul>
subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
</li></ul>
<ul class="q"> <ul class="q">
<li> what about Client Certificates Adobe Signing extensions ?</li> <li> what about Client Certificates Adobe Signing extensions ?</li>
<li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li> <li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
</ul> </ul>
<p>
Server certificates include the following extensions:
</p>
<ul>
<li>basicConstraints=CA:FALSE (critical)</li>
<li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
<li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
<li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
<li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
with the URI where the certificate revocation list relating to the
certificate is found</li>
<li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
</ul>
<p> <p>
Server certificates include the following extensions: Code-Signing certificates include the following extensions:
</p> </p>
<ul><li> <ul>
basicConstraints=CA:FALSE (critical) <li>basicConstraints=CA:FALSE (critical)</li>
</li><li> <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
keyUsage=digitalSignature,keyEncipherment <li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
</li><li> <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
</li><li> with the URI where the certificate revocation list relating to the
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org certificate is found</li>
</li><li> <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>). </ul>
</li></ul>
<p>
Code-Signing certificates include the following extensions:
</p>
<ul><li>
basicConstraints=CA:FALSE (critical)
</li><li>
keyUsage=digitalSignature,keyEncipherment
</li><li>
extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
</li><li>
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
</li></ul>
<ul class="q"> <ul class="q">
<li> what about subjectAltName for Code-signing</li> <li> what about subjectAltName for Code-signing</li>
</ul> </ul>
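Review bot: the Code-Signing list now gains a `subjectAltName=(as per §3.1.1.)` item, yet the open question `what about subjectAltName for Code-signing` is left in place directly below it; either the question is answered by the new bullet and should be removed, or the bullet is premature. The new lists also state `keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)` for all three certificate types, which matches the extfile line in the SignX509 hunk but raises the same question about keyAgreement on RSA keys. Separately, the extendedKeyUsage sets documented here for client certificates (emailProtection,clientAuth,msEFS,msSGC,nsSGC) and code-signing certificates differ from the single `extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC` line visible in the code hunk, so it is worth confirming that the code paths for those certificate types actually produce the EKU values the CPS now promises. On the positive side, dropping cRLSign from the client certificate keyUsage corrects a value that does not belong in an end-entity profile.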