evantill
October 13, 2017, 1:06pm
1
Hi,
I need to create a timestamping server authority. To do so, I need a certificate with the “timestamping” extension. I am trying to use cfssl to do that.
That was not the case in the certificate created with cfssl. I opened an issue cfssl#815
But searching in the code for creating a PR, I have a doubt :
Is it possible to define an extended key usage as critical ?
i have searched over the past few days but could not find how…
Note: According to RFC3161 sec 2.3 when signing a certificate for a time stamping usage, the extended key usage Time Stamping must be critical.
id-kp-timeStamping. This extension MUST be critical.
evantill
October 13, 2017, 1:19pm
2
if I understood the code in x509/buildExtensions(), Critical flag can not be set on extended key usage
}
bitString := a[:l]
ret[n].Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
if err != nil {
return
}
n++
}
if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
!oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
ret[n].Id = oidExtensionExtendedKeyUsage
var oids []asn1.ObjectIdentifier
for _, u := range template.ExtKeyUsage {
if oid, ok := oidFromExtKeyUsage(u); ok {
oids = append(oids, oid)
} else {
panic("internal error")
}
evantill
October 13, 2017, 1:49pm
3
There is the 13739 issue but it does not seems related.
evantill
October 14, 2017, 1:22pm
4
I found a solution on how to proceed but seems ugly…
main_critical_extendedkeyusage_timestamping.go
/*
from https://golang.org/src/crypto/tls/generate_cert.go
*/
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build ignore
show original
output
GOROOT=/usr/local/Cellar/go/1.9.1/libexec #gosetup
GOPATH=/Users/xxx/go #gosetup
/usr/local/Cellar/go/1.9.1/libexec/bin/go build -i -o /private/var/folders/s_/kn50fvmn61v53vr7dl60555w0000gn/T/___Helloworld_go /xxx/Helloworld.go #gosetup
/private/var/folders/s_/kn50fvmn61v53vr7dl60555w0000gn/T/___Helloworld_go #gosetup
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 156945250069439809349760344902584329812 (0x76128e40a37f54aa4516d336eb456654)
Signature Algorithm: ECDSA-SHA256
Issuer: O=Acme Coshow original
Is there a better way ?
system
January 12, 2018, 1:23pm
5
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.