Closed Bug 991902 Opened 6 years ago Closed 6 years ago

Previously working self signed cert gives SEC_ERROR_INADEQUATE_KEY_USAGE

Categories

(Core :: Security: PSM, defect)

31 Branch
x86_64
macOS
defect
Not set

RESOLVED INVALID

People

(Reporter: camden.narzt, Unassigned)

Attachments

(2 files)

4.13 KB, application/x-x509-ca-cert
3.94 KB, application/x-x509-ca-cert
Attached file cacert.pem
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140306171728

Steps to reproduce:

Loaded up previously working development webpage which is served with https, using a key/cert generated by a self signed CA which is in the trusted CA cert list.


Actual results:

Get SEC_ERROR_INADEQUATE_KEY_USAGE error.


Expected results:

No error.
Attached file newcert.pem
This is the cert for the page itself.
Hardware: x86 → x86_64
Component: Untriaged → Security: PSM
Product: Firefox → Core
We are now more strict on our validations. Your CA cert has an EKU but is NOT asserting keyCertSign (it is asserting Digital Signature, Non Repudiation, Key Encipherment). Therefore when following http://tools.ietf.org/html/rfc5280#section-4.2.1.3 you will notice that:

"
If the keyUsage extension is present, then the subject public key
   MUST NOT be used to verify signatures on certificates or CRLs unless
   the corresponding keyCertSign or cRLSign bit is set.
"

dkeeler, I think this should be closed as invalid.
Flags: needinfo?(dkeeler)
Just to be clear, I think you typed "EKU" when you meant "KU", but yes, I agree.
(Cam - thanks for filing this bug. "INVALID" is a harsh way of saying "not a bug".)
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → INVALID
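
The RFC 5280 section 4.2.1.3 rule discussed in this bug, as an added example that is not part of the original thread and is not Firefox's code: it decodes the DER BIT STRING carried in a keyUsage extension value and checks whether the key may verify certificate signatures. The function names are hypothetical and the sample bytes are constructed to match the usages named in the comment above, not extracted from the attached certificates.

```python
# Added example: decode a DER-encoded KeyUsage BIT STRING (RFC 5280, 4.2.1.3)
# and apply the issuer rule quoted in this bug. Names here are hypothetical.
from typing import Optional

# Named bits in the order RFC 5280 defines them (bit 0 first).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Return the set of usage names asserted in a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or not payload:
        raise ValueError("malformed BIT STRING")
    total_bits = len(payload) * 8 - unused
    asserted = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        # DER numbers bits from the most significant bit of the first octet.
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            asserted.add(name)
    return asserted

def may_sign_certificates(key_usage_der: Optional[bytes]) -> bool:
    """True if the key may be used to verify signatures on certificates.

    An absent keyUsage extension (None) imposes no restriction; a present
    one must assert keyCertSign.
    """
    if key_usage_der is None:
        return True
    return "keyCertSign" in decode_key_usage(key_usage_der)

# Constructed sample values (not taken from the bug's attachments).
# Bits 0, 1, 2 set: the usages the comment lists for the rejected CA cert.
REJECTED_CA_KU = bytes.fromhex("030205e0")
# Bits 5, 6 set: keyCertSign and cRLSign.
SIGNING_CA_KU = bytes.fromhex("03020106")

if __name__ == "__main__":
    for label, ku in [("rejected", REJECTED_CA_KU), ("signing", SIGNING_CA_KU)]:
        print(label, sorted(decode_key_usage(ku)), may_sign_certificates(ku))
```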