Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate with only 'Digital Signature' Key Usage not accepted #538

Open
bashtheshell opened this issue Oct 5, 2023 · 2 comments
Open

Certificate with only 'Digital Signature' Key Usage not accepted #538

bashtheshell opened this issue Oct 5, 2023 · 2 comments

Comments

@bashtheshell
Copy link

This issue is related to #436 where I initially commented. I was asked to create a new issue instead.

I tried using the certificates from Let's Encrypt so that I can ship encrypted HEPs to Homer, but with hepgen.js (which is an incredible test tool by the way!), I keep getting the following error: Error: key usage does not include certificate signing. openssl s_client reported 32 (key usage does not include certificate signing). I've tried different permutations of cert.pem, chain.pem, and fullchain.pem. None of them worked as I have expected the latter to be the most appropriate choice.

I was going crazy for a moment as I read that some certs won't be supported in some server configurations until I was able to confirm the feasibility with the help of ChatGPT. I created a proof-of-concept using minimal Golang code to run a non-HTTP server, which make use of Let's Encrypt certs, that receives plaintext (the message would be encrypted while in motion, of course) from a client using TLS.

I simply do not understand why we must use a private CA or why we must succumb to disabling TLS verification on the client's side. Is it a typical configuration to use a private CA for heplify-server?

If I've overlooked a solution that's been under my nose, then please point me in the right direction (thanks in advance). I've been on this issue for weeks now, but I'm out of time trying to put together a quick solution, and I've to move on to my next tasks.
@lmangani lmangani mentioned this issue Jan 10, 2025
Closed
@womblep
Copy link

womblep commented Jan 12, 2025

@lmangani @negbie
It would be useful for some cases to have the TLS configuration able to detect if the cert configured using TLSCertFolder has the keyCertSign bit set in the key usage extension.
If it does then the current process can be followed, if it doesn't then the certificate loaded is used as the certificate for TLS and no new one is generated.
This functionality would be contained probably in https://github.com/negbie/cert which does the TLS load and generate. I am not sure if that code is a part of Homer or separate.

@womblep
Copy link

womblep commented Jan 12, 2025

I dont know golang at all so I cant provide a PR but I think this logic would work.
If the function CertificateAuthorityFromFile in cert.go did the check for the key usage and if it was not a CA cert, then:

  1. store the cert in the CertificateAuthority against the defaultServerName()
  2. store the cert in the CertiifcateAuthority against whatever is in the common name of the certificate

That way the code in GetCertificate would detect a previously stored cert and return it rather than generating a new one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bashtheshell @womblep