TE
TechEcho
Home24h TopNewestBestAskShowJobs
GitHubTwitter
Home

TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

GitHubTwitter

Home

HomeNewestBestAskShowJobs

Resources

HackerNews APIOriginal HackerNewsNext.js

© 2025 TechEcho. All rights reserved.

Go's crypto/x509 package ignores KeyUsage status flags

3 pointsby mos_6502over 2 years ago

1 comment

mos_6502over 2 years ago
<i>KeyUsage status flags are ignored.<p>From Engineering Security, Peter Gutmann:<p>A European government CA marked its signing certificates as being valid for encryption only, but no-one noticed.<p>Another European CA marked its signature keys as not being valid for signatures.<p>A different CA marked its own trusted root certificate as being invalid for certificate signing.<p>Another national CA distributed a certificate to be used to encrypt data for the country’s tax authority that was marked as only being usable for digital signatures but not for encryption.<p>Yet another CA reversed the order of the bit flags in the keyUsage due to confusion over encoding endianness, essentially setting a random keyUsage in certificates that it issued.<p>Another CA created a self-invalidating certificate by adding a certificate policy statement stipulating that the certificate had to be used strictly as specified in the keyUsage, and a keyUsage containing a flag indicating that the RSA encryption key could only be used for Diffie-Hellman key agreement.</i>