Open evantill opened 7 years ago
Did I miss something to configure to change the behavior of cfssl? Or is this a bug?
What do you think about adding a critical_usages field in the profiles to list all keys that we request to be flagged as critical extensions?
```json
"timestamping": {
    "usages": [
        "timestamping",
        "digital signature",
        "content committment"
    ],
    "critical_usages": [
        "timestamping"
    ],
    "expiry": "87600h"
},
```
Or something closer to the openssl configuration, prefixing the usage key with the critical keyword and a comma:
```json
"timestamping": {
    "usages": [
        "critical,timestamping",
        "digital signature",
        "content committment"
    ],
    "expiry": "87600h"
},
```
Here are my tests to find a solution: gist
The problem is that the Go crypto does not seem to make it possible by design.
In the first case we need to copy some code of x509 for our need.
In the second case, the trick is to create the certificate to compute the extension for us.
Not sure how to proceed now...
According to RFC3161 sec 2.3, when signing a certificate for a time stamping usage, the extended key usage Time Stamping must be critical. But actually, this is not the case, and trying to use openssl causes an error: invalid signer certificate purpose.
We are using the latest docker image cfssl/cfssl.
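The behaviour discussed in this issue, as an added example that is not code from the issue, the gist or cfssl: Go's `crypto/x509` emits the extended key usage extension as non-critical, and a hand-built `ExtraExtensions` entry with the same OID overrides it so the critical flag can be set. The function name `issueTSACert`, the self-signed Ed25519 test certificate and its subject are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37} // id-ce-extKeyUsage

// issueTSACert (hypothetical) self-signs a constructed test cert and reports its EKU criticality.
func issueTSACert(forceCritical bool) (critical bool, eku []x509.ExtKeyUsage, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed example TSA"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	}
	if forceCritical { // an ExtraExtensions entry replaces the EKU extension Go would build
		val := []byte{0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08} // DER: SEQUENCE { OID 1.3.6.1.5.5.7.3.8, id-kp-timeStamping }
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidExtKeyUsage, Critical: true, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return false, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, nil, err
	}
	for _, ext := range cert.Extensions {
		critical = critical || (ext.Id.Equal(oidExtKeyUsage) && ext.Critical)
	}
	return critical, cert.ExtKeyUsage, nil
}

func main() {
	fmt.Println(issueTSACert(false))
	fmt.Println(issueTSACert(true))
}
```

In both cases the parsed certificate still reports the Time Stamping usage; only the critical flag on the extension differs.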