An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
The check for digitalSignature in cmp_verify might ignore that the CMP server certificate might not need to include the key usage extension - if the CMP server certificate is not a CA or CRL-issuing certificate.
cmp_vfy.c:

```c
/* verify that keyUsage, if present, contains digitalSignature */
if (!cmp_ctx->ignore_keyusage &&
    !(X509_get_key_usage((X509 *)cert) & X509v3_KU_DIGITAL_SIGNATURE)) {
    CMPerr(CMP_F_CMP_VERIFY_SIGNATURE, CMP_R_WRONG_KEY_USAGE);
    goto cert_err;
}
```
RFC 5280 section 4.2.1.3 does not mandate that the extension is always present:

> Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When present, conforming CAs SHOULD mark this extension as critical.
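Whether the concern applies hinges on what `X509_get_key_usage()` returns for a certificate that carries no keyUsage extension: in OpenSSL 1.1.0 and later it returns `UINT32_MAX` in that case, so the mask test in cmp_vfy.c passes and only a certificate that has the extension but lacks digitalSignature is rejected. The following is an added example, not code from the CMPforOpenSSL project: it models that return-value convention on a constructed stand-in for an `X509` (no libcrypto needed), lifts the condition from the issue into a function, and places a hypothetical stricter variant beside it that also refuses certificates without any keyUsage extension, so the two policies can be compared on the three relevant inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Key usage bit values as defined in OpenSSL's x509v3.h. */
#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
#define X509v3_KU_KEY_ENCIPHERMENT  0x0020

/* Constructed stand-in for an X509: records only whether the keyUsage
 * extension is present and, if so, which bits it carries. */
struct fake_cert {
    int has_keyusage_ext;
    uint32_t keyusage_bits;
};

/* Models X509_get_key_usage() of OpenSSL >= 1.1.0: the bit mask when the
 * extension is present, UINT32_MAX ("all usages allowed") when it is absent. */
static uint32_t model_get_key_usage(const struct fake_cert *cert)
{
    return cert->has_keyusage_ext ? cert->keyusage_bits : UINT32_MAX;
}

/* The cmp_vfy.c condition from the issue, lifted into a function.
 * Returns 1 if the certificate passes, 0 where CMP_R_WRONG_KEY_USAGE
 * would be raised. */
int cmp_keyusage_accepts(const struct fake_cert *cert, int ignore_keyusage)
{
    if (!ignore_keyusage &&
        !(model_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE))
        return 0;
    return 1;
}

/* Hypothetical stricter policy (not in cmp_vfy.c): a certificate with no
 * keyUsage extension at all is rejected as well. */
int strict_keyusage_accepts(const struct fake_cert *cert, int ignore_keyusage)
{
    if (ignore_keyusage)
        return 1;
    if (!cert->has_keyusage_ext)
        return 0;
    return (cert->keyusage_bits & X509v3_KU_DIGITAL_SIGNATURE) != 0;
}

int main(void)
{
    /* Constructed inputs covering the three cases the issue is about. */
    const struct fake_cert cases[] = {
        {1, X509v3_KU_DIGITAL_SIGNATURE}, /* extension present, has digitalSignature */
        {1, X509v3_KU_KEY_ENCIPHERMENT},  /* extension present, lacks digitalSignature */
        {0, 0},                           /* extension absent */
    };
    const char *labels[] = {"present+digitalSignature", "present-no-digitalSignature", "absent"};

    for (int i = 0; i < 3; i++)
        printf("%-28s cmp_vfy.c check: %s   strict policy: %s\n", labels[i],
               cmp_keyusage_accepts(&cases[i], 0) ? "accept" : "reject",
               strict_keyusage_accepts(&cases[i], 0) ? "accept" : "reject");
    return 0;
}
```

The comment "if present" in cmp_vfy.c therefore already matches the RFC 5280 wording under the modelled return-value convention; the stricter variant is what the check would have to become if a deployment wanted the extension to be mandatory on the CMP server certificate.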