Inconsistency in X509v3 Key Usage between gcr-viewer and openssl
I created a client certificate with
openssl req -new -newkey rsa:4096 -nodes -rand /dev/random -keyout client.key -out client.csr -sha512 -subj '/CN=client' -addext basicConstraints=critical,CA:TRUE,pathlen:1
openssl x509 -req -days 1095 -sha512 -in client.csr -signkey client.key -out client.crt -extfile <(printf "basicConstraints=CA:TRUE,pathlen:1\nkeyUsage=ASN1:FORMAT:HEX,BITSTRING:84\nextendedKeyUsage=clientAuth")
The resulting client certificate is displayed differently by openssl x509 -in cert.crt -text -noout and by gcr-viewer.
The difference is that the keyUsage X.509 extension, which is stored as OCTET STRING (1 elem) BIT STRING (8 bit) 10000100, is displayed as Digital Signature, Certificate Sign by openssl, as specified by https://tools.ietf.org/html/rfc5280#section-4.2.1.3. gcr-viewer, however, displays this same certificate as having keyUsage Key encipherment.
This was tested with
$ openssl version
OpenSSL 1.1.1 11 Sep 2018
$ gcr-viewer --version
GCR Certificate and Key Viewer -- 3.28.0
I also tested this with the latest release 3.36.0 and the result was the same.
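The following is an added example, not part of the original report and not code from OpenSSL or gcr. It decodes the keyUsage BIT STRING described above in two ways: with the RFC 5280 bit numbering (bit 0 is the most significant bit of the first content octet) and with a reversed, least-significant-bit-first numbering. The reversed reading is an assumption about how a viewer could arrive at "Key encipherment" for this value, not a confirmed diagnosis of gcr-viewer; the sample bytes and function names are constructed for illustration.

```python
# RFC 5280 section 4.2.1.3 KeyUsage names; list index = ASN.1 bit number.
KEY_USAGE = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Constructed sample: DER for the BIT STRING the report describes
# (tag 0x03, length 2, 0 unused bits, content 0x84 = 10000100).
SAMPLE = bytes.fromhex("03020084")


def parse_bit_string(der):
    """Parse a short-form DER BIT STRING; return (content octets, bit count)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    if length < 1 or len(der) != 2 + length:
        raise ValueError("length does not match input")
    unused, data = der[2], der[3:]
    if unused > 7 or (unused and not data):
        raise ValueError("invalid unused-bits octet")
    return data, len(data) * 8 - unused


def _decode(der, mask_for):
    # mask_for maps a bit position within an octet (0..7) to its bit mask.
    data, nbits = parse_bit_string(der)
    return [name for i, name in enumerate(KEY_USAGE)
            if i < nbits and data[i // 8] & mask_for(i % 8)]


def key_usage_rfc5280(der):
    """Correct: ASN.1 bit 0 is the MSB (0x80) of the first content octet."""
    return _decode(der, lambda b: 0x80 >> b)


def key_usage_lsb_first(der):
    """Deliberately wrong: treats bit 0 as the LSB (0x01) of each octet."""
    return _decode(der, lambda b: 1 << b)


if __name__ == "__main__":
    print("RFC 5280 numbering:", key_usage_rfc5280(SAMPLE))
    print("LSB-first numbering:", key_usage_lsb_first(SAMPLE))
```

With the RFC 5280 numbering, 0x84 yields the two usages openssl prints; the reversed numbering yields keyEncipherment instead, so a certificate reviewed only in a tool that numbers bits this way would appear to carry different permissions than the ones relying parties enforce.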