Peter Sylvester wrote:
A test tool that wants to distinguish 'CA certificates, CRL signers and EE certs' (CA certificates in the meaning: it can sign certificates). IMO the way to proceed is: a CA cert is one that has keyUsage=keyCertSign. If not: if it has cRLSign, then it is a CRL signer, else it is an EE cert. One does not use basicConstraints to distinguish these types.
There's a pair of aspects missing from your description. The interface of the tool enables one to specify which of the three types the input is. There's also an option "Auto-Detect" which, as any "Auto-Detect" option, will do its best effort to determine the right type. That option is guaranteed to give the right result for any valid Certificate Signer, CRL Signer or EE Cert. But when confronted with a cert that has CA=True but no cert signing and no CRL signing in key usage, and therefore is:
- not a valid Certificate Signer
- not a valid CRL Signer
- not a valid EE Cert
the one Auto-Detect will pick is a random choice, knowing that the tool will report the cert is invalid and therefore rejected.
This is my main point, Peter. The Auto-Detect option is inadequate for such a certificate. When the cert is invalid, how could anybody *know for sure* what the person producing it intended to do? Therefore there's no reason to care as much as you do about the result. Auto-Detect is a convenience; just don't use it when a predictable result is really important.
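The two interfaces discussed in the thread, the explicit-type check and a best-effort Auto-Detect that refuses the ambiguous cA=TRUE/no-signing case instead of guessing, as an added example. This is not code from the thread or from the tool under discussion; it decodes the DER values of the KeyUsage and BasicConstraints extensions with a minimal hand-written parser so that it runs on the Python standard library alone, and the extension byte strings in the usage section are constructed for the example. The RFC 5280 rule that keyCertSign requires cA=TRUE is an addition beyond what the thread states.

```python
"""Classify an X.509 certificate as CA, CRL signer or EE from KeyUsage.

Added example (not code from the thread or from the tool it discusses).
The DER decoding below is a minimal hand-written parser covering only
what these two extensions need (short-form lengths); the byte strings
in the usage section are constructed, not taken from real certificates.
"""
from typing import FrozenSet, Optional, Tuple

# Named bits of the KeyUsage BIT STRING (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}


def _tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value; returns (tag, value, next_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[offset], data[offset + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported by this parser")
    start, end = offset + 2, offset + 2 + length
    if end > len(data):
        raise ValueError("truncated TLV value")
    return tag, data[start:end], end


def parse_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode KeyUsage ::= BIT STRING into the set of asserted bit names."""
    tag, value, end = _tlv(der)
    if tag != 0x03 or end != len(der) or not value:
        raise ValueError("KeyUsage is not a well-formed BIT STRING")
    unused, bits = value[0], value[1:]
    if unused > 7 or (unused and not bits):
        raise ValueError("bad unused-bits count")
    if bits and unused and bits[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires the unused bits to be zero")
    names = set()
    for i in range(len(bits) * 8 - unused):  # bit 0 is the MSB of byte 0
        if bits[i // 8] & (0x80 >> (i % 8)) and i in KEY_USAGE_BITS:
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } into (cA, pathLen)."""
    tag, body, end = _tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints is not a well-formed SEQUENCE")
    ca, path_len, off = False, None, 0
    if off < len(body) and body[off] == 0x01:        # cA BOOLEAN
        _, v, off = _tlv(body, off)
        if len(v) != 1 or v[0] not in (0x00, 0xFF):
            raise ValueError("bad BOOLEAN encoding")
        ca = v[0] == 0xFF
    if off < len(body) and body[off] == 0x02:        # pathLenConstraint INTEGER
        _, v, off = _tlv(body, off)
        path_len = int.from_bytes(v, "big", signed=True)
    if off != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len


def classify(key_usage: FrozenSet[str]) -> str:
    """Peter's rule: keyCertSign -> CA; else cRLSign -> CRL signer; else EE."""
    if "keyCertSign" in key_usage:
        return "CA"
    if "cRLSign" in key_usage:
        return "CRL signer"
    return "EE"


def auto_detect(ku_der: bytes, bc_der: Optional[bytes] = None) -> str:
    """Best-effort type detection that refuses, rather than guesses, when the
    cert is cA=TRUE but asserts neither keyCertSign nor cRLSign."""
    ku = parse_key_usage(ku_der)
    ca = parse_basic_constraints(bc_der)[0] if bc_der is not None else False
    if ca and not ku & {"keyCertSign", "cRLSign"}:
        raise ValueError("cA=TRUE but neither keyCertSign nor cRLSign: "
                         "not a valid CA, CRL signer or EE cert; type undecidable")
    if "keyCertSign" in ku and not ca:
        raise ValueError("keyCertSign asserted without cA=TRUE (RFC 5280 4.2.1.9)")
    return classify(ku)


def check_as(kind: str, ku_der: bytes, bc_der: Optional[bytes] = None) -> bool:
    """The explicit-type interface: does the cert qualify as the stated type?"""
    ku = parse_key_usage(ku_der)
    ca = parse_basic_constraints(bc_der)[0] if bc_der is not None else False
    if kind == "CA":
        return "keyCertSign" in ku and ca
    if kind == "CRL signer":
        return "cRLSign" in ku
    if kind == "EE":
        return not ku & {"keyCertSign", "cRLSign"} and not ca
    raise ValueError("unknown kind: " + kind)


if __name__ == "__main__":
    # Constructed DER values: KeyUsage {keyCertSign, cRLSign}, {cRLSign},
    # {digitalSignature, keyEncipherment}; BasicConstraints cA=TRUE, cA=FALSE.
    KU_CA, KU_CRL, KU_EE = (bytes.fromhex(h) for h in ("03020106", "03020102", "030205a0"))
    BC_CA, BC_EE = bytes.fromhex("30030101ff"), bytes.fromhex("3000")
    print(auto_detect(KU_CA, BC_CA), auto_detect(KU_CRL), auto_detect(KU_EE, BC_EE))
    try:
        auto_detect(KU_EE, BC_CA)   # the ambiguous cert from the thread
    except ValueError as e:
        print("rejected:", e)
```

`check_as` answers the question the caller actually has ("is this usable as the type I expect?"), while `auto_detect` raises on the cert the thread argues about rather than returning one of three equally unjustified labels.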