From: ejbca-support <ejb...@pr...> - 2012-05-25 07:46:25
Hi Arshad,
Name Constraints have indeed gotten more attention by the PKI
community lately. EJBCA can "as is" support NCs. However, there
is *currently* no GUI support; you have to provide the data as a
DER string. Fortunately this is not overly complex to create and
here is an example of such:
Permitted
  [1] Subtrees (0..Max):
    RFC822 Na...@ex...
  [2] Subtrees (0..Max):
    Directory Address:
      O=EXAMPLE
      C=US
Excluded=None
This is a Java program that creates the DER code, which must be coded into hex in
a custom extension using the NC OID:
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509Name;
import java.io.FileOutputStream;

public class KBBC
{
    static ASN1EncodableVector v = new ASN1EncodableVector();   // members of the outer NameConstraints SEQUENCE
    static ASN1EncodableVector vec = new ASN1EncodableVector(); // GeneralSubtree entries for permittedSubtrees

    // GeneralSubtree ::= SEQUENCE { base GeneralName, ... }; minimum/maximum are left at their defaults
    static void addRFC822 (String rfc822name) throws Exception
    {
        vec.add (new DERSequence (new GeneralName(GeneralName.rfc822Name, rfc822name)));
    }

    public static void main (String[] args) throws Exception
    {
        if (args.length != 1)
        {
            System.err.println ("Usage: java KBBC <output-file>");
            System.exit (1);
        }
        addRFC822 ("@example.com");
        vec.add (new DERSequence (new GeneralName(GeneralName.directoryName, new X509Name ("O=EXAMPLE,C=US"))));
        // permittedSubtrees [0] IMPLICIT GeneralSubtrees; excludedSubtrees is omitted
        v.add (new DERTaggedObject(false, 0, new DERSequence(vec)));
        DERObject gn = new DERSequence (v);
        FileOutputStream fos = new FileOutputStream (args[0]);
        fos.write (gn.getDEREncoded ());
        fos.close ();
    }
}
Regards,
Anders Rundgren
tech support
On 2012-05-24 22:14, Arshad Noor wrote:
> Hi,
>
> Not sure if I'm reading this correctly, but does EJBCA have support
> for issuing/understanding certificates with the nameConstraints (OID
> 2.5.29.30) extension in them, so it can only issue certificates that
> conform to the constraint? I don't see any reference to this
> constraint in its documentation.
>
> I did find an old e-mail that seems to indicate that PrimeKey does
> NOT recommend this extension:
>
> http://osdir.com/ml/java.ejbca.devel/2006-02/msg00092.html
>
> Unfortunately, because of all the problems recently with CAs being
> compromised, TTP CAs are now planning to enforce the use of this
> extension to limit their liability. However, the CA software must
> be able to support the use of the constraint and check all CSRs to
> see if the constraint is satisfied before issuing the certificate.
> I'm unable to find anything in EJBCA docs that indicate this is
> supported; can someone please provide some clarification? Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
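The exchange above covers two things: how the nameConstraints value is built in DER, and Arshad's point that the CA must check every request against the constraint before issuing. The following is an added example (not EJBCA's code and not from the thread) that does both in pure Python with no third-party modules: it encodes the same constraint Anders shows (rfc822Name "@example.com" plus directoryName O=EXAMPLE,C=US) byte-for-byte as the BouncyCastle program would, and it applies the RFC 5280 matching rules for those two name forms to a proposed subject. The attribute OIDs, the treatment of the non-standard "@host" form as equivalent to "host", and the `THREAD_PERMITTED` constant are my assumptions, not anything the thread states.

```python
"""Encode an RFC 5280 NameConstraints value in DER and check a proposed
subject against it.  Added example, not EJBCA's or the thread author's code.
Only the two GeneralName forms used in the thread are supported."""

# --- minimal DER encoder -------------------------------------------------
def der_length(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

# Attribute types for the thread's DN (assumed values from RFC 4519).
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    rdns is an ordered list of (type, value), one attribute per RDN; values
    are emitted as PrintableString (tag 0x13)."""
    rdn_bytes = b""
    for attr, value in rdns:
        atv = tlv(0x30, encode_oid(ATTR_OIDS[attr]) + tlv(0x13, value.encode("ascii")))
        rdn_bytes += tlv(0x31, atv)
    return tlv(0x30, rdn_bytes)

def general_name(kind, value):
    """GeneralName: rfc822Name is [1] IMPLICIT IA5String, directoryName is
    [4] EXPLICIT Name (RFC 5280 4.2.1.6)."""
    if kind == "rfc822":
        return tlv(0x81, value.encode("ascii"))
    if kind == "dirname":
        return tlv(0xA4, encode_name(value))
    raise ValueError("unsupported GeneralName kind: %s" % kind)

def encode_name_constraints(permitted, excluded=()):
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0] IMPLICIT
    GeneralSubtrees OPTIONAL, excludedSubtrees [1] IMPLICIT ... OPTIONAL }.
    Each GeneralSubtree carries only its base GeneralName (minimum defaults
    to 0, maximum omitted), exactly as the Java program in the thread does."""
    def subtrees(tag, names):
        return tlv(tag, b"".join(tlv(0x30, general_name(k, v)) for k, v in names))
    body = b""
    if permitted:
        body += subtrees(0xA0, permitted)
    if excluded:
        body += subtrees(0xA1, excluded)
    return tlv(0x30, body)

# --- conformance check: what a CA must do before it issues ------------------
def rfc822_within(mailbox, constraint):
    """RFC 5280 4.2.1.10: 'host' permits any mailbox at that host, '.host'
    any mailbox in a subdomain, 'user@host' exactly one mailbox.  The
    thread's '@host' spelling is treated like 'host' (an assumption)."""
    host = mailbox.rpartition("@")[2].lower()
    c = constraint.lower()
    if c.startswith("."):
        return host.endswith(c)
    if c.startswith("@"):
        c = c[1:]
    if "@" in c:
        return mailbox.lower() == c
    return host == c

def dirname_within(subject_rdns, constraint_rdns):
    """RFC 5280 7.1: a DN lies in a directoryName subtree when the subtree's
    RDNs are a prefix of it (compared case-insensitively here)."""
    norm = lambda rdns: [(a.upper(), v.upper()) for a, v in rdns]
    s, c = norm(subject_rdns), norm(constraint_rdns)
    return s[:len(c)] == c

def subject_permitted(permitted, email=None, subject_rdns=None):
    """True when every supplied name falls in some permitted subtree of its
    kind; a name kind with no subtree of that kind is unrestricted."""
    ok = True
    for kind, value in (("rfc822", email), ("dirname", subject_rdns)):
        if value is None:
            continue
        subs = [v for k, v in permitted if k == kind]
        if not subs:
            continue
        match = rfc822_within if kind == "rfc822" else dirname_within
        ok = ok and any(match(value, v) for v in subs)
    return ok

# Constructed: the exact constraint from the thread.
THREAD_PERMITTED = [("rfc822", "@example.com"),
                    ("dirname", [("O", "EXAMPLE"), ("C", "US")])]

if __name__ == "__main__":
    print(encode_name_constraints(THREAD_PERMITTED).hex())
    print(subject_permitted(THREAD_PERMITTED, email="alice@example.com",
                            subject_rdns=[("O", "EXAMPLE"), ("C", "US"), ("CN", "alice")]))
```

The hex that `encode_name_constraints(THREAD_PERMITTED)` prints is what goes into the custom-extension field under OID 2.5.29.30; the `subject_permitted` check is the part of the pipeline Arshad is asking about, and a CA that installs the extension without running that check over each request gains nothing from it.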