From: Jaime H. <hab...@gm...> - 2018-11-21 00:29:16
In EJBCA 6.10.1.2, if you try to configure an OCSP Key Binding with an OCSP
signer certificate without the KU extension, it fails like this:
    Caused by: java.lang.NullPointerException
        at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatabilityInternal(OcspKeyBinding.java:234)
        at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatability(OcspKeyBinding.java:117)
        at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.assertCertificateIsOkToImport(InternalKeyBindingMgmtSessionBean.java:912)
        at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.importCertificateForInternalKeyBinding(InternalKeyBindingMgmtSessionBean.java:768)
Because of the following highlighted code:
    private static void assertCertificateCompatabilityInternal(final Certificate certificate,
            AvailableExtendedKeyUsagesConfiguration ekuConfig) throws CertificateImportException {
        ...
        // getKeyUsage() returns null when the certificate carries no Key Usage extension,
        // so indexing [0] on it is what throws the NullPointerException above
        if (!x509Certificate.getKeyUsage()[0] && !x509Certificate.getKeyUsage()[1]) {
            throw new CertificateImportException("Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
        }
        ...
    }
But the PKIX profile doesn't require this extension for OCSP signer
certificates, only for CA and CRL signers. From RFC 5280, "4.2.1.3. Key
Usage":
> Conforming CAs *MUST include this extension in certificates* that
> contain public keys that are used *to validate digital signatures on
> other public key certificates or CRLs*.
On the other hand, RFC 6960 doesn't say anything about the KU extension.
So the previous code should maybe change to something like:
    if (x509Certificate.getKeyUsage() != null  // skip the check when the extension is absent
            && !x509Certificate.getKeyUsage()[0] && !x509Certificate.getKeyUsage()[1]) {
        throw new CertificateImportException("Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
    }
PS: I've been unable to check if this behavior continues in the current SVN
trunk version because the SVN repository seems to be down.
--
Jaime Hablutzel - RPC 994690880
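The null-safe check proposed in the post, as an added example that is not EJBCA code or the poster's own: it is written in Python with the `cryptography` library, with an assumed function name `check_ocsp_signer_key_usage`, and builds constructed self-signed OCSP signer certificates with and without a Key Usage extension to show that only a present KU lacking both digitalSignature and nonRepudiation is rejected.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def check_ocsp_signer_key_usage(cert: x509.Certificate):
    """Python counterpart of the fixed EJBCA check (assumed name, not EJBCA's own).

    Returns None when the certificate is acceptable, else the rejection message.
    RFC 5280 only mandates Key Usage for certificates that verify signatures on
    other certificates or CRLs, and RFC 6960 says nothing about KU for OCSP
    signers, so an absent extension is accepted. If present, it must allow
    signing: digital_signature is KU bit 0, content_commitment (nonRepudiation) bit 1.
    """
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return None  # the Java getKeyUsage() == null case: nothing to enforce
    if not ku.digital_signature and not ku.content_commitment:
        return ("Key Usage digitalSignature is required "
                "(nonRepudiation would also be accepted).")
    return None


def key_usage_ext(digital_signature=False, content_commitment=False,
                  key_encipherment=False) -> x509.KeyUsage:
    """Constructed KeyUsage value with only the bits this check cares about."""
    return x509.KeyUsage(
        digital_signature=digital_signature, content_commitment=content_commitment,
        key_encipherment=key_encipherment, data_encipherment=False, key_agreement=False,
        key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)


def make_test_cert(key_usage=None) -> x509.Certificate:
    """Constructed self-signed OCSP signer cert; key_usage=None omits the extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ocsp-signer-test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name).public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]),
                              critical=False))
    if key_usage is not None:
        builder = builder.add_extension(key_usage, critical=True)
    return builder.sign(key, hashes.SHA256())
```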