From: Tomas G. <to...@pr...> - 2018-11-21 07:02:49

Good notice. We know from before that some client (browsers?) used to require the use of digitalSignature keyUsage. Can you confirm that this is not required by the clients?

Regards,
Tomas

---
PrimeKey Solutions AB
Solna Access Plan A8, Sundbybergsvägen 1, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: https://www.primekey.se/
Twitter: twitter.com/primekeyPKI

On 2018-11-21 01:28, Jaime Hablutzel wrote:
> In EJBCA 6.10.1.2, if you try to configure an OCSP Key Binding with an
> OCSP signer certificate without the KU extension, it fails like this:
>
> Caused by: java.lang.NullPointerException
> at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatabilityInternal(OcspKeyBinding.java:234)
> at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatability(OcspKeyBinding.java:117)
> at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.assertCertificateIsOkToImport(InternalKeyBindingMgmtSessionBean.java:912)
> at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.importCertificateForInternalKeyBinding(InternalKeyBindingMgmtSessionBean.java:768)
>
> Because of the following highlighted code:
>
> private static void assertCertificateCompatabilityInternal(final Certificate certificate,
>         AvailableExtendedKeyUsagesConfiguration ekuConfig) throws CertificateImportException {
>     ...
>     if (!x509Certificate.getKeyUsage()[0] && !x509Certificate.getKeyUsage()[1]) {
>         throw new CertificateImportException("Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
>     }
>     ...
> }
>
> But PKIX profile doesn't require this extension for OCSP signer
> certificates, only for CA and CRL signers. From RFC 5280, "4.2.1.3. Key
> Usage":
>
>     Conforming CAs MUST include this extension in certificates that
>     contain public keys that are used to validate digital signatures on
>     other public key certificates or CRLs.
>
> On the other hand, RFC 6960 doesn't say anything about the KU extension.
>
> So the previous code should maybe change to something like:
>
> if (x509Certificate.getKeyUsage() != null &&
>         !x509Certificate.getKeyUsage()[0] && !x509Certificate.getKeyUsage()[1]) {
>     throw new CertificateImportException("Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
> }
>
> PS: I've been unable to check if this behavior continues in the current
> SVN trunk version because the SVN repository seems to be down.
>
> --
> Jaime Hablutzel - RPC 994690880
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
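As an added illustration of the null guard discussed in the quoted message (this is not EJBCA code nor code from either poster; the class and method names are hypothetical), the OCSP signer Key Usage check written twice over the boolean array that X509Certificate.getKeyUsage() returns: once as reported, once with the proposed guard, exercised on constructed sample arrays.

```java
import java.security.cert.X509Certificate;

// Hypothetical stand-alone class mirroring the check from the thread.
public final class OcspSignerKeyUsageCheck {
    // Bit positions in the array returned by X509Certificate.getKeyUsage() (RFC 5280, 4.2.1.3).
    private static final int DIGITAL_SIGNATURE = 0;
    private static final int NON_REPUDIATION = 1;
    private static final int KEY_ENCIPHERMENT = 2;

    // Logic as reported: dereferences the array directly, so a certificate with no
    // KU extension (getKeyUsage() == null) throws NullPointerException instead of a verdict.
    static boolean acceptedUnguarded(boolean[] ku) {
        return ku[DIGITAL_SIGNATURE] || ku[NON_REPUDIATION];
    }

    // Proposed logic: an absent extension is accepted (RFC 6960 imposes no KU requirement
    // on OCSP signers); a present extension must still assert one of the two bits.
    static boolean acceptedGuarded(boolean[] ku) {
        return ku == null || ku[DIGITAL_SIGNATURE] || ku[NON_REPUDIATION];
    }

    // Overload for a real certificate object; getKeyUsage() is null when the extension is absent.
    static boolean acceptedGuarded(X509Certificate cert) {
        return acceptedGuarded(cert.getKeyUsage());
    }

    // Constructed sample KU arrays in the nine-bit layout that getKeyUsage() uses.
    static boolean[] kuWith(int... bits) {
        boolean[] ku = new boolean[9];
        for (int b : bits) ku[b] = true;
        return ku;
    }

    public static void main(String[] args) {
        boolean[] noExtension = null;
        System.out.println("digitalSignature only -> " + acceptedGuarded(kuWith(DIGITAL_SIGNATURE)));
        System.out.println("nonRepudiation only   -> " + acceptedGuarded(kuWith(NON_REPUDIATION)));
        System.out.println("keyEncipherment only  -> " + acceptedGuarded(kuWith(KEY_ENCIPHERMENT)));
        System.out.println("no KU extension       -> " + acceptedGuarded(noExtension));
        try {
            acceptedUnguarded(noExtension);
        } catch (NullPointerException e) {
            System.out.println("no KU extension, unguarded -> NullPointerException (the reported failure)");
        }
    }
}
```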