From: Jaime H. <hab...@gm...> - 2018-11-21 18:19:34
I actually don't know if there are clients requiring this extension, sorry, but if there are (according to the previously mentioned standards) they would be at fault. Anyway, I think that EJBCA should not demand the KU in the OCSP signer certificate when trying to set up an OCSP Key Binding, in order to be standards compliant, and if there is any CA operator expecting the usage of a client that does require this extension, they could always install a certificate that includes it.

On Wed, Nov 21, 2018 at 2:03 AM Tomas Gustavsson <to...@pr...> wrote:
> Good notice.
>
> We know from before that some client (browsers?) used to require the use
> of digitalSignature keyUsage. Can you confirm that this is not required
> by the clients?
>
> Regards,
> Tomas
> ---
> PrimeKey Solutions AB
> Solna Access Plan A8,
> Sundbybergsvägen 1, 171 63 Solna, Sweden
> Mob: +46 (0)707421096
> Internet: https://www.primekey.se/
> Twitter: twitter.com/primekeyPKI
>
> On 2018-11-21 01:28, Jaime Hablutzel wrote:
> > In EJBCA 6.10.1.2, if you try to configure an OCSP Key Binding with an
> > OCSP signer certificate without the KU extension, it fails like this:
> >
> > *Caused by: java.lang.NullPointerException
> >     at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatabilityInternal(OcspKeyBinding.java:234)*
> >     at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatability(OcspKeyBinding.java:117)
> >     at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.assertCertificateIsOkToImport(InternalKeyBindingMgmtSessionBean.java:912)
> >     at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.importCertificateForInternalKeyBinding(InternalKeyBindingMgmtSessionBean.java:768)
> >
> > Because of the following highlighted code:
> >
> > private static void assertCertificateCompatabilityInternal(final Certificate certificate,
> >         AvailableExtendedKeyUsagesConfiguration ekuConfig) throws CertificateImportException {
> >     ...
> >     if (!*x509Certificate.getKeyUsage()[0]* && !x509Certificate.getKeyUsage()[1]) {
> >         throw new CertificateImportException("Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
> >     }
> >     ...
> > }
> >
> > But the PKIX profile doesn't require this extension for OCSP signer
> > certificates, only for CA and CRL signers. From RFC 5280, "4.2.1.3. Key
> > Usage":
> >
> >     Conforming CAs *MUST include this extension in certificates* that
> >     contain public keys that are used *to validate digital signatures on
> >     other public key certificates or CRLs*.
> >
> > On the other hand, RFC 6960 doesn't say anything about the KU extension.
> >
> > So the previous code should maybe change to something like:
> >
> > if (*x509Certificate.getKeyUsage() != null* && !x509Certificate.getKeyUsage()[0] && !x509Certificate.getKeyUsage()[1]) {
> >     throw new CertificateImportException("Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
> > }
> >
> > PS: I've been unable to check if this behavior continues in the current
> > SVN trunk version because the SVN repository seems to be down.
> >
> > --
> > Jaime Hablutzel - RPC 994690880
> >
> > _______________________________________________
> > Ejbca-develop mailing list
> > Ejb...@li...
> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

--
Jaime Hablutzel - RPC 994690880