From: Tomas G. <to...@pr...> - 2018-11-27 14:29:10
I created this issue and fixed it: https://jira.primekey.se/browse/ECA-7547

Thanks for the report. Used your simple fix in OcspKeyBinding.java:

    if (x509Certificate.getKeyUsage() != null
            && !x509Certificate.getKeyUsage()[0]
            && !x509Certificate.getKeyUsage()[1]) {
        throw new CertificateImportException(
                "Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
    }

Regards,
Tomas

On 2018-11-21 01:28, Jaime Hablutzel wrote:
> In EJBCA 6.10.1.2, if you try to configure an OCSP Key Binding with an
> OCSP signer certificate without the KU extension, it fails like this:
>
> *Caused by: java.lang.NullPointerException
>     at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatabilityInternal(OcspKeyBinding.java:234)*
>     at org.cesecore.keybind.impl.OcspKeyBinding.assertCertificateCompatability(OcspKeyBinding.java:117)
>     at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.assertCertificateIsOkToImport(InternalKeyBindingMgmtSessionBean.java:912)
>     at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.importCertificateForInternalKeyBinding(InternalKeyBindingMgmtSessionBean.java:768)
>
> Because of the following highlighted code:
>
>     private static void assertCertificateCompatabilityInternal(final Certificate certificate,
>             AvailableExtendedKeyUsagesConfiguration ekuConfig) throws CertificateImportException {
>         ...
>         if (!*x509Certificate.getKeyUsage()[0]* && !x509Certificate.getKeyUsage()[1]) {
>             throw new CertificateImportException(
>                     "Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
>         }
>         ...
>     }
>
> But the PKIX profile doesn't require this extension for OCSP signer
> certificates, only for CA and CRL signers. From RFC 5280, "4.2.1.3. Key
> Usage":
>
>     Conforming CAs *MUST include this extension in certificates* that
>     contain public keys that are used *to validate digital signatures on
>     other public key certificates or CRLs*.
>
> On the other hand, RFC 6960 doesn't say anything about the KU extension.
>
> So the previous code should maybe change to something like:
>
>     if (*x509Certificate.getKeyUsage() != null* && !x509Certificate.getKeyUsage()[0]
>             && !x509Certificate.getKeyUsage()[1]) {
>         throw new CertificateImportException(
>                 "Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
>     }
>
> PS: I've been unable to check if this behavior continues in the current
> SVN trunk version because the SVN repository seems to be down.
>
> --
> Jaime Hablutzel - RPC 994690880
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
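The two checks discussed in the thread, side by side, as an added stand-alone example (this is not EJBCA's code; the class name, the 9-bit array builder and the local CertificateImportException stand-in are assumptions, and the key-usage arrays are constructed to mimic what java.security.cert.X509Certificate.getKeyUsage() returns, including the null it returns when the extension is absent). It runs each check over an OCSP signer with digitalSignature, one with nonRepudiation only, one with no KU extension (the reported crash), and two certificates whose KU is present but lacks both signature bits, so you can see that the null test only admits the no-extension case and still rejects a wrong KU:

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example, not EJBCA code: the OCSP signer KU check in the NPE-prone
 * form from the report and in the null-safe form applied in ECA-7547.
 *
 * Bit positions in the boolean[] from X509Certificate.getKeyUsage() follow
 * RFC 5280 4.2.1.3: 0 digitalSignature, 1 nonRepudiation, 2 keyEncipherment,
 * 3 dataEncipherment, 4 keyAgreement, 5 keyCertSign, 6 cRLSign,
 * 7 encipherOnly, 8 decipherOnly. The method returns null when the
 * certificate carries no KU extension at all.
 */
public final class OcspSignerKeyUsageCheck {

    private static final int DIGITAL_SIGNATURE = 0;
    private static final int NON_REPUDIATION = 1;
    private static final int KEY_ENCIPHERMENT = 2;
    private static final int KEY_CERT_SIGN = 5;

    /** Local stand-in (assumption) for org.cesecore's CertificateImportException. */
    public static final class CertificateImportException extends Exception {
        CertificateImportException(String msg) { super(msg); }
    }

    /** The original check: indexes getKeyUsage() without testing for null. */
    static void assertKeyUsageOriginal(boolean[] keyUsage) throws CertificateImportException {
        if (!keyUsage[DIGITAL_SIGNATURE] && !keyUsage[NON_REPUDIATION]) {
            throw new CertificateImportException(
                    "Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
        }
    }

    /**
     * The fixed check: a certificate without a KU extension (null) is accepted,
     * since RFC 5280 does not require KU on OCSP signers; a KU extension that is
     * present but sets neither digitalSignature nor nonRepudiation is still rejected.
     */
    static void assertKeyUsageFixed(boolean[] keyUsage) throws CertificateImportException {
        if (keyUsage != null && !keyUsage[DIGITAL_SIGNATURE] && !keyUsage[NON_REPUDIATION]) {
            throw new CertificateImportException(
                    "Key Usage digitalSignature is required (nonRepudiation would also be accepted).");
        }
    }

    /** What an import path would call on a parsed certificate. */
    static void assertOcspSignerKeyUsage(X509Certificate cert) throws CertificateImportException {
        assertKeyUsageFixed(cert.getKeyUsage()); // null when the extension is absent
    }

    /** Builds the 9-element array getKeyUsage() returns, with the given bits set (constructed input). */
    static boolean[] ku(int... bits) {
        boolean[] out = new boolean[9];
        for (int b : bits) {
            out[b] = true;
        }
        return out;
    }

    private static void show(String label, boolean[] keyUsage) {
        System.out.println(label + " -> KU=" + (keyUsage == null ? "absent" : Arrays.toString(keyUsage)));
        try {
            assertKeyUsageOriginal(keyUsage);
            System.out.println("  original: accepted");
        } catch (CertificateImportException | NullPointerException e) {
            // The NPE branch is the failure reported in the thread.
            System.out.println("  original: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
        try {
            assertKeyUsageFixed(keyUsage);
            System.out.println("  fixed:    accepted");
        } catch (CertificateImportException e) {
            System.out.println("  fixed:    rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed inputs, not taken from real certificates.
        show("OCSP signer with digitalSignature", ku(DIGITAL_SIGNATURE));
        show("OCSP signer with nonRepudiation only", ku(NON_REPUDIATION));
        show("OCSP signer with no KU extension", null);
        show("Key with keyEncipherment only", ku(KEY_ENCIPHERMENT));
        show("CA certificate with keyCertSign only", ku(KEY_CERT_SIGN));
    }
}
```

Compile and run with `javac OcspSignerKeyUsageCheck.java && java OcspSignerKeyUsageCheck`. The null-safe check changes behaviour in exactly one row (the certificate with no KU extension, which now imports instead of crashing); the rows with keyEncipherment or keyCertSign only are rejected by both versions, which is what you want from an import-time guard on an OCSP signing key.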