>From da4772f28e170d4d72b73661ee72d13375e11454 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 18 Jun 2014 01:30:07 -0400
Subject: [PATCH 2/2] Copy Extended Key Usage from CSR when present
The ExtendedKeyUsageExtDefault profile policy ignores whatever Extended Key Usage appears in the certificate request, surprising Certmonger users who request a specific EKU.
Update the ExtendedKeyUsageExtDefault class to extract Extended Key Usage from a CSR, if the extension appears in the request, otherwise setting the configured default EKU if the extension does not appear.
As a result of this change, profile policies should now rely on ExtendedKeyUsageExtConstraint to reject CSRs with unreasonable EKU purposes.
https://fedorahosted.org/freeipa/ticket/2915
---
 .../cms/profile/def/ExtendedKeyUsageExtDefault.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
index 22f00eb940910fdd644e12f11eb3beb907cabfb2..e4d59871cbba7d39d9bde3aa6f686edd67a240d1 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
@@ -23,11 +23,13 @@ import java.util.StringTokenizer;
 import netscape.security.extensions.ExtendedKeyUsageExtension;
 import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertificateExtensions;
 import netscape.security.x509.X509CertInfo;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.property.Descriptor;
 import com.netscape.certsrv.property.EPropertyException;
@@ -219,7 +221,18 @@ public class ExtendedKeyUsageExtDefault extends EnrollExtDefault {
 */
 public void populate(IRequest request, X509CertInfo info)
 throws EProfileException {
- ExtendedKeyUsageExtension ext = createExtension();
+ CertificateExtensions inExts =
+ request.getExtDataInCertExts(IEnrollProfile.REQUEST_EXTENSIONS);
+ if (inExts == null)
+ return;
+
+ // read EKU from request
+ ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension)
+ getExtension(ExtendedKeyUsageExtension.OID, inExts);
+
+ // if no EKU in request, create default EKU extension
+ if (ext == null)
+ ext = createExtension();
 addExtension(ExtendedKeyUsageExtension.OID, ext, info);
 }
-- 
1.9.3
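Review bot: The early `return` when `inExts` is null skips the configured default EKU entirely, although the commit message says the default should apply whenever the request does not carry the extension; a CSR with no extension block at all now yields a certificate with no EKU, where the pre-patch code always added the default. Treating a missing extensions block the same as a missing EKU extension restores that behaviour, as sketched below. The unchecked cast on the `getExtension(...)` result also assumes the request's EKU was parsed into `ExtendedKeyUsageExtension`; if it can come back as a generic extension object, an `instanceof` guard that falls back to `createExtension()` would avoid a ClassCastException during enrollment — worth confirming against `getExtension`'s contract, which is outside the hunk. Since the requester's extension is now added as-is, criticality included, a Javadoc line on `populate` stating that `ExtendedKeyUsageExtConstraint` is expected to bound the accepted purposes would help profile authors; the method's Javadoc header begins above this hunk.

```java
    public void populate(IRequest request, X509CertInfo info)
            throws EProfileException {
        CertificateExtensions inExts =
            request.getExtDataInCertExts(IEnrollProfile.REQUEST_EXTENSIONS);

        // read EKU from request, if the request carries extensions at all
        ExtendedKeyUsageExtension ext = null;
        if (inExts != null) {
            Object reqExt = getExtension(ExtendedKeyUsageExtension.OID, inExts);
            if (reqExt instanceof ExtendedKeyUsageExtension)
                ext = (ExtendedKeyUsageExtension) reqExt;
        }

        // no usable EKU in request: fall back to the configured default
        if (ext == null)
            ext = createExtension();
        // … unchanged: addExtension call …
```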