Bug 509481 - RFE: support sMIMECapabilities extensions in certificates (RFC 4262)
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: CA
Version: unspecified
Hardware: All Linux
Priority: high
Severity: medium
Assigned To: Christina Fu
QA Contact: Chandrasekar Kannan
URL: ftp://ftp.rfc-editor.org/in-notes/rfc...
Keywords: FutureFeature
Blocks: 530474 445047
Reported: 2009-07-02 22:47 EDT by Nelson Bolyard
Modified: 2015-01-04 18:39 EST
Doc Type: Enhancement
Last Closed: 2012-06-04 15:53:00 EDT

Attachments
a dual-use user cert profile with S/MIME capabilities extension (6.62 KB, text/plain)
2010-11-11 17:50 EST, Christina Fu
cfu: review? (awnuk)
Description Nelson Bolyard 2009-07-02 22:47:55 EDT
RFC 4262 defines a new certificate extension which is merely an
sMIMECapabilities SEQUENCE, just like the one put into a signed S/MIME email.
Microsoft's Certificate Server product puts these extensions into S/MIME
encryption certs that it issues.  DogTag should fully support them.

This certificate extension has an identifying OID of
   sMIMECapabilities (1 2 840 113549 1 9 15)
and the OCTET STRING encapsulates a data structure that is identical to
the data structure of the SMIMECapabilities attribute defined in RFC 3851.
Comment 1 Christina Fu 2009-10-20 20:01:18 EDT
Nelson,
Is this extension widely used by major applications?  thanks.
Comment 2 Nelson Bolyard 2009-10-20 22:30:29 EDT
Microsoft email software uses them.  Don't know about any other MUAs or MTAs,
but a CA product that doesn't support them will probably be locked out of
shops that are predominantly MS Outlook.
Comment 8 Marc Sauton 2010-08-27 14:07:46 EDT
There is a way to "partially" accomplish this:
Use the GenericExtDefault extension defined in the profile framework (I initially searched for GenericASN1Ext, which should not be used).

It is defined in
pki/base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java:   
public GenericExtDefault() {

Create a custom profile like:

desc=testms.GenericExtDefault
visible=true
enable=true
enableBy=admin
name= testms.GenericExtDefault ManualUserDualSignEnc
auth.class_id=
input.list=i1,i2,i3
input.i1.class_id=dualKeyGenInputImpl
input.i2.class_id=subjectNameInputImpl
input.i3.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=encryptionCertSet,signingCertSet
...
policyset.signingCertSet.list=1,2,3,4,6,7,8,9,gen
...
policyset.signingCertSet.gen.constraint.class_id=noConstraintImpl
policyset.signingCertSet.gen.constraint.name=No Constraint
policyset.signingCertSet.gen.default.class_id=genericExtDefaultImpl
policyset.signingCertSet.gen.default.name=Generic Extension
policyset.signingCertSet.gen.default.params.genericExtOID=1.2.840.113549.1.9.15
policyset.signingCertSet.gen.default.params.genericExtData=30673...snip...0101

The "issue" is that the data still has to be generated "manually",
for example with an openssl SMIME-CAPS definition for ASN1:SEQUENCE to define S/MIME Capabilities in openssl.cnf, or with an openssl asn1parse command.

Then I can enroll for a signing cert, and can sign e-mails with a mail client.

Generating the ASN1 DER encoded sequence for S/MIME capabilities may not be trivial when creating the profiles, or may be needed by agents during enrollment, which is not very convenient.
That second part should probably have some kind of improved support.
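Comment 8 leaves the genericExtData blob to be produced by hand with openssl. The script below is an added example (not Dogtag code and not from this bug) that builds that DER blob with a minimal encoder for the SMIMECapabilities structure from RFC 3851 and emits the two profile parameter lines; the capability list SAMPLE_CAPS and the helper names are constructed for the illustration, and the policy set name mirrors the profile quoted above.

```python
"""DER for the sMIMECapabilities extension payload (RFC 4262; the SEQUENCE is
the SMIMECapabilities attribute of RFC 3851).  Added example, stdlib only."""

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(value)) + value

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def der_int(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 stops the top bit reading as a sign."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def smime_capabilities(caps) -> bytes:
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { capabilityID OBJECT IDENTIFIER,
    parameters ANY OPTIONAL }; caps is a list of (dotted OID, DER params or b"")."""
    inner = b"".join(der_tlv(0x30, der_oid(oid) + params) for oid, params in caps)
    return der_tlv(0x30, inner)

# Constructed sample capability list; publish only what the recipients' MUAs support.
SAMPLE_CAPS = [
    ("2.16.840.1.101.3.4.1.42", b""),      # aes256-CBC, no parameters
    ("2.16.840.1.101.3.4.1.2", b""),       # aes128-CBC, no parameters
    ("1.2.840.113549.3.7", b""),           # des-ede3-cbc, no parameters
    ("1.2.840.113549.3.2", der_int(128)),  # rc2-cbc, key length 128 as INTEGER parameter
]
SMIME_CAPABILITIES_OID = "1.2.840.113549.1.9.15"  # extension OID from the report

def profile_lines(policy_set: str = "signingCertSet", caps=SAMPLE_CAPS) -> list:
    """The two genericExtDefaultImpl parameter lines for a profile policy set."""
    prefix = f"policyset.{policy_set}.gen.default.params."
    return [prefix + "genericExtOID=" + SMIME_CAPABILITIES_OID,
            prefix + "genericExtData=" + smime_capabilities(caps).hex()]
```

Calling profile_lines() returns the two lines to paste into the profile; to check the blob before enrollment, feed the hex through xxd -r -p and openssl asn1parse -inform DER -i, which prints the nested SEQUENCEs and OIDs.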
Comment 18 Christina Fu 2010-11-11 19:47:32 EST
TIP

$ svn commit
Sending        ca/shared/conf/CS.cfg
Adding         ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
Transmitting file data ..
Committed revision 1495.
Comment 19 Marc Sauton 2010-11-11 19:58:11 EST
added
bz 652482 - rhcs80 pki-java-tools ExtJoiner java.io.IOException: extra DER value data (constructor)

for comment 16
