Indunil,

On 2/1/18 7:33 AM, Indunil Rathnayake wrote:
> I have configured a tomcat connector for handling requests for a
> particular servlet and have configured a trust store for the
> connector. Does anyone know whether Tomcat handles validation of the "Key
> Usage" and "Extended Key Usage" extensions in client certificates?
> And how is it handled through Tomcat (is it through the Tomcat
> connector)?
> 
> Appreciate your help on this.

Are you interested in making sure that Tomcat verifies that the
certificate is e.g. allowed to be used for TLS client authentication?

I'm fairly sure Tomcat does not currently verify any of the key-usage
fields on a certificate. The assumption is that if a trusted CA
doesn't think a key should be used for authentication, then the CA
should not sign that certificate.

But it's reasonable to imagine a scenario where a code-signing
certificate signed by a CA could be "illegally" used as a TLS client
certificate, and in that case, Tomcat would allow the handshake.

It seems reasonable for Tomcat to verify that any "critical" key-use
extensions are respected, and perhaps even some non-critical ones.

Is this what you had in mind?

-chris
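For anyone who wants to enforce the check Chris describes without waiting for it to land in Tomcat, the following is an added example (my own code for this thread, not Tomcat's and not something Chris posted). It wraps the JVM's default PKIX trust manager and, after the normal chain validation, refuses a client certificate whose Key Usage or Extended Key Usage does not permit TLS client authentication, and rejects any critical extension the JVM does not understand. The class name, the decision to load the JVM default truststore in the zero-argument constructor, and the choice of which Key Usage bits to accept (digitalSignature or keyAgreement) are my assumptions, not anything specified by Tomcat; the OIDs and bit positions are the ones from RFC 5280.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical trust manager (example for this thread, not Tomcat code).
 * Delegates chain validation to the JVM's default trust manager, then
 * enforces that the end-entity client certificate is actually permitted
 * to be used for TLS client authentication.
 */
public class ClientAuthEkuTrustManager implements X509TrustManager {

    // id-kp-clientAuth, RFC 5280 section 4.2.1.12
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    // anyExtendedKeyUsage, RFC 5280 section 4.2.1.12
    private static final String EKU_ANY = "2.5.29.37.0";
    // Key Usage bit positions, RFC 5280 section 4.2.1.3
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_KEY_AGREEMENT = 4;

    private final X509TrustManager delegate;

    // Zero-argument constructor, as a trust manager loaded by class name needs.
    // Assumption: the client CA truststore is the JVM default (cacerts or
    // whatever javax.net.ssl.trustStore points at).
    public ClientAuthEkuTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509TrustManager available");
        }
        this.delegate = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Usual path validation first (signature, validity, trust anchor).
        delegate.checkClientTrusted(chain, authType);
        // Then the usage check Tomcat itself does not make (per Chris's reply).
        checkClientAuthUsage(chain[0]);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Reject the end-entity certificate unless KU/EKU permit TLS client auth. */
    static void checkClientAuthUsage(X509Certificate leaf) throws CertificateException {
        // A critical extension the JVM cannot interpret must be fatal (RFC 5280 section 4.2).
        if (leaf.hasUnsupportedCriticalExtension()) {
            throw new CertificateException(
                    "unsupported critical extension in client certificate");
        }
        // Key Usage: absent means unrestricted; if present, a client-auth key must be
        // allowed to sign the CertificateVerify or to do key agreement.
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null) {
            boolean sign = ku.length > KU_DIGITAL_SIGNATURE && ku[KU_DIGITAL_SIGNATURE];
            boolean agree = ku.length > KU_KEY_AGREEMENT && ku[KU_KEY_AGREEMENT];
            if (!sign && !agree) {
                throw new CertificateException(
                        "Key Usage does not permit TLS client authentication");
            }
        }
        // Extended Key Usage: absent means unrestricted; if present it must list
        // clientAuth (or anyExtendedKeyUsage). A codeSigning-only certificate,
        // the case in Chris's reply, fails here.
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku != null && !eku.contains(EKU_CLIENT_AUTH) && !eku.contains(EKU_ANY)) {
            throw new CertificateException(
                    "Extended Key Usage does not permit TLS client authentication: " + eku);
        }
    }
}
```

To use it with a Tomcat connector, compile it onto Tomcat's classpath and point the connector's SSL host configuration at it with the trustManagerClassName attribute; Tomcat then uses this class instead of the truststore attributes on the connector, which is why the constructor above has to locate the client CA truststore itself. Whether the JSSE default trust manager already applies some of these checks on its own is a separate question; the point of the wrapper is that the policy is explicit and visible in your own code rather than implied by what the CA chose to sign.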

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org