Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server
Hi,

On 2 February 2018 at 19:55, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Mark,
>
> On 2/2/18 5:35 AM, Mark Thomas wrote:
> > On 02/02/18 04:06, Christopher Schultz wrote:
> >> It seems reasonable for Tomcat to verify that any "critical"
> >> key-use extensions are respected, and perhaps even some
> >> non-critical ones.
> >
> > I'd assume that JSSE / OpenSSL do this automatically. Is there any
> > evidence that they do not?
>
> Sorry, I meant to say that Tomcat should probably perform those checks
> if the underlying TLS handler is not already doing them, or instruct
> the underlying handler to perform those checks if they are not already
> being done and can be done during the handshake.

Thanks. I'd appreciate it if you can share some reference for how we can enable this validation through a Tomcat handler.

> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

-- 
Indunil Rathnayake
Faculty of Information Technology
University of Moratuwa.
Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server
Hi Chris,

On 2 February 2018 at 09:36, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Indunil,
>
> On 2/1/18 7:33 AM, Indunil Rathnayake wrote:
> > I have configured a tomcat connector for handling requests for a
> > particular servlet and have configured a trust store for the
> > connector. Anyone knows whether tomcat handles validation of "Key
> > Usage" and "Extended Key Usage" extensions in client certificates?
> > And how it's handled through tomcat(is it through the tomcat
> > connector)?
> >
> > Appreciate your help on this.
>
> Are you interested in making sure that Tomcat verifies that the
> certificate is e.g. allowed to be used for TLS client authentication?
>
> I'm fairly sure Tomcat does not currently verify any of the key-usage
> fields on a certificate. The assumption is that if a trusted CA
> doesn't think a key should be used for authentication, then the CA
> should not sign that certificate.
>
> But it's reasonable to imagine a scenario where a code-signing
> certificate signed by a CA could be "illegally" used as a TLS client
> certificate, and in that case, Tomcat would allow the handshake.
>
> It seems reasonable for Tomcat to verify that any "critical" key-use
> extensions are respected, and perhaps even some non-critical ones.
>
> Is this what you had in mind?

Thanks a lot for the information. I really appreciate it.

Yes, I was concerned about whether Tomcat validates the Key Usage and Extended Key Usage extensions, to check whether a particular certificate serves the purpose it is intended for. E.g. in client authentication, a certificate without the "clientAuth" Extended Key Usage value shouldn't be accepted as a valid certificate at the Tomcat level. As per your comment, it seems those validations are not done at the Tomcat level.

Do you know which "Key Usage" or "Extended Key Usage" extension values should be required in order to support client authentication?

> -chris
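The two open questions in this thread are which extension values a TLS client certificate needs and how to enforce them on the Tomcat side. The following is an added example, not Tomcat code and not something either poster wrote: a servlet Filter that reads the client certificate chain Tomcat exposes under the standard request attribute `javax.servlet.request.X509Certificate` and rejects the request unless the leaf certificate's Key Usage permits `digitalSignature` (or `keyAgreement`, for static DH/ECDH certificates) and its Extended Key Usage, when present, contains `id-kp-clientAuth` (1.3.6.1.5.5.7.3.2) or `anyExtendedKeyUsage`. The class name `ClientAuthKeyUsageFilter` and the `requireEku` init parameter are this example's own choices.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Tomcat code: a servlet Filter that rejects requests whose
 * client certificate is not permitted to be used for TLS client authentication.
 *
 * Any Servlet container exposes the client's verified chain under the request
 * attribute "javax.servlet.request.X509Certificate", leaf certificate first.
 * The class name and the init-param "requireEku" are this example's own choices.
 */
public class ClientAuthKeyUsageFilter implements Filter {

    /** RFC 5280 4.2.1.12: id-kp-clientAuth. */
    static final String OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    /** RFC 5280 4.2.1.12: anyExtendedKeyUsage. */
    static final String OID_ANY_EKU = "2.5.29.37.0";
    /** Bit positions in X509Certificate.getKeyUsage() (RFC 5280 4.2.1.3). */
    static final int KU_DIGITAL_SIGNATURE = 0;
    static final int KU_KEY_AGREEMENT = 4;

    private boolean requireEku;

    @Override
    public void init(FilterConfig config) {
        // Policy knob: when true, a certificate with no EKU extension is rejected too.
        requireEku = Boolean.parseBoolean(config.getInitParameter("requireEku"));
    }

    /**
     * Returns null if the certificate may be used for TLS client authentication,
     * otherwise a short reason for rejection.
     */
    static String checkClientAuthUsage(X509Certificate cert, boolean requireEku)
            throws CertificateParsingException {
        // Key Usage: a TLS client proves possession of its key by signing
        // CertificateVerify (digitalSignature) or, for static DH/ECDH
        // certificates, through keyAgreement.
        boolean[] ku = cert.getKeyUsage(); // null when the extension is absent
        if (ku != null && !(ku[KU_DIGITAL_SIGNATURE] || ku[KU_KEY_AGREEMENT])) {
            return "KeyUsage permits neither digitalSignature nor keyAgreement";
        }
        // Extended Key Usage: absent means unrestricted per RFC 5280, so a
        // code-signing-only or serverAuth-only certificate is only caught when
        // the CA actually emitted the extension (or requireEku is set).
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (eku == null) {
            return requireEku ? "ExtendedKeyUsage extension absent" : null;
        }
        if (eku.contains(OID_CLIENT_AUTH) || eku.contains(OID_ANY_EKU)) {
            return null;
        }
        return "ExtendedKeyUsage does not include id-kp-clientAuth: " + eku;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] tlsChain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (tlsChain == null || tlsChain.length == 0) {
            // The handshake completed without a client certificate (e.g. clientAuth="want").
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String reason;
        try {
            reason = checkClientAuthUsage(tlsChain[0], requireEku);
        } catch (CertificateParsingException e) {
            reason = "unparseable ExtendedKeyUsage extension";
        }
        if (reason != null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate rejected: " + reason);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter to the same URL pattern as the servlet that sits behind the mutual-TLS connector. One caveat a practitioner should keep in mind: a Filter runs after the TLS handshake has already succeeded, so the session exists and the check is an application-layer policy rather than a handshake failure. To reject during the handshake instead, the same `checkClientAuthUsage` logic belongs in a custom `javax.net.ssl.X509TrustManager` whose `checkClientTrusted` throws `CertificateException` on a bad result, wired in through the connector's `trustManagerClassName` attribute. Whether the underlying TLS engine (JSSE or OpenSSL) already performs these checks is exactly the open question in this thread; the filter makes the policy explicit either way.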
Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server
Adding Chris.

On 1 February 2018 at 18:03, Indunil Rathnayake <indunil@gmail.com> wrote:
> Hi,
>
> I have configured a tomcat connector for handling requests for a
> particular servlet and have configured a trust store for the connector.
> Anyone knows whether tomcat handles validation of "Key Usage" and "Extended
> Key Usage" extensions in client certificates? And how it's handled through
> tomcat(is it through the tomcat connector)?
>
> Appreciate your help on this.
>
> Thanks and Regards
Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server
Hi Chris,

On 1 February 2018 at 20:25, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Indunil,
>
> On 2/1/18 7:29 AM, Indunil Rathnayake wrote:
> > I have configured a tomcat connector for handling requests for a
> > particular servlet and have configured a trust store for the
> > connector. Anyone knows whether tomcat handles validation of "Key
> > Usage" and "Extended Key Usage" extensions in client certificates?
> > And how it's handled through tomcat(is it through the tomcat
> > connector)?
> >
> > Appreciate your help on this.
>
> This is a question better-asked on the users' list. Cross-posting to
> move the discussion there.

Thanks. I have already sent a mail to the users' list as well. Please check. I really appreciate your help on this.

> -chris
Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server
Hi,

I have configured a Tomcat connector for handling requests for a particular servlet and have configured a trust store for the connector. Does anyone know whether Tomcat handles validation of the "Key Usage" and "Extended Key Usage" extensions in client certificates? And how is it handled through Tomcat (is it through the Tomcat connector)?

Appreciate your help on this.

Thanks and Regards