On 11/16/2021 6:37 PM, Weijun Wang wrote:
> On Tue, 16 Nov 2021 21:00:12 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>
>>> There is no need to check for the KeyUsage extension when validating a TSA
>>> certificate.
>>> A test is modified where a TSA cert has a KeyUsage but without the
>>> DigitalSignature bit.
>>
>> Weijun Wang has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   clarify RFC requirement
>
> I did see an issuer of TSA certs whose own certificate has EKU with
> id-kp-timeStamping and KU with both DigitalSignature and keyCertSign. This
> cert should be rejected if it signed a timestamp response.
>
> -------------
>
> PR: https://git.openjdk.java.net/jdk/pull/6416
Not quite. The rule is that if there are both ExtendedKeyUsage and
KeyUsage extensions, for any given OID in the EKU there has to be at
least one bit in the KeyUsage extension that's compatible - there may
be more than one. If there's an EKU, and no KeyUsage, then only the EKU
needs to have an OID for the key usage purpose - in this case signing a
timestamp.
The cert you cite would be valid for timestamping.
Mike
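
The rule Mike lays out (the EKU must list the purpose; if a KeyUsage is also present, at least one of its bits must be consistent with that purpose; extra bits such as keyCertSign do not disqualify the cert) written out as a small checker. This is an added example, not code from the thread or from the JDK. The per-purpose bit table is the one in RFC 5280 section 4.2.1.12, the "EKU present and critical" precondition for a TSA cert is taken from RFC 3161 section 2.3, and the sample extension sets, including the one Weijun describes, are constructed here rather than read from real certificates.

```python
# Added example (not thread or JDK code): KeyUsage / ExtendedKeyUsage
# consistency for a TSA certificate, following the rule Mike describes.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# KeyPurposeId OIDs (RFC 5280 section 4.2.1.12).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ID_KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8"

# KeyUsage bits RFC 5280 section 4.2.1.12 lists as consistent with each
# purpose. Only the rows needed here; the RFC table has more.
CONSISTENT_KU = {
    ID_KP_SERVER_AUTH: frozenset({"digitalSignature", "keyEncipherment", "keyAgreement"}),
    ID_KP_CODE_SIGNING: frozenset({"digitalSignature"}),
    ID_KP_TIMESTAMPING: frozenset({"digitalSignature", "nonRepudiation"}),
}


@dataclass(frozen=True)
class CertExtensions:
    """The two extensions that matter here. None means the extension is absent."""
    eku: Optional[FrozenSet[str]]   # KeyPurposeId OIDs, or None
    ku: Optional[FrozenSet[str]]    # KeyUsage bit names, or None
    eku_critical: bool = False


def usable_for(cert: CertExtensions, purpose: str) -> Tuple[bool, str]:
    """Generic KU/EKU rule: if an EKU is present it must list the purpose;
    if a KeyUsage is also present, at least one of its bits must be
    consistent with that purpose. Additional bits are ignored."""
    if cert.eku is not None and purpose not in cert.eku:
        return False, "EKU present but does not list the purpose"
    if cert.ku is None:
        return True, "no KeyUsage; the EKU alone decides"
    compatible = CONSISTENT_KU.get(purpose, frozenset()) & cert.ku
    if not compatible:
        return False, "KeyUsage has no bit consistent with the purpose"
    return True, "consistent KeyUsage bit(s): " + ", ".join(sorted(compatible))


def tsa_cert_acceptable(cert: CertExtensions) -> Tuple[bool, str]:
    """RFC 3161 section 2.3: a TSA certificate must carry a critical EKU
    with id-kp-timeStamping; after that the generic rule above applies."""
    if cert.eku is None:
        return False, "RFC 3161 requires an EKU on a TSA certificate"
    if not cert.eku_critical:
        return False, "RFC 3161 requires the TSA EKU to be critical"
    return usable_for(cert, ID_KP_TIMESTAMPING)


# Constructed sample extension sets (not taken from real certificates).
CERT_FROM_THREAD = CertExtensions(          # the issuer cert Weijun describes
    eku=frozenset({ID_KP_TIMESTAMPING}),
    ku=frozenset({"digitalSignature", "keyCertSign"}),
    eku_critical=True,
)
NO_KU = CertExtensions(                     # EKU only, as in Mike's second case
    eku=frozenset({ID_KP_TIMESTAMPING}), ku=None, eku_critical=True,
)
KU_WITHOUT_SIGNATURE_BIT = CertExtensions(  # KU present but no compatible bit
    eku=frozenset({ID_KP_TIMESTAMPING}), ku=frozenset({"keyEncipherment"}),
    eku_critical=True,
)
CODE_SIGNING_ONLY = CertExtensions(         # EKU does not list timeStamping
    eku=frozenset({ID_KP_CODE_SIGNING}), ku=frozenset({"digitalSignature"}),
    eku_critical=True,
)

if __name__ == "__main__":
    samples = [("thread cert", CERT_FROM_THREAD), ("no KU", NO_KU),
               ("KU without signature bit", KU_WITHOUT_SIGNATURE_BIT),
               ("code signing only", CODE_SIGNING_ONLY)]
    for name, cert in samples:
        ok, why = tsa_cert_acceptable(cert)
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```

Under this rule the cert from the thread is accepted because digitalSignature is one compatible bit, and the extra keyCertSign bit is irrelevant; the cert from the PR's modified test (KeyUsage present but without a signature bit) is what the KU check would reject if it were applied.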