Hi Chris,

On 2 February 2018 at 09:36, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Hash: SHA256
> Indunil,
> On 2/1/18 7:33 AM, Indunil Rathnayake wrote:
> > I have configured a tomcat connector for handling requests for a
> > particular servlet and have configured a trust store for the
> > connector. Anyone knows whether tomcat handles validation of "Key
> > Usage" and "Extended Key Usage" extensions in client certificates?
> > And how it's handled through tomcat(is it through the tomcat
> > connector)?
> >
> > Appreciate your help on this.
> Are you interested in making sure that Tomcat verifies that the
> certificate is e.g. allowed to be used for TLS client authentication?
> I'm fairly sure Tomcat does not currently verify any of the key-usage
> fields on a certificate. The assumption is that if a trusted CA
> doesn't think a key should be used for authentication, then the CA
> should not sign that certificate.
> But it's reasonable to imagine a scenario where a code-signing
> certificate signed by a CA could be "illegally" used as a TLS client
> certificate, and in that case, Tomcat would allow the handshake.
> It seems reasonable for Tomcat to verify that any "critical" key-use
> extensions are respected, and perhaps even some non-critical ones.
> Is this what you had in mind?

Thanks a lot for the information. I really appreciate it. Yes, I was
concerned whether tomcat is validate the key usage and extended key usage
extensions, for checking whether a particular certificate is served the
purpose it is intended to. Ex: in client authentication, certificate
without "clientAuth" extended key usage in extension shouldn't be taken as
a valid certificate from tomcat level.

As per your comment, seems like in tomcat level, those validations will not
be done.

Do you know what are the "key usage" or "extended key usage" extension
values should be required, in order to support client authentication?

> - -chris
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> pFiqiBAAmL6qk1g+TOSgsy9fvs7E540l8fuAk3jQ7l0z/uy9hOIUw6yYjvMorabG
> MWmc6VLRJ95y1ALbmW/olEGVZ4SHihdnmlJbkZ8AqiKBQtaz6fWKXcGdYymlnoE5
> jTye1XLBjk7lyhOWoP6bW315Bg+LI62gzUoFukphcmEQwE9CkpzVEJtpnfXpuCuf
> xJl0sh8oTKaU+Fsy4nW4HITSmuVHNEaoKseKCRSjDe1z4pc1NG9n5QN4Ij5TX53o
> JLIqv3c8dpyIO2+brIoc+KvXBNVBngaDsiDbJszGdhDICsIoz0andxHwzQRLoqtu
> 4I5eLpO/qbGNk10Kl/TRamnIUw+t79NsE+WeAbwX30zkEPkApb7rJ6M4g6haQPg5
> wSaka+FLy/zdlNVzBw6iiJla4UiLtzlVXYUlCCC/j/cs+aV0A2ilsUYZNUrLMB3F
> No77FxDt+bo6v8U2JqS4AU6N/5ktNVRfpwcDWQrNT1TTWFdOMzqxI1NVSm08hmwM
> FrBaO6dL6ZikaB2x1Xb3STyGKb3t03R/AqI/CQpxUus9a/0AHVMNM8ru+gnB8kJu
> TCkjE3+Tu3Uh+wLzR8bTkqpecFtLNV3Lf6I6k+FrbLb3XBWW7EBpTx3yeKbCij7X
> rHigCnOMO/Np3YE6Ttuepja0poEYdLo+yGbaKxZQubIjVfPMmjU=
> =e5q4
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


*Indunil Rathnayake *

*Faculty of Information Technology*

*University of Moratuwa.*

Email : *indunil....@gmail.com <indunil....@gmail.com>* | Skype: indu.upeksha
| Mobile : (+94)713695179  | Twitter @indunilUR |

LinkedIn: http://lk.linkedin.com/in/indunil
|  Facebook
: https://www.facebook.com/indunilrathnayake80

Reply via email to