[Pki-devel] [PATCH] 2-3 Copy ExtendedKeyUsage from signing request

Fraser Tweedale ftweedal at redhat.com
Mon Jun 16 07:57:03 UTC 2014


Hi all,

These patches implement support for copying the ExtendedKeyUsage
extension from a signing request to the certificate, addressing
https://fedorahosted.org/freeipa/ticket/2915.

My email from a few days ago goes into a bit more detail and puts
forward the question of whether this is even a reasonable approach
to solving #2915.  Since I haven't yet received any feedback I
figured I'd go ahead and publish the patches.


Patch 0002:

Add appropriate ExtendedKeyUsage constraints to all profiles that
support this extension.  To check that none were missed:

    $ ag -l extendedKeyUsageExtDefaultImpl \
      | xargs ag -L extendedKeyUsageExtConstraintImpl

Patch 0003:

The actual fix: the EKU extension is copied from the signing request, or the
default is used when the extension does not appear in the request.
-------------- next part --------------
>From bb85febccecc483e720f5e6ee996ec6bce6f9018 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase at frase.id.au>
Date: Mon, 16 Jun 2014 02:58:07 -0400
Subject: [PATCH] Add EKU constraint to all relevant profiles

To support changing ExtendedKeyUsageExtDefault to copy
ExtendedKeyUsage information when present in a signing request,
update all profiles that use ExtendedKeyUsageExtDefault to have a
corresponding constraint.

This will preserve the existing behaviour where only EKU purposes
configured for the default can appear in the certificate.
---
 base/ca/shared/profiles/ca/AdminCert.cfg                    | 6 ++++--
 base/ca/shared/profiles/ca/DomainController.cfg             | 6 ++++--
 base/ca/shared/profiles/ca/caAdminCert.cfg                  | 6 ++++--
 base/ca/shared/profiles/ca/caAgentFileSigning.cfg           | 6 ++++--
 base/ca/shared/profiles/ca/caAgentServerCert.cfg            | 6 ++++--
 base/ca/shared/profiles/ca/caCMCUserCert.cfg                | 6 ++++--
 base/ca/shared/profiles/ca/caDirPinUserCert.cfg             | 6 ++++--
 base/ca/shared/profiles/ca/caDirUserCert.cfg                | 6 ++++--
 base/ca/shared/profiles/ca/caDualCert.cfg                   | 6 ++++--
 base/ca/shared/profiles/ca/caDualRAuserCert.cfg             | 6 ++++--
 base/ca/shared/profiles/ca/caECDirUserCert.cfg              | 6 ++++--
 base/ca/shared/profiles/ca/caECDualCert.cfg                 | 6 ++++--
 base/ca/shared/profiles/ca/caECUserCert.cfg                 | 6 ++++--
 base/ca/shared/profiles/ca/caEncECUserCert.cfg              | 6 ++++--
 base/ca/shared/profiles/ca/caEncUserCert.cfg                | 6 ++++--
 base/ca/shared/profiles/ca/caFullCMCUserCert.cfg            | 6 ++++--
 base/ca/shared/profiles/ca/caIPAserviceCert.cfg             | 6 ++++--
 base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg | 6 ++++--
 base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg     | 6 ++++--
 base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg  | 6 ++++--
 base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg  | 6 ++++--
 base/ca/shared/profiles/ca/caOtherCert.cfg                  | 6 ++++--
 base/ca/shared/profiles/ca/caRACert.cfg                     | 6 ++++--
 base/ca/shared/profiles/ca/caRARouterCert.cfg               | 6 ++++--
 base/ca/shared/profiles/ca/caRAagentCert.cfg                | 6 ++++--
 base/ca/shared/profiles/ca/caRAserverCert.cfg               | 6 ++++--
 base/ca/shared/profiles/ca/caRouterCert.cfg                 | 6 ++++--
 base/ca/shared/profiles/ca/caServerCert.cfg                 | 6 ++++--
 base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg          | 6 ++++--
 base/ca/shared/profiles/ca/caStorageCert.cfg                | 6 ++++--
 base/ca/shared/profiles/ca/caSubsystemCert.cfg              | 6 ++++--
 base/ca/shared/profiles/ca/caTPSCert.cfg                    | 6 ++++--
 base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg     | 6 ++++--
 base/ca/shared/profiles/ca/caTransportCert.cfg              | 6 ++++--
 base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg             | 6 ++++--
 base/ca/shared/profiles/ca/caUserCert.cfg                   | 6 ++++--
 base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg           | 6 ++++--
 37 files changed, 148 insertions(+), 74 deletions(-)

diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
index a54a1b75594c95c5922768ee949a4a10808b43d2..506367558f535e9d5b5f37b610760b75ad24f287 100644
--- a/base/ca/shared/profiles/ca/AdminCert.cfg
+++ b/base/ca/shared/profiles/ca/AdminCert.cfg
@@ -72,8 +72,10 @@ policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
 policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
-policyset.adminCertSet.7.constraint.name=No Constraint
+policyset.adminCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.adminCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.adminCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.adminCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
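Review bot: The new constraint list `policyset.adminCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4` cannot be checked against the default's own list from this hunk, because `policyset.adminCertSet.7.default.params.exKeyUsageOIDs` appears to sit just past the last context line. If the two lists ever differ, a request carrying no EKU would be filled in by the default and then fail its own constraint, or, if the constraint is the looser of the two, it would admit purposes the profile never issued before; please confirm each constraint/default pair matches, since the commit message says the constraint is meant to preserve exactly what the default allowed. The same check applies to every other file section in this patch (DomainController.cfg through caRARouterCert.cfg, and the diffstat lists 37 files of which this excerpt shows only part). It would also help to state in the commit message whether `extendedKeyUsageExtConstraintImpl` treats the request's OIDs as a subset of `exKeyUsageOIDs` or requires an exact match, because once patch 0003 copies the request's extension that distinction decides whether a requester can narrow or widen the purposes relative to the profile's intent.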
diff --git a/base/ca/shared/profiles/ca/DomainController.cfg b/base/ca/shared/profiles/ca/DomainController.cfg
index 81cba321421acef2adc12389def815475481ab60..81d2bb5697f26840216d91a26733bb5967a933b5 100644
--- a/base/ca/shared/profiles/ca/DomainController.cfg
+++ b/base/ca/shared/profiles/ca/DomainController.cfg
@@ -84,8 +84,10 @@ policyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.loca
 policyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2
 policyset.set1.5.default.params.authInfoAccessCritical=false
 policyset.set1.5.default.params.authInfoAccessNumADs=1
-policyset.set1.eku.constraint.class_id=noConstraintImpl
-policyset.set1.eku.constraint.name=No Constraint
+policyset.set1.eku.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.set1.eku.constraint.name=Extended Key Usage Extension
+policyset.set1.eku.constraint.params.exKeyUsageCritical=false
+policyset.set1.eku.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.set1.eku.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.set1.eku.default.name=Extended Key Usage Extension Default
 policyset.set1.eku.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
index cd2970397caaba6799bc563497da54f98ac2234d..9384e05b214b5044feb657e16607800d62e5d39b 100644
--- a/base/ca/shared/profiles/ca/caAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -73,8 +73,10 @@ policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
 policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
-policyset.adminCertSet.7.constraint.name=No Constraint
+policyset.adminCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.adminCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.adminCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.adminCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
index 26eb171b0aad807d70d10a8c655e166e2d6bc7be..4d85bcaeccbc4fefc4f259ba802d364c1544cd56 100644
--- a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
+++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
@@ -72,8 +72,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
index 9543383301e725513fd2f2bb79e70f0709c7deb8..72b55fc917012996307fc62eb361760ebdb60048 100644
--- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
index e703f0cd31f0458347b9ed012f6bc49b891bcb7f..1d09443b3e5ecbb5b05b8953bdde0eb22b978604 100644
--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -72,8 +72,10 @@ policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
-policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.cmcUserCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
index 065a05aabf92690d60934d8253fcdb25482184b4..66c2a0ddde3b2ba1a85724f740cfffaf4cfc9841 100644
--- a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
@@ -76,8 +76,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
index d18dbedf97862dcfb84d43fbd0be0f6cc45a8f0f..70476bf304afbe5e4c0350a5369c5c72a2caff9e 100644
--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
@@ -76,8 +76,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
index e85cbe00273f499a22aafe8b19c3ca0905fe8568..393651564d28d3e9c8685e09283969d8588d3886 100644
--- a/base/ca/shared/profiles/ca/caDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -144,8 +144,10 @@ policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
 policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
-policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.signingCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.signingCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
index 741e26a3fe030d2b4146be52e488f0fe895dec4a..35e4abab9c98ad5ddf11c920930250f4abfd19df 100644
--- a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
@@ -71,8 +71,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
index da5047840c268ddc9a3f4424a3d49bc8ae657730..b7a17bcb6d437b364cfbac1ac216805326a38818 100644
--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
@@ -76,8 +76,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
index 8bf08108871363e68e26fa97f3ecb979b57dab97..2cc6f6c13d9594c6fa81f18194936f8bb31a71ca 100644
--- a/base/ca/shared/profiles/ca/caECDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
@@ -144,8 +144,10 @@ policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
 policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
-policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.signingCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.signingCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg
index a641e5800e73da16d3baa4952057f5164fa52f3c..14b6a527bd63cbab92581e60a232fc2effff1d16 100644
--- a/base/ca/shared/profiles/ca/caECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECUserCert.cfg
@@ -78,8 +78,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caEncECUserCert.cfg b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
index 66baa4bf86c31a7c4646448b9d59949dc50309f7..4b756011ca771996c80f53086ec9ffd48c869e54 100644
--- a/base/ca/shared/profiles/ca/caEncECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
@@ -70,8 +70,10 @@ policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
 policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
-policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.encryptionCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caEncUserCert.cfg b/base/ca/shared/profiles/ca/caEncUserCert.cfg
index e49faf24e49f364f536bbbb6b1bb30541465ad93..9c910df9ff09d0f3203e6bbfbd80e9661f6df42b 100644
--- a/base/ca/shared/profiles/ca/caEncUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caEncUserCert.cfg
@@ -72,8 +72,10 @@ policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
 policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
-policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.encryptionCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
index 2276f50003c688890d997c7177eeeb9152d004fc..e8ac8e30ba31f73480a5626f4d534e1d453c750e 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
@@ -71,8 +71,10 @@ policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
-policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.cmcUserCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
index 782df90610631c2d3bda75c158a230c23ed38206..3bd7a17763f16ea493e692425d529c5bceef3af9 100644
--- a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
+++ b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
index d5da9f599d8a2a7c28dd83688396a2ae4cd22792..adb6bfd68e407d5b576c4d812a0ee597dcb499e6 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
@@ -72,8 +72,10 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
-policyset.drmStorageCertSet.7.constraint.name=No Constraint
+policyset.drmStorageCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.drmStorageCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.drmStorageCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.drmStorageCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index 71935108080b8dce4fab2ef3901fa0f1582c2801..1d9588e076b078ab9bfb0858acee8d63ee2594d3 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -72,8 +72,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
index 4106c5feff9a030354fff73298881cd45155962f..4988556b47933fd3f18509635d3f9a99c2e96b78 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
@@ -74,8 +74,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
index 538c76071958b81ca5ca3b1a2fc33e2653e50181..ba81ff0e8fba780c2bd937dfc8b371e9cc6cedba 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
@@ -72,8 +72,10 @@ policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
 policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
-policyset.transportCertSet.7.constraint.name=No Constraint
+policyset.transportCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.transportCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.transportCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.transportCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caOtherCert.cfg b/base/ca/shared/profiles/ca/caOtherCert.cfg
index 839517a0251826048e35d880ddb1689b906dc230..750cb63053a9ff1d99c7a8002dfdf8535938c34a 100644
--- a/base/ca/shared/profiles/ca/caOtherCert.cfg
+++ b/base/ca/shared/profiles/ca/caOtherCert.cfg
@@ -71,8 +71,10 @@ policyset.otherCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.otherCertSet.6.default.params.keyUsageCrlSign=false
 policyset.otherCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.otherCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.otherCertSet.7.constraint.class_id=noConstraintImpl
-policyset.otherCertSet.7.constraint.name=No Constraint
+policyset.otherCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.otherCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.otherCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.otherCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.otherCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.otherCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caRACert.cfg b/base/ca/shared/profiles/ca/caRACert.cfg
index a3d8dc45f426c2274ae9dc519da1180185d93832..d81f27e8d3b7a17a422f2aa7ecbbc18e4c42d4f5 100644
--- a/base/ca/shared/profiles/ca/caRACert.cfg
+++ b/base/ca/shared/profiles/ca/caRACert.cfg
@@ -71,8 +71,10 @@ policyset.raCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.raCertSet.6.default.params.keyUsageCrlSign=false
 policyset.raCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.raCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.raCertSet.7.constraint.class_id=noConstraintImpl
-policyset.raCertSet.7.constraint.name=No Constraint
+policyset.raCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.raCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.raCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.raCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.raCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.raCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.raCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caRARouterCert.cfg b/base/ca/shared/profiles/ca/caRARouterCert.cfg
index 28407668699893edbcb517d3eba69e8b2db03195..1e9ad41fa5ef1a1dc86b51927959d4074c35b6cd 100644
--- a/base/ca/shared/profiles/ca/caRARouterCert.cfg
+++ b/base/ca/shared/profiles/ca/caRARouterCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caRAagentCert.cfg b/base/ca/shared/profiles/ca/caRAagentCert.cfg
index d330e6f0129c7e70673bb860fb3990af424f842f..83625a415de220d667da78cd580a4167ae059e01 100644
--- a/base/ca/shared/profiles/ca/caRAagentCert.cfg
+++ b/base/ca/shared/profiles/ca/caRAagentCert.cfg
@@ -72,8 +72,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caRAserverCert.cfg b/base/ca/shared/profiles/ca/caRAserverCert.cfg
index 297c001e327da0155875340acd48ad2fbdde1a0e..3f63e1afa443edf3dc79897ab4c87d785c320021 100644
--- a/base/ca/shared/profiles/ca/caRAserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caRAserverCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caRouterCert.cfg b/base/ca/shared/profiles/ca/caRouterCert.cfg
index 2400c69b8afeec11177717427016dee02ab2ee5a..6a59759bd4bdc4bf58672db2ed77f83f90691f55 100644
--- a/base/ca/shared/profiles/ca/caRouterCert.cfg
+++ b/base/ca/shared/profiles/ca/caRouterCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg
index 35254cb7538265d80709fda5580bc74435763c8d..7ee5ced50312171aedb84cbf435e1b6c126c5925 100644
--- a/base/ca/shared/profiles/ca/caServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caServerCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
index f470a1dc203582389c518bf06cbd17cdb832d7bd..fe78e636a22a7ea96c560eefc5b69de80969d729 100644
--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -70,8 +70,10 @@ policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
-policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.cmcUserCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg
index 3d99883cdfc8d4797cc0ddf14c4a0865f12eec68..346f989ce70585829c061fa895bee412c49df6ed 100644
--- a/base/ca/shared/profiles/ca/caStorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caStorageCert.cfg
@@ -71,8 +71,10 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
-policyset.drmStorageCertSet.7.constraint.name=No Constraint
+policyset.drmStorageCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.drmStorageCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.drmStorageCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.drmStorageCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caSubsystemCert.cfg b/base/ca/shared/profiles/ca/caSubsystemCert.cfg
index 41a710fc7eca0c59f4a3122e46c56fed6e8e83c8..3ce5e974327604e9e176ebfdeb1c13d1170ed5f3 100644
--- a/base/ca/shared/profiles/ca/caSubsystemCert.cfg
+++ b/base/ca/shared/profiles/ca/caSubsystemCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caTPSCert.cfg b/base/ca/shared/profiles/ca/caTPSCert.cfg
index bcc30a7fd8b88e2f9f1f12a0ad8fca4485ffe0ea..2c3793207e68fe049129eb22c5dd31dfe23ab37f 100644
--- a/base/ca/shared/profiles/ca/caTPSCert.cfg
+++ b/base/ca/shared/profiles/ca/caTPSCert.cfg
@@ -71,8 +71,10 @@ policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
 policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg b/base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg
index 37c9af5e02380635573c0e1d9642c8aa649cb55a..fe780db054fa98b316658f7a9fd37a9a8644e2f8 100644
--- a/base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg
+++ b/base/ca/shared/profiles/ca/caTokenMSLoginEnrollment.cfg
@@ -162,8 +162,10 @@ policyset.set1.p14.default.params.authInfoAccessADLocation_0=http://localhost.lo
 policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
 policyset.set1.p14.default.params.authInfoAccessCritical=false
 policyset.set1.p14.default.params.authInfoAccessNumADs=1
-policyset.set1.p15.constraint.class_id=noConstraintImpl
-policyset.set1.p15.constraint.name=No Constraint
+policyset.set1.p15.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.set1.p15.constraint.name=Extended Key Usage Extension
+policyset.set1.p15.constraint.params.exKeyUsageCritical=false
+policyset.set1.p15.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
 policyset.set1.p15.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.set1.p15.default.name=Extended Key Usage Extension Default
 policyset.set1.p15.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caTransportCert.cfg b/base/ca/shared/profiles/ca/caTransportCert.cfg
index 466e2b313316023db9fdc3e9620a73fafbff63c0..8cc4bc13cdaf80825e3b83a307488fb9d66cddb3 100644
--- a/base/ca/shared/profiles/ca/caTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caTransportCert.cfg
@@ -71,8 +71,10 @@ policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
 policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
-policyset.transportCertSet.7.constraint.name=No Constraint
+policyset.transportCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.transportCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.transportCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.transportCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
index fcc9ffc0858af649144b4943bfd3f2eeed4fd1a2..5e8d713c9e0e23f828d1b0317e82e7b65e0617a6 100644
--- a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
+++ b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
@@ -72,8 +72,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg
index 0fdc451ca03471116eeed7416cf9f71a42f254a3..78f10f19d563b8bba7b54119aae3b0b08b0d9d63 100644
--- a/base/ca/shared/profiles/ca/caUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caUserCert.cfg
@@ -78,8 +78,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
diff --git a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
index 06271e4761d8d2bf1291e24a959c62b035c6781e..1b85d9510aac53c367e44a1a57031dccc3034836 100644
--- a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
+++ b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
@@ -78,8 +78,10 @@ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.userCertSet.7.constraint.class_id=noConstraintImpl
-policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.userCertSet.7.constraint.name=Extended Key Usage Extension
+policyset.userCertSet.7.constraint.params.exKeyUsageCritical=false
+policyset.userCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.userCertSet.7.default.params.exKeyUsageCritical=false
-- 
1.9.3

-------------- next part --------------
>From b48fab050b1757fa3aacf590bd8cf8f546a2b210 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase at frase.id.au>
Date: Tue, 27 May 2014 18:47:40 -0400
Subject: [PATCH] Copy Extended Key Usage from CSR when present

The ExtendedKeyUsageExtDefault profile policy ignores whatever
Extended Key Usage appears in the certificate request, surprising
Certmonger users who request a specific EKU.

Update the ExtendedKeyUsageExtDefault class to use the Extended Key
Usage extension from the CSR when it is present, and to fall back to
the configured default EKU when the extension does not appear.

As a result of this change, profile policies should now rely on
ExtendedKeyUsageExtConstraint to reject CSRs with unreasonable EKU
purposes.

https://fedorahosted.org/freeipa/ticket/2915
---
 .../cms/profile/def/ExtendedKeyUsageExtDefault.java       | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
index 22f00eb940910fdd644e12f11eb3beb907cabfb2..e4d59871cbba7d39d9bde3aa6f686edd67a240d1 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
@@ -23,11 +23,13 @@ import java.util.StringTokenizer;
 
 import netscape.security.extensions.ExtendedKeyUsageExtension;
 import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertificateExtensions;
 import netscape.security.x509.X509CertInfo;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.property.Descriptor;
 import com.netscape.certsrv.property.EPropertyException;
@@ -219,7 +221,18 @@ public class ExtendedKeyUsageExtDefault extends EnrollExtDefault {
      */
     public void populate(IRequest request, X509CertInfo info)
             throws EProfileException {
-        ExtendedKeyUsageExtension ext = createExtension();
+        CertificateExtensions inExts =
+            request.getExtDataInCertExts(IEnrollProfile.REQUEST_EXTENSIONS);
+        if (inExts == null)
+            return;
+
+        // read EKU from request
+        ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension)
+            getExtension(ExtendedKeyUsageExtension.OID, inExts);
+
+        // if no EKU in request, create default EKU extension
+        if (ext == null)
+            ext = createExtension();
 
         addExtension(ExtendedKeyUsageExtension.OID, ext, info);
     }
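Review bot: The `if (inExts == null) return;` added at the top of populate() is a regression: a request that carries no extension block at all now gets no ExtendedKeyUsage extension whatsoever, whereas before this change the configured default was always added, and a certificate without any EKU is accepted for more purposes by many verifiers than one with the profile's default. A missing extension block should be treated exactly like a missing EKU extension, so the null case should fall through to createExtension() rather than return. The unchecked cast on `getExtension(ExtendedKeyUsageExtension.OID, inExts)` may also throw ClassCastException if the request's extension was not decoded into an ExtendedKeyUsageExtension (that depends on the OID map configured at runtime, which this hunk does not show), so an instanceof guard is safer. Note as well that the copied extension keeps the criticality the requester chose, and that enforcement now rests entirely on the profile's constraint, so any deployed or custom profile still using noConstraintImpl will issue whatever EKU the CSR asks for; the upgrade story for such profiles is not addressed by this patch.
```java
    public void populate(IRequest request, X509CertInfo info)
            throws EProfileException {
        CertificateExtensions inExts =
            request.getExtDataInCertExts(IEnrollProfile.REQUEST_EXTENSIONS);

        // read EKU from request; a request with no extension block at all
        // is treated the same as a request without an EKU extension
        ExtendedKeyUsageExtension ext = null;
        if (inExts != null) {
            Object reqExt = getExtension(ExtendedKeyUsageExtension.OID, inExts);
            if (reqExt instanceof ExtendedKeyUsageExtension)
                ext = (ExtendedKeyUsageExtension) reqExt;
        }

        // if no (usable) EKU in request, create default EKU extension
        if (ext == null)
            ext = createExtension();

        addExtension(ExtendedKeyUsageExtension.OID, ext, info);
    }
```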
-- 
1.9.3


