[gnutls-devel] GnuTLS | enable SMIMECapabilities when generating certificates (#863)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Nov 26 08:17:25 CET 2019



Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/issues/863



## Description of the feature:
[RFC 4262](https://tools.ietf.org/html/rfc4262) indicates an X.509v3 extension for storing SMIME capabilities in an X.509 certificate.

[RFC 8551](https://tools.ietf.org/html/rfc8551) defines the values that can go in that extension.

The extension OID is:

```
smimeCapabilities OBJECT IDENTIFIER ::=
         {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) 15}
```

For example, a capability we might have could be represented in the certtool template, conditioned to only be requested if `email_protection_key` is set:

`smime_compress_zlib` -- if it is set in the template, and `email_protection_key` is set, then it would add an S/MIME Capabilities X.509v3 extension (or append to any existing one), containing the `id-alg-zlibCompression` OID from [RFC 3274](https://tools.ietf.org/html/rfc3274):

```
      id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2)
        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 }
```

and if `smime_authenc_aesgcm256` is set in the template, and `email_protection_key` is set, then it would add an S/MIME Capabilities X.509v3 extension (or append to any existing one), containing the appropriate identifier from [RFC 5084](https://tools.ietf.org/html/rfc5084).

(alternately, if you think the user should be able to set the ordering, we could define a fancier configuration syntax that knows a set of S/MIME capabilities, and allows the user to identify them in a list in the template, like so:

    smime_capabilities = aesgcm256,zlib

But I think the single flag (and making sensible ordering choices) fits more closely with the current certtool template interface.)

## Applications that this feature may be relevant to:
Using certtool-generated X.509 certificate for e-mail purposes with S/MIME.

## Is this feature implemented in other libraries (and which)

I believe this can be achieved by some complicated gymnastics in OpenSSL's configuration syntax, but

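As an added example (not code from the issue or from GnuTLS), the following encodes the SMIMECapabilities extension described above in DER and parses it back, so the capability list a generated certificate advertises can be checked. It assumes the proposed template keywords `zlib` and `aesgcm256` map to the RFC 3274 and RFC 5084 OIDs; the dotted value for id-aes256-GCM is supplied here and is not quoted in the issue.

```python
# The extension OID and the zlib capability OID are the ones quoted in the issue; id-aes256-GCM
# (RFC 5084) is supplied by this example. The keywords follow the proposed template syntax.
OID_SMIME_CAPABILITIES = "1.2.840.113549.1.9.15"
CAPABILITY_OIDS = {"zlib": "1.2.840.113549.1.9.16.3.8", "aesgcm256": "2.16.840.1.101.3.4.1.46"}

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:  # short-form length
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits count the length bytes that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def encode_oid(dotted: str) -> bytes:
    # First two arcs share one byte; remaining arcs are big-endian base 128 with continuation bits.
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_smime_capabilities(names) -> bytes:
    # SMIMECapabilities ::= SEQUENCE OF SMIMECapability { capabilityID OID }, parameters omitted.
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(CAPABILITY_OIDS[n])) for n in names))
def encode_extension(names) -> bytes:
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }; critical keeps DEFAULT FALSE.
    return _tlv(0x30, encode_oid(OID_SMIME_CAPABILITIES) + _tlv(0x04, encode_smime_capabilities(names)))

def decode_smime_capabilities(der: bytes) -> list:
    # Return the advertised capabilities in order: keyword if known, else hex of the OID's DER.
    known = {encode_oid(oid): name for name, oid in CAPABILITY_OIDS.items()}
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        cap_tag, cap, pos = _read_tlv(seq, pos)
        oid_tag, _, end = _read_tlv(cap, 0)
        if cap_tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed SMIMECapability")
        names.append(known.get(cap[:end], cap[:end].hex()))
    return names
```

`encode_extension(["aesgcm256", "zlib"])` yields the DER an implementation would place in the certificate's extension list, with the ordering taken from the template.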



