I would like to add EmailAddress to my PKCS10 CSR:

        .addRDN( BCStrictStyle.EmailAddress, emailAddr )

Why does the Bouncy/Spongey spec say the following?:

org.spongycastle.asn1.x500.style.BCStyle public static final org.spongycastle.asn1.ASN1ObjectIdentifier EmailAddress Email address (RSA PKCS#9 extension) - IA5String. Note: if you're trying to be ultra orthodox, don't use this! It shouldn't be in here.

Is there something "wrong" with adding the EmailAddr to the x500name as part of a CSR?

If there is, then how should I properly add the EmailAddr to my CSR?

JDOaktown

2 Answers

The reason for the warning is that the latest X.509 specifications require mail addresses to be put in the subjectAlternativeName extension.

Quote from RFC5280:

Legacy implementations exist where an electronic mail address is embedded in the subject distinguished name as an emailAddress attribute [RFC2985]. The attribute value for emailAddress is of type IA5String to permit inclusion of the character '@', which is not part of the PrintableString character set. emailAddress attribute values are not case-sensitive (e.g., "subscriber@example.com" is the same as "SUBSCRIBER@EXAMPLE.COM").

Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities. Simultaneous inclusion of the emailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.

As you are creating a CSR and not a certificate, I wouldn't worry much about it. Few CAs can (or rather want to) process extensions in CSRs anyway.

Omikron

To expand on Omikron's answer: I create an x500name for our own specs:

import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x500.X500NameBuilder;
import org.spongycastle.asn1.x500.style.BCStrictStyle;
import org.spongycastle.asn1.x500.style.BCStyle;

// Subject DN for the request. The emailAddress RDN stays commented out: per RFC 5280
// the address belongs in the subjectAltName extension instead (see genCSR).
static private X500Name getX500Name(){
    final String testPostalCode = "94602-4105";
    return new X500NameBuilder( BCStrictStyle.INSTANCE )
            .addRDN( BCStyle.CN, Alias )
            //.addRDN( BCStrictStyle.EmailAddress, emailAddr )   // deprecated legacy form
            .addRDN( BCStrictStyle.POSTAL_CODE, testPostalCode )
            .addRDN( BCStrictStyle.SERIALNUMBER, deviceID )
            .addRDN( BCStrictStyle.C, deviceID )
            .build();
}//getX500Name

and I put the email addr into the extension:

//https://msdn.microsoft.com/en-us/library/windows/desktop/aa376502(v=vs.85).aspx
// http://stackoverflow.com/questions/20532912/generating-the-csr-using-bouncycastle-api
// http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation#X.509PublicKeyCertificateandCertificationRequestGeneration-SubjectAlternativeName
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyStoreException;
import java.security.PublicKey;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.ExtensionsGenerator;
import org.spongycastle.asn1.x509.GeneralName;
import org.spongycastle.asn1.x509.GeneralNames;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

static public PKCS10CertificationRequest genCSR(){
    KeyPair pair = getKeyPair();
    PKCS10CertificationRequestBuilder p10Builder;
    ContentSigner signer;

    try{
        // rfc822Name inside subjectAltName is where RFC 5280 wants the e-mail address
        GeneralNames subjectAltName = new GeneralNames(
                new GeneralName( GeneralName.rfc822Name, emailAddr ) );

        // In a PKCS#10 request an extension is not an attribute by itself: the requested
        // extensions are wrapped in the pkcs-9 extensionRequest attribute, which is the
        // attribute a CA actually looks for. Adding the SAN OID as a bare attribute holding
        // a DEROctetString is silently ignored by CAs.
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension( Extension.subjectAlternativeName, false, subjectAltName );

        PublicKey publicKey = getKeyStore().getCertificate( certKeyAlias ).getPublicKey();
        p10Builder = new JcaPKCS10CertificationRequestBuilder( getX500Name(), publicKey )
                .addAttribute( PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate() )
                .setLeaveOffEmptyAttributes( true );

        // the JCA algorithm name is a String; it must match the key type (EC key here)
        JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder( "SHA256withECDSA" );
        signer = csBuilder.build( pair.getPrivate() );
    }catch ( KeyStoreException | OperatorCreationException | IOException X ){
        pkException CRYPTOERR = new pkException( pkErrCode.CRYPTO ).set( "registrations err", X );
        mLog.error( CRYPTOERR.toString() );
        throw CRYPTOERR;
    }

    PKCS10CertificationRequest CSR = p10Builder.build( signer );
    return CSR;
}//genCSR
JDOaktown
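As an added example that is not part of either answer, here is the receiving side: how a CA or a validator reads back a request like the one above, checking the proof-of-possession signature first, pulling the rfc822Name out of the pkcs-9 extensionRequest attribute (where a CA looks for requested extensions), and flagging the deprecated emailAddress RDN when it is not mirrored in the SAN. The class name CsrEmailCheck and the "DN-only address is a policy failure" rule are this example's own assumptions; the org.spongycastle packages match the question, substitute org.bouncycastle on the desktop distribution.

```java
import java.util.ArrayList;
import java.util.List;
import org.spongycastle.asn1.pkcs.Attribute;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.asn1.x500.RDN;
import org.spongycastle.asn1.x500.style.BCStyle;
import org.spongycastle.asn1.x500.style.IETFUtils;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.Extensions;
import org.spongycastle.asn1.x509.GeneralName;
import org.spongycastle.asn1.x509.GeneralNames;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.PKCSException;

// Hypothetical helper: what a CA / validator does with an incoming CSR before trusting its names.
public final class CsrEmailCheck {

    /** Returns the lower-cased rfc822Name entries the CSR asks for, or throws if it is not acceptable. */
    public static List<String> requestedEmails(PKCS10CertificationRequest csr)
            throws PKCSException, OperatorCreationException {
        // 1. Proof of possession: the request must verify under its own embedded public key.
        if (!csr.isSignatureValid(
                new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo()))) {
            throw new SecurityException("CSR self-signature does not verify");
        }

        // 2. Requested extensions live in the pkcs-9 extensionRequest attribute, never as bare attributes.
        List<String> emails = new ArrayList<>();
        for (Attribute attr : csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            Extensions exts = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
            GeneralNames san = GeneralNames.fromExtensions(exts, Extension.subjectAlternativeName);
            if (san == null) continue;
            for (GeneralName gn : san.getNames()) {
                if (gn.getTagNo() == GeneralName.rfc822Name) {
                    // RFC 5280: e-mail comparison is case-insensitive, so normalise once here.
                    emails.add(gn.getName().toString().toLowerCase());
                }
            }
        }

        // 3. Legacy form: emailAddress RDN in the subject DN (deprecated but permitted). This example's
        //    policy (an assumption): accept it only when the same address is also in the SAN.
        for (RDN rdn : csr.getSubject().getRDNs(BCStyle.EmailAddress)) {
            String legacy = IETFUtils.valueToString(rdn.getFirst().getValue()).toLowerCase();
            if (!emails.contains(legacy)) {
                throw new SecurityException("subject emailAddress " + legacy + " is not in subjectAltName");
            }
        }
        return emails;
    }
}
```

Feeding the request produced by genCSR to requestedEmails yields a one-element list containing emailAddr in lower case; a request built with the original DEROctetString attribute instead yields an empty list, which is exactly what a CA would see.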