Only x509 certificates v3 allowed for CMP

[kyberpunk]

Hi all, I've setup CMP endoint with EndEntityCertificate authentication module and use certificates from external CA for authentication. These certificates are generated with x509 version 1. I get the following error from EndEntityCertificateAuthenticationModule:

ERROR [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-2) Exception during CMP processing: .: java.lang.IllegalArgumentException: only version 3 certificates allowed

I seems to be coming from Bouncy castle: https://github.com/chenpanyu/tools/blob/master/bouncycastle/src/main/java/org/bouncycastle/asn1/cmp/CMPCertificate.java#L50.

Is this expected behavior? Is there any way how to overcome the issues to make it work with certificates version 1?
Thank you.

[primetomas]

I believe you should look at the application that produces anything else than v3 certificates. X.509 v1 was deprecated 30 years ago, generating v1 certificates will cause unimaginable trouble. Most applications and standard only support X.509 v3.

I haven't seen anything generate non v3 certificates since the early 90s. Such certificates can not be used by TLS or most signature applications because they require extensions such as KeyUsage or SubjectAlternativeName, etc. V1 certificates can only be consumed by custom applications and are thus not suitable for usage with CMP.

In the case of CMP the standard defines the usage of x509v3 certificate.
https://datatracker.ietf.org/doc/html/rfc4210#appendix-F
CMPCertificate ::= CHOICE {
x509v3PKCert Certificate
}

In RFC5280, the only certificate version number required to be recognized by an application is v3(2):
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1
Although technically it's correct ASN.1 with v1(0), applications are not required to support that.

If you don't mind me asking, what kind of External CA generate v1 certificates?
I would guess is that it was unintended to issue a X.509v1 certificate and that the authentication certificate should be re-issued as v3.

Here's the official BC source btw: https://github.com/bcgit/bc-java/blob/main/util/src/main/java/org/bouncycastle/asn1/cmp/CMPCertificate.java#L52

Cheers,
Tomas

[kyberpunk]

Thanks for a reply, agree with you, this is also my first experience with such certificates. Let's say they were generated by legacy company infrastructure and we cannot easily replace them now, so I was searching for some workaround.

[primetomas]

I understand. If the CA cert itself is v1 it’s not rfc5280 compliant. On the other hand, it couldn’t be that it only functions as a CSR stamping machine and you could create a CSR with the fields you need? Otherwise I feel sorry for you, I don’t know a workaround. Perhaps use shared secret for CMP authentication instead to avoid using that cert?

[kyberpunk]

Yes, I will probably use end entity passwords instead in this case. Thanks.