Skip to content

S/MIME Baseline Requirements Sample Certificate Generator by jsrsasign

License

Notifications You must be signed in to change notification settings

kjur/smbr-cert-generator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

S/MIME Baseline Requirements Sample Certificate Generator by jsrsasign

Overview

This project provides generator for certificates and CRLs conforming to CA/Browser Forum S/MIME Baseline Requirements inspired by smbr-cert-factory project.

Certificates and CRLs will be generated using pure JavaScript jsrsasign PKI library.

Requirements

Generator scripts requires Node.JS and /bin/sh.

How to generate certificates and CRLs

Download the package from here. Then run following:

% unzip smbr-cert-generator-main.zip
% cd smbr-cert-generator-main
% cd data
% npm install jsrsasign jsrsasign-util
% sh ./makecert.sh

You can see generated certificates and CRLs in ../artifacts directory.

Certificate and CRL Customization

All of certificate and CRL parameters are defined as JSON in data directory. So you can modify and add them such as validity period, names, mail addresses or extensions. Here is a data/mailbox-validated_strict.json:

{
  "version": 3,
  "serial": {"hex": "7b2c41983c7f8e0f82fc8fb7b1aedde23882ad4c"},
  "sigalg": "SHA256withRSA",
  "issuer": {
    "str": "/C=US/O=Foo Industries Limited/CN=Intermediate CA",
    "array": [
      [{"type": "C", "ds": "prn", "value": "US"}],
      [{"type": "O", "ds": "utf8", "value": "Foo Industries Limited"}],
      [{"type": "CN", "ds": "utf8", "value": "Intermediate CA"}]
    ]
  },
  "notbefore": "230419000000Z",
  "notafter": "230718235959Z",
  "subject": {
    "str": "/[email protected]/[email protected]",
    "array": [
      [{"type": "CN", "ds": "utf8", "value": "[email protected]"}],
      [{"type": "E", "ds": "ia5", "value": "[email protected]"}]
    ]
  },
  "sbjpubkey": "testRSA2048.p8.pub",
  "ext": [
    {
      "extname": "basicConstraints",
      "critical": true
    },
    {
      "extname": "keyUsage",
      "critical": true,
      "names": ["digitalSignature"]
    },
    {
      "extname": "authorityKeyIdentifier",
      "kid": "testRSA4096.p8.pub"
    },
    {
      "extname": "subjectKeyIdentifier",
      "kid": "testRSA2048.p8.pub"
    },
    {
      "extname": "certificatePolicies",
      "array": [{"policyoid": "smimeMailboxStrict"}]
    },
    {
      "extname": "cRLDistributionPoints",
      "array": [
        {"dpname": {"full": [{"uri": "http://crl.ca.example.com/issuing_ca_crl.crl"}]}}
      ]
    },
    {
      "extname": "authorityInfoAccess",
      "array": [{"caissuer": "http://repository.ca.example.com/issuing_ca.der"}]
    },
    {
      "extname": "extKeyUsage",
      "array": ["emailProtection"]
    },
    {
      "extname": "subjectAltName",
      "array": [
        {"rfc822": "[email protected]"},
        {
          "other": {
            "oid": "smtpUTF8Mailbox",
            "value": {"utf8str": {"str": "山田花子@example.com"}}
          }
        }
      ]
    }
  ],
  "cakey": "testRSA4096.p5p.prv"
}

Private and Public Keys

All of private key are defined in the IETF Internet-Draft Standard PKC Test Keys and their files are stored in data directory.

Public key files are generated from them by openssl command.

% openssl rsa -in testRSA4096.p5p.prv -pubout -out testRSA4096.p8.pub
% openssl ec -in testP256.p5p.prv -pubout -out testP256.p8.pub

Trust Model

classDiagram
  direction LR
  class RootCA {
    CN=Root CA, O=Foo Industries Limited, C=US
    key=testECCP256
  }
  class IssuingCA {
    CN=Intermediate CA, O=Foo Industries Limited, C=US
    key=testRSA4096
  }
  class EndEntities {
    key=testRSA2048
  }
RootCA --|> IssuingCA
IssuingCA --|> EndEntities
Loading

Sample Certificate Field Difference Table

Difference among S/MIME BR sample certificate fields is shown in the following table:

Field Mailbox Organization Sponsored Individual
Strict Multi Legacy Strict Multi Legacy Strict Multi Legacy Strict Multi Legacy
Subject E o o o o o o o o o o o o
Subject CN email email email - - - fullname fullname fullname fullname fullname fullname
Subject SN - - - - - - o o o o o -
Subject GN - - - - - - o o o o o -
Subject O - - - o o o o o o - - -
Subject organizationIdentifier - - - o o o o o o - - -
Subject Other(DC) - - - - - o - - o - - o
Certificate Policies specific specific specific specific specific specific specific specific specific specific specific specific
EKU emailProtection o o o o o o o o o o o o
EKU clientAuth - o o - o o - o o - o o
CRLDistributionPoints HTTP o o o o o o o o o o o o
CRLDistributionPoints LDAP - - o - - o - - o - - o
SAN RFC822 o o o o o o o o o o o o
SAN Other smtpUTF8Mbox o o o o o o o o o o o o
SAN Other UPN - o o - - o - o o - o o
SAN DN CN - - - - - - fullname fullname fullname fullname fullname fullname
SAN DN SN - - - - - - o o o o o -
SAN DN GN - - - - - - o o o o o -
SAN DN O - - - o o o o o o - - -
SAN DN organizationIdentifier - - - o o o o o o - - -
LEI - - - - - - o o o - - -
Role - - - - - - o o o - - -
SubjectDirectoryAttributes - - o - - o - - o - - o

View Generated Certificates

Root CA Intermediate CA
view view
Strict Multi Purpose Legacy
Mailbox view view view
Organization view view view
Sponsored view view view
Individual view view view

Difference between smbr-cert-factory project and this project

  • longer validity period in certs and CRLs (rootCA, interediateCA: 11yrs, legacy:1185days, strict,multi:825days) from Apr 1, 2023.
  • add missing {mailbox,organization,sponsored}-validated_legacy certificates

ToDo

  • Current jsrsasign can only handle LEI and Role extension in primitive way. This needs jsrsasign update.

About

S/MIME Baseline Requirements Sample Certificate Generator by jsrsasign

Resources

License

Stars

Watchers

Forks

Packages

No packages published