mozilla / tls-observatory

An observatory for TLS configurations, X509 certificates, and more.
Mozilla Public License 2.0

Please correct the IsTechnicallyConstrained logic in the certificate tool #432

Open WilsonKathleen opened 2 years ago

WilsonKathleen commented 2 years ago

The TLS Observatory certificate tool is not giving the correct IsTechnicallyConstrained result for some certificates. For example, when a certificate only has 1.3.6.1.4.1.311.10.3.12 in the EKU, the tool should return true in IsTechnicallyConstrained.

The logic for IsTechnicallyConstrained should match the policy here: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#531-technically-constrained

To summarize the logic that should be in the code...

1) IsTechnicallyConstrained is false when the certificate does not contain the EKU extension.

2) IsTechnicallyConstrained is false when the EKU extension contains the anyExtendedKeyUsage KeyPurposeId (2.5.29.37.0. 2)

3) IsTechnicallyConstrained is true when the EKU extension is present and does NOT contain either the id-kp-serverAuth KeyPurposeId (1.3.6.1.5.5.7.3.1) or the id-kp-emailProtection KeyPurposeId (1.3.6.1.5.5.7.3.4).

4) If the EKU includes the id-kp-serverAuth KeyPurposeId, then IsTechnicallyConstrained can only be true if there is at least one dNSName, iPAddress range or DirectoryName in permittedSubtrees in the Name Constraints extension. (for details see section 7.1.5 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf)

5) If the EKU includes the id-kp-emailProtection KeyPurposeId, then IsTechnicallyConstrained can only be true if the Name Constraints extension has constraints on rfc822Name with at least one name in permittedSubtrees.

Background:

This issue is in regards to: https://tls-observatory.services.mozilla.com/api/v1/certificate We use this tool to add certificates to the Common CA Database (CCADB).

Example: curl -X POST -F certificate=@SECOMpassportPlusCA1G1.pem https://tls-observatory.services.mozilla.com/api/v1/certificate

In this example, SECOMpassportPlusCA1G1.pem is the PEM for the “SECOM Passport Plus CA1 G1” certificate, e.g. https://crt.sh/?d=6670931376

The result has "mozillaPolicyV2_5":{"IsTechnicallyConstrained":false}} But it should be true.
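The five rules listed in the issue, worked through as an added Go example (this is not tls-observatory's own code). It builds constructed self-signed test CAs with the standard crypto/x509 package, one per case from the report, including a CA whose only EKU is 1.3.6.1.4.1.311.10.3.12, and runs an IsTechnicallyConstrained function over the parsed result. The function name, the case labels and the test subjects are assumptions of this example. One caveat a practitioner should know: crypto/x509 exposes dNSName, iPAddress and rfc822Name permitted subtrees but not DirectoryName, so a CA constrained only by DirectoryName (allowed under rule 4) is reported as not constrained by this code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// id-ce-extKeyUsage (2.5.29.37): used to detect whether the EKU extension is present at all.
var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

// Microsoft Document Signing (1.3.6.1.4.1.311.10.3.12), the EKU named in the issue.
var oidMSDocumentSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 12}

// hasEKUExtension implements rule 1: the extension itself must exist.
func hasEKUExtension(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidExtKeyUsage) {
			return true
		}
	}
	return false
}

// hasEKU reports whether a KeyPurposeId that crypto/x509 knows appears in the parsed EKU list.
func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// IsTechnicallyConstrained applies the five rules from the issue (assumed name).
// Limitation: crypto/x509 does not surface DirectoryName permitted subtrees,
// so a serverAuth CA constrained only by DirectoryName is reported as false here.
func IsTechnicallyConstrained(c *x509.Certificate) bool {
	if !hasEKUExtension(c) { // rule 1: no EKU extension
		return false
	}
	if hasEKU(c, x509.ExtKeyUsageAny) { // rule 2: anyExtendedKeyUsage present
		return false
	}
	// rule 4: serverAuth requires a dNSName or iPAddress entry in permittedSubtrees
	if hasEKU(c, x509.ExtKeyUsageServerAuth) &&
		len(c.PermittedDNSDomains) == 0 && len(c.PermittedIPRanges) == 0 {
		return false
	}
	// rule 5: emailProtection requires an rfc822Name entry in permittedSubtrees
	if hasEKU(c, x509.ExtKeyUsageEmailProtection) && len(c.PermittedEmailAddresses) == 0 {
		return false
	}
	return true // rule 3, or serverAuth/emailProtection with the required constraints
}

// selfSignedCA turns a template into a parsed, self-signed CA (constructed test data only).
func selfSignedCA(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(1)
	tmpl.Subject = pkix.Name{CommonName: "constructed test CA"}
	tmpl.NotBefore = time.Now()
	tmpl.NotAfter = tmpl.NotBefore.Add(time.Hour)
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Evaluate builds one constructed CA per case from the issue and returns the verdict for each.
func Evaluate() (map[string]bool, error) {
	_, docRange, _ := net.ParseCIDR("192.0.2.0/24") // RFC 5737 documentation range
	server := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	email := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	cases := map[string]*x509.Certificate{
		"no EKU extension":                     {},
		"anyExtendedKeyUsage":                  {ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}},
		"documentSigning only":                 {UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidMSDocumentSigning}},
		"serverAuth, no name constraints":      {ExtKeyUsage: server},
		"serverAuth, dNSName subtree":          {ExtKeyUsage: server, PermittedDNSDomains: []string{"example.com"}},
		"serverAuth, iPAddress subtree":        {ExtKeyUsage: server, PermittedIPRanges: []*net.IPNet{docRange}},
		"emailProtection, no name constraints": {ExtKeyUsage: email},
		"emailProtection, rfc822Name subtree":  {ExtKeyUsage: email, PermittedEmailAddresses: []string{"example.com"}},
		"serverAuth+emailProtection, dNSName only": {
			ExtKeyUsage:         append(append([]x509.ExtKeyUsage{}, server...), email...),
			PermittedDNSDomains: []string{"example.com"},
		},
	}
	out := make(map[string]bool, len(cases))
	for name, tmpl := range cases {
		cert, err := selfSignedCA(tmpl)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = IsTechnicallyConstrained(cert)
	}
	return out, nil
}

func main() {
	results, err := Evaluate()
	if err != nil {
		panic(err)
	}
	for name, constrained := range results {
		fmt.Printf("%-42s IsTechnicallyConstrained=%v\n", name, constrained)
	}
}
```

Rule 1 is checked on the raw extension list rather than on the parsed ExtKeyUsage slice, so an EKU extension holding only OIDs that crypto/x509 does not recognise (the document-signing case) still counts as present; that is exactly the case the issue reports as mis-evaluated.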