Per the RFC 5272 "Full PKI Request" description, SignedData could be used with "a previously certified signature key".
As a provision for Proof of Origin for non-signing cert requests, this is the solution to allow non-signing CMC cert requests to be signed by a previously-issued signing certificate of the same subjectDN.
The server should be able to
The expected workflow is that, with the feature provided in https://pagure.io/dogtagpki/issue/2613, a signing cert is issued to an entity, whereby Proof of Origin was completed; from here on, any non-signing cert requests belonging to the same entity can be "origin-proved" by signing them with the initial signing certificate.
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1419756
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: 2
Metadata Update from @mharmsen:
- Custom field component adjusted to CMC (was: General)
- Custom field origin adjusted to RHCust (was: Community)
- Custom field type adjusted to enhancement (was: defect)
Metadata Update from @cfu: - Issue assigned to cfu
commit 3ff9de6a517d7fdcdee6c4a8c884eff052f8f824
Author: Christina Fu <cfu@redhat.com>
Date:   Fri Apr 28 17:55:17 2017 -0700

Ticket #2717 CMC user-signed enrollment request

This patch provides an implementation that allows user-signed CMC requests to be processed. The resulting certificate will bear the same subjectDN as that of the signing cert. The new URI to access is /ca/ee/ca/profileSubmitUserSignedCMCFull, where the new profile is to be used: caFullCMCUserSignedCert.cfg, which utilizes the new authentication plugin CMCUserSignedAuth, the new profile default plugin CMCUserSignedSubjectNameDefault and the new profile constraint plugin CMCUserSignedSubjectNameConstraint.
Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
commit f31ad87440332845e7e5a1d6ea1f092fefd9eef1
Author: Christina Fu <cfu@redhat.com>
Date:   Fri Apr 28 20:05:44 2017 -0700

Ticket #2617: added the new caFullCMCUserSignedCert profile in CS.cfg
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.3 (was: 10.4)
On 06/03/2017, cfu wrote:
While working on CMC revocation, I found out that the method I was using in CMCUserSignedAuth does not validate the cert for validity and revocation status (I thought it would). I have put together a patch this morning to add the checks.
mharmsen re-opened this ticket.
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4 (was: 10.4.3)
- Issue status updated to: Open (was: Closed)
Metadata Update from @mharmsen: - Issue priority set to: blocker (was: critical)
This patch adds the missing revocation check (and possibly validity check). The code that CMCUserSignedAuth originated from, CMCAuth, has a confusing comment right above the CryptoManager.isCertValid() call, where it states "// verify signer's certificate using the revocator", which misled me into believing that the call checks for revocation status.
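The two sets of checks this ticket is about, the same-subjectDN rule from the description and the validity and revocation checks that the comment above adds to the signing cert, worked through as an added example written for this page in Go against the standard library. It is not Dogtag code and does not use JSS, CMCAuth or CMCUserSignedAuth. It assumes the CMS signature over the CMC request has already been verified against the signer's public key, that the CA publishes a CRL, and that the requested subject is compared to the signer's subject as DER bytes; the CA, alice's signing certificate, the CRL and the DNs are all constructed inside the block.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Distinct errors so a caller (or a test) can see which check rejected the request.
var (
	ErrChain           = errors.New("signer cert does not chain to the CA or is outside its validity period")
	ErrCRL             = errors.New("CRL is stale or not signed by the CA")
	ErrRevoked         = errors.New("signer cert is revoked")
	ErrSubjectMismatch = errors.New("requested subject differs from the signer cert subject")
)

// validateUserSignedRequest applies the checks a CA should make on the certificate
// that signed a user-signed CMC request before treating that signature as proof of
// origin. The CMS signature itself is assumed to be verified already (assumption).
func validateUserSignedRequest(requestSubjectDER []byte, signer, ca *x509.Certificate,
	crl *x509.RevocationList, now time.Time) error {
	// 1. Chain and validity period. x509.Verify checks neither revocation nor
	//    the CRL, so revocation is a separate step below.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("%w: %v", ErrChain, err)
	}
	// 2. Revocation: a current, CA-signed CRL must not list the signer's serial.
	if crl.CheckSignatureFrom(ca) != nil || now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return ErrCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	// 3. The requested subjectDN must be byte-identical to the signer's subjectDN.
	if !bytes.Equal(requestSubjectDER, signer.RawSubject) {
		return ErrSubjectMismatch
	}
	return nil
}

// must panics on error; it only keeps the constructed fixture below short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// subjectDER encodes a Name the way a CSR or certificate carries it.
func subjectDER(n pkix.Name) []byte { return must(asn1.Marshal(n.ToRDNSequence())) }

var aliceDN = pkix.Name{CommonName: "alice", Organization: []string{"Example"}}

// buildFixture constructs a CA, the signing cert it issued to alice, and a CRL that
// optionally revokes that cert. Keys are generated at run time; none of it is real PKI material.
func buildFixture(now time.Time, revokeSigner bool) (ca, signer *x509.Certificate, crl *x509.RevocationList) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// alice's previously issued signing cert: the proof-of-origin anchor.
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: aliceDN, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	signer = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeSigner {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: signer.SerialNumber, RevocationTime: now}}
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return ca, signer, crl
}

// runScenarios exercises each check and returns the outcome per case.
func runScenarios() map[string]error {
	now := time.Now()
	ca, signer, crl := buildFixture(now, false)
	rCA, rSigner, rCRL := buildFixture(now, true)
	bobDN := pkix.Name{CommonName: "bob", Organization: []string{"Example"}}
	return map[string]error{
		"valid":    validateUserSignedRequest(subjectDER(aliceDN), signer, ca, crl, now),
		"revoked":  validateUserSignedRequest(subjectDER(aliceDN), rSigner, rCA, rCRL, now),
		"expired":  validateUserSignedRequest(subjectDER(aliceDN), signer, ca, crl, now.Add(48*time.Hour)),
		"mismatch": validateUserSignedRequest(subjectDER(bobDN), signer, ca, crl, now),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```

x509.Verify covers chain building and the validity window but says nothing about revocation, which is the same gap the isCertValid() comment hid; the CRL lookup therefore has to be its own step, and it is only trusted after its own signature and currency are checked. A production CA would consult its own certificate database or OCSP rather than a CRL, and would match the DNs per RFC 5280 rather than as raw bytes.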
Pushed to master:

commit 380f7fda040cc5d394e34eead45ebb921532cc07
Author: Christina Fu <cfu@redhat.com>
Date:   Mon Jun 5 08:50:25 2017 -0700

Ticket #2617 part2: add revocation check to signing cert

commit aa39354dbbf9df404f6ad374c837db0c421f2705
Author: Christina Fu <cfu@redhat.com>
Date:   Mon Jun 5 08:50:25 2017 -0700
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.8 (was: 10.4)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.9 (was: 10.4.8)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2737
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.