#2617 Allow CA to process pre-signed CMC non-signing certificate requests
Closed: fixed 6 years ago Opened 7 years ago by mharmsen.

Per the RFC 5272 "Full PKI Request" description, SignedData could be used with "a
previously certified signature key".

As a provision for Proof of Origin for non-signing cert requests, this is the
solution to allow non-signing cmc cert requests to be signed by a
previously-issued signing certificate of the same subjectDN.

The server should be able to

  1. verify the signature
  2. match the signer with the certificate request subject
  3. approve or deny

The expected workflow is that with the feature provided in
https://pagure.io/dogtagpki/issue/2613, a signing cert is issued
to an entity, whereby Proof of Origin was complete. From here on, any
non-signing cert requests belonging to the same entity can be "origin-proved" by
signing with the initial signing certificate.


Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1419756

7 years ago


Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: 2

7 years ago

Metadata Update from @mharmsen:
- Custom field component adjusted to CMC (was: General)
- Custom field origin adjusted to RHCust (was: Community)
- Custom field type adjusted to enhancement (was: defect)

7 years ago

Metadata Update from @cfu:
- Issue assigned to cfu

6 years ago

commit 3ff9de6a517d7fdcdee6c4a8c884eff052f8f824
Author: Christina Fu cfu@redhat.com
Date: Fri Apr 28 17:55:17 2017 -0700

Ticket #2717 CMC user-signed enrollment request
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

commit f31ad87440332845e7e5a1d6ea1f092fefd9eef1
Author: Christina Fu cfu@redhat.com
Date: Fri Apr 28 20:05:44 2017 -0700

Ticket #2617 added the new caFullCMCUserSignedCert profile in CS.cfg

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.3 (was: 10.4)

6 years ago

On 06/03/2017, cfu wrote:

While working on CMC revocation, I found out that the method I was using in CMCUserSignedAuth does not validate cert for validity and revocation status (I thought it would). I have put together a patch this morning to add the checks.

mharmsen re-opened this ticket.

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4 (was: 10.4.3)
- Issue status updated to: Open (was: Closed)

6 years ago

Metadata Update from @mharmsen:
- Issue priority set to: blocker (was: critical)

6 years ago

This patch adds the missing revocation check (and possibly validity check).
The code that CMCUserSignedAuth originated from, CMCAuth, has a confusing comment where it states:
// verify signer's certificate using the revocator
right above the CryptoManager.isCertValid() call, which misled me into believing that the call checks for revocation status.

Pushed to master
commit 380f7fda040cc5d394e34eead45ebb921532cc07
Author: Christina Fu cfu@redhat.com
Date: Mon Jun 5 08:50:25 2017 -0700

Ticket #2617 part2: add revocation check to signing cert

commit aa39354dbbf9df404f6ad374c837db0c421f2705
Author: Christina Fu cfu@redhat.com
Date: Mon Jun 5 08:50:25 2017 -0700

Ticket #2617 part2: add revocation check to signing cert
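
The CA-side checks described in the ticket (verify the signature, match the signer to the request subject) together with the validity and revocation checks added in part 2, as an added example in Go that is not Dogtag's code. A detached Ed25519 signature over a CSR stands in for the CMC SignedData wrapper, the CA's revocation records are modelled as a set of revoked serials, and the names verifyUserSignedRequest and fixture are invented; all keys and certificates are constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyUserSignedRequest runs the CA-side checks on a user-signed request before the profile decides.
func verifyUserSignedRequest(ca, signer *x509.Certificate, revoked map[string]bool, csrDER, sig []byte) (*x509.CertificateRequest, error) {
	if err := signer.CheckSignature(x509.PureEd25519, csrDER, sig); err != nil { // step 1: verify the signature
		return nil, fmt.Errorf("request signature does not verify with the signer's key: %w", err)
	}
	if err := signer.CheckSignatureFrom(ca); err != nil || time.Now().Before(signer.NotBefore) || time.Now().After(signer.NotAfter) {
		return nil, fmt.Errorf("signer cert was not issued by this CA or is outside its validity period")
	}
	if revoked[signer.SerialNumber.String()] { // the status check CMCUserSignedAuth originally lacked (part2)
		return nil, fmt.Errorf("signer cert serial %v is revoked", signer.SerialNumber)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || string(csr.RawSubject) != string(signer.RawSubject) { // step 2: match signer and request subject
		return nil, fmt.Errorf("malformed CSR or its subject differs from the signer's (%v)", err)
	}
	return csr, nil // step 3 (approve/deny) is the profile's job; the new cert bears the signer's subjectDN
}

// fixture is constructed material, not Dogtag code: a CA, alice's signing cert, a CSR for alice's separate
// non-signing key, her detached signature over it (in place of CMC SignedData), and CA records revoking her signing cert.
func fixture() (ca, signer *x509.Certificate, revoked map[string]bool, csrDER, sig []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	sigPub, sigKey, _ := ed25519.GenerateKey(rand.Reader)
	_, encKey, _ := ed25519.GenerateKey(rand.Reader)
	now, alice := time.Now(), pkix.Name{CommonName: "alice", Organization: []string{"Example"}}
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	sTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: alice, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	sDER, _ := x509.CreateCertificate(rand.Reader, sTpl, ca, sigPub, caKey)
	signer, _ = x509.ParseCertificate(sDER)
	csrDER, _ = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: alice}, encKey)
	return ca, signer, map[string]bool{signer.SerialNumber.String(): true}, csrDER, ed25519.Sign(sigKey, csrDER)
}

func main() { fmt.Println(verifyUserSignedRequest(fixture())) } // prints <nil> and the revocation error
```

Passing nil for the revoked set instead exercises the accepting path; the same CSR is accepted only while the signing cert is unrevoked, within its validity period and chained to this CA.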

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.8 (was: 10.4)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.9 (was: 10.4.8)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2737

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
