#2618 Allow CA to process pre-signed CMC renewal non-signing cert requests
Closed: fixed 6 years ago Opened 7 years ago by mharmsen.

Per rfc 5272, section 6.3.3 Renewal and Rekey Messages,
renewal can be achieved by signing from a previously issued signing
certificate.

This task should allow both signing and non-signing cmc renewal cert requests
to be signed by a previously-issued signing certificate of the same subjectDN.

The server should be able to

  1. verify the signature
  2. match the signer with the certificate request subject
  3. approve or deny

Note: since the spec did not specifically embed any control to allow CA to tell
if the request is a new request or renewal request (sometime it probably
doesn't matter), we may have to have logic in the CA to find out

  1. what certs are under the same subjectDN
  2. whether this is a renewal or new request
  3. if renewal, which cert is it renewing
    (as some sites might have renewal policies, we need to put that into
    consideration)

This task might be companioning task for
https://pagure.io/dogtagpki/issue/2617
(same assignee is recommended)


Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1419761

7 years ago

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1419761

7 years ago

Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: 2

7 years ago

Metadata Update from @mharmsen:
- Custom field component adjusted to CMC (was: General)
- Custom field origin adjusted to RHCust (was: Community)
- Custom field type adjusted to enhancement (was: defect)

7 years ago

Metadata Update from @cfu:
- Issue assigned to cfu

6 years ago

commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb
Author: Christina Fu cfu@redhat.com
Date: Fri May 19 11:55:14 2017 -0700

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate.  It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint.  They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.

commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb
Author: Christina Fu cfu@redhat.com
Date: Fri May 19 11:55:14 2017 -0700

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate.  It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint.  They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.

commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb
Author: Christina Fu cfu@redhat.com
Date: Fri May 19 11:55:14 2017 -0700

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate.  It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint.  They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.

Metadata Update from @cfu:
- Issue close_status updated to: fixed

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.5 (was: 10.4)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27

6 years ago

Found an issue in UniqueKeyConstraint.java where the subjectDN matching fails to work. A working patching is about to be submitted.

Reopening this ticket.

Metadata Update from @cfu:
- Issue status updated to: Open (was: Closed)

6 years ago

commit 2d69d9332eea7ddc5205dc9e44d15452be4be61f
Author: Christina Fu cfu@redhat.com
Date: Tue Jun 20 15:04:12 2017 -0700

Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.9 (was: 10.4.5)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion reset (from pki-core-10.4.7-1.fc27)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2738

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata