EJBCA / ECA-4091

Prompt for a single end entity password during statedump import

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Do
    • Affects Version/s: EJBCA 6.2.7
    • Fix Version/s: None
    • Component/s: CLI

      Description

      The current implementation of statedump will prompt the user for a password for each end entity separately during the import, unless the --end-entity-password option is used.

      Although this does provide quite a bit of flexibility (separate passwords for separate end entities), it makes it a bit cumbersome when there is more than a couple of end entities present in the statedump.

      It would be nice if there was an option to toggle between providing a single password (used for all end entities), and providing a separate password for each single end entity.

      There are even some benefits in making the one-password-for-all-end-entities behaviour the default one (currently we mostly use the --end-entity-password).

      The reason I'm asking for this feature instead of using the --end-entity-password option is to avoid leaking the password to other processes, and also to be able to type in the password interactively during the key ceremony without needing to disconnect the monitor (so the password would not get leaked).

      Some desirable characteristics for password-entry process:

      • Figure out at the beginning of statedump if there are any end entities available in the statedump, and if so present the password prompt before proceeding with the import.
      • Password must be provided twice, in succession (i.e. enter/repeat password prompt), in order to avoid user mistypes.

      Additional notes:
      Technically, if we had something like ECA-3918, we could probably completely do away with providing a password at this stage, maybe generating completely random passwords instead during import and not caring about them.
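The password-entry behaviour requested above, sketched as an added example that is not EJBCA code and not part of the original report: one no-echo enter/repeat prompt, shown only when the dump contains end entities, so the password never appears in the process arguments. The class name, method name and sample usernames are hypothetical.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.List;

// Added example, not EJBCA code: all names here are hypothetical.
public class SinglePasswordPrompt {

    // Returns one password for all end entities, or null when there is nothing to prompt for.
    static char[] promptOnce(List<String> endEntities, int maxAttempts) {
        if (endEntities.isEmpty()) {
            return null; // no end entities in the dump: skip the prompt entirely
        }
        Console console = System.console();
        if (console == null) {
            // Input is redirected: fail instead of falling back to a read that echoes.
            throw new IllegalStateException("No interactive console available");
        }
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            char[] first = console.readPassword("Password for %d end entities: ", endEntities.size());
            char[] second = (first == null) ? null : console.readPassword("Repeat password: ");
            if (second == null) { // end of input on either prompt
                if (first != null) Arrays.fill(first, '\0');
                throw new IllegalStateException("Input closed before password was confirmed");
            }
            boolean match = first.length > 0 && Arrays.equals(first, second);
            Arrays.fill(second, '\0'); // the confirmation copy is never needed again
            if (match) {
                return first;
            }
            Arrays.fill(first, '\0');
            console.printf("Passwords are empty or do not match, try again.%n");
        }
        throw new IllegalStateException("Too many failed attempts");
    }

    public static void main(String[] args) {
        // Constructed sample standing in for the end entities found in a statedump.
        List<String> endEntities = List.of("user1", "user2", "user3");
        char[] password = promptOnce(endEntities, 3); // asked before any import work starts
        try {
            for (String username : endEntities) {
                // Placeholder for the real import step, which would reuse the same password.
                System.out.println("Would import " + username + " with the shared password");
            }
        } finally {
            if (password != null) Arrays.fill(password, '\0'); // wipe once the import is done
        }
    }
}
```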

            People

            Assignee:
            Unassigned
            Reporter:
            branko Branko Majic (Inactive)