EJBCA / ECA-7756

Improve error message when CA signingkey was changed without renewing CA certificate

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.0.1
    • Component/s: None
    • Labels:
      None
    • Provenance:
      Internal Delivery
    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Team Alice - 2019 w6

      Description

      The error message "java.security.SignatureException: certificate does not verify with supplied key" comes up repeatedly in support cases. The error and the resulting failure are correct (the CA's configured signing key no longer matches the public key in the CA certificate), but users do not understand what the message means. It can easily be clarified with something like this in X.509CA:

      // cert is the CA certificate, verifyKey is the public half of the configured certSignKey.
      // The verification fails when the crypto token key was changed without renewing the CA certificate.
      try {
          cert.verify(verifyKey);
      } catch (SignatureException e) {
          // Wrap the JCA message in one that names the likely cause.
          final String msg = "Public key in the CA certificate does not match the configured certSignKey, is the CA in renewal process? : " + e.getMessage();
          log.warn(msg);
          throw new CertificateCreateException(msg, e);
      } catch (InvalidKeyException e) {
          throw new CertificateCreateException("CA's public key was invalid,", e);
      } catch (NoSuchAlgorithmException e) {
          throw new CertificateCreateException(e);
      } catch (NoSuchProviderException e) {
          throw new IllegalStateException("Provider was unknown", e);
      } catch (CertificateException e) {
          throw new CertificateCreateException(e);
      }

      The only change is the added catch for SignatureException, which turns the message into "Public key in the CA certificate does not match the configured certSignKey, is the CA in renewal process?: java.security.SignatureException: certificate does not verify with supplied key".

       

      To test:

      • Have a CA that is working, i.e. one that issues end entity certificates
      • Generate a new key in the CA crypto token
      • Modify the CA to use the new key as "certSignKey", for example using bin/ejbca.sh ca changecatoken
      • Issue a new end entity certificate; it should fail with the original error message above
      • Apply the above patch
      • Issue a new end entity certificate; it should still fail, now with the clearer error message
      • Change back to the original certSignKey
      • Issue an end entity certificate; it should succeed

      Example command:

      bin/ejbca.sh ca changecatoken --caname "3GPP CA" --cryptotoken ManagementCA --tokenprop tokenprop.properties

      where tokenprop.properties points the CA at the new key aliases (signKey, defaultKey, testKey):

      defaultKey defaultKey
      certSignKey signKey
      crlSignKey signKey
      keyEncryptKey defaultKey
      hardTokenEncrypt defaultKey
      testKey testKey
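The following Go program walks through the same procedure offline, as an added example that is not EJBCA code: it self-signs a CA certificate with key A, "rotates" the signing key to a fresh key B without renewing the CA certificate, shows that an end-entity certificate signed with B fails verification against the CA certificate (the raw failure behind "certificate does not verify with supplied key"), shows an explicit pre-issuance check that produces the clearer diagnostic, and then confirms issuance succeeds again once key A is restored. All function names, the certificate subjects and the error text are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey stands in for "generate a new key in the CA crypto token".
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCA self-signs a CA certificate with caKey; the certificate binds caKey's public half.
func newCA(caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// errSignKeyMismatch is the clearer diagnostic (wording modelled on the ticket, not EJBCA's own).
var errSignKeyMismatch = errors.New("public key in the CA certificate does not match the configured certSignKey, is the CA in renewal process?")

// checkSignKey is an explicit pre-issuance check: does the CA certificate's public key
// equal the public half of the key the CA is configured to sign with?
func checkSignKey(caCert *x509.Certificate, signKey crypto.Signer) error {
	pub, ok := caCert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return errors.New("CA certificate public key type does not support comparison")
	}
	if !pub.Equal(signKey.Public()) {
		return errSignKeyMismatch
	}
	return nil
}

// issueEndEntity signs an end-entity certificate with signKey, naming caCert as issuer,
// then verifies the result against caCert. With a mismatched signKey the verification
// step fails, which is the failure the ticket's users see.
func issueEndEntity(caCert *x509.Certificate, signKey crypto.Signer, eePub crypto.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "end-entity"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// The parent carries only the issuer name, so signing proceeds even with a
	// mismatched key (Go's CreateCertificate would otherwise refuse up front).
	parent := &x509.Certificate{RawSubject: caCert.RawSubject}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, eePub, signKey)
	if err != nil {
		return nil, err
	}
	ee, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if err := ee.CheckSignatureFrom(caCert); err != nil {
		return nil, fmt.Errorf("certificate does not verify with CA certificate: %w", err)
	}
	return ee, nil
}

// demo runs the ticket's test procedure and returns the outcome of each step.
func demo() (mismatchErr, precheckErr, restoredErr error) {
	keyA := newKey()
	caCert := newCA(keyA)
	eeKey := newKey()
	keyB := newKey() // new key in the crypto token, CA certificate not renewed
	_, mismatchErr = issueEndEntity(caCert, keyB, &eeKey.PublicKey)
	precheckErr = checkSignKey(caCert, keyB)
	_, restoredErr = issueEndEntity(caCert, keyA, &eeKey.PublicKey) // certSignKey changed back
	return
}

func main() {
	m, p, r := demo()
	fmt.Println("issue with rotated key:   ", m)
	fmt.Println("pre-check with rotated key:", p)
	fmt.Println("issue with original key:  ", r)
}
```

The pre-check is the part worth carrying into an operational runbook: comparing the CA certificate's public key with the crypto token's current certSignKey before the first issuance after a token change catches the mismatch without waiting for a signature verification failure.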

    People

    Assignee: Tomas Gustavsson
    Reporter: Tomas Gustavsson
    Verified by: Bastian Fredriksson


    Time Tracking

    Original Estimate: 1h
    Remaining Estimate: 0m
    Time Spent: 1h