EJBCA / ECA-7785

New validator phase that will run before using the CA private key to sign the tbsCertificate

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.1.0
    • Component/s: None
    • Labels:
      None
    • Provenance:
      Internal Delivery
    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Team Alice - 2019 w10

      Description

      There is a need to do certificate linting, and to abort certificate issuance if linting fails. Currently this can be done on the CT pre-certificate, but signing a CT pre-certificate is a contract to issue the real certificate. If linting fails the consensus is that the real certificate should be issued and revoked. Or at a minimum the issuerDN/serialNumber should be revoked, even if the CT pre-certificate was never submitted to any CT logs.

      We would like to validate certificates before using the CA private key to sign them (either the certificate or the precertificate).
      This can be done by adding a new Validator phase, that will run before the PRE_CERTIFICATE_VALIDATOR phase.
      Before adding the CT extension, use the certbuilder to sign the cert with a dummy (hardcoded) key, and then run the validators.

      There seems to be consensus in the CT list that by signing using a dummy key, the CA has not actually done anything and it's ok to simply discard and abort if the validator fails.

      See: https://groups.google.com/forum/#!topic/certificate-transparency/sDRcVBAgjCY

      See patch in linked issue. Original contributor Fotis Loukos.
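      The phase described above, as an added illustration that is not EJBCA code and not the linked patch: it is written in Go against the standard library rather than EJBCA's Java, because Go's crypto/x509 exposes the same building blocks (encode the tbsCertificate, sign it under an issuer, parse it back). The names DummySignedCandidate, IssueWithPreSignLint, PreSignLints, NewTestCA and LeafTemplate are hypothetical, the single lint rule is a constructed stand-in for a real linter, and the CA and subject keys are throwaway keys generated for the demonstration. The point it makes concrete is the one the CT-list consensus rests on: the candidate signed with the dummy key carries exactly the tbsCertificate the CA would sign (same issuer name, same authorityKeyIdentifier, same signature algorithm), so the validators see the final object, while the dummy signature verifies under nothing the CA controls; a failed validator therefore aborts before the CA private key is used and leaves no issuerDN/serialNumber to revoke. It goes slightly beyond the text in showing the same pre-sign step for the final certificate; a CT precertificate would be handled identically, with the poison extension added to the template after this phase passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Lint is one validator run over the encoded candidate before the CA key is touched.
type Lint func(c *x509.Certificate) error

// PreSignLints are constructed stand-ins for a real certificate linter (one rule is enough here).
var PreSignLints = []Lint{
	func(c *x509.Certificate) error { // end-entity validity capped at 398 days
		if c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour {
			return errors.New("validity period exceeds 398 days")
		}
		return nil
	},
}

// signAndParse encodes and signs template under parent, then parses the DER back.
func signAndParse(template, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DummySignedCandidate builds the certificate exactly as the CA would but signs it with a throwaway
// key: the tbsCertificate is byte-identical to what the CA key would sign, the signature commits the CA to nothing.
func DummySignedCandidate(template, caCert *x509.Certificate, subjectPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	dummyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // same curve as the CA, same signature OID
	if err != nil {
		return nil, err
	}
	// Issuer shell: the CA's name and subjectKeyIdentifier (so issuer and AKI match), but the throwaway key.
	dummyIssuer := &x509.Certificate{
		Subject: caCert.Subject, RawSubject: caCert.RawSubject,
		SubjectKeyId: caCert.SubjectKeyId, PublicKey: &dummyKey.PublicKey,
	}
	return signAndParse(template, dummyIssuer, subjectPub, dummyKey)
}

// IssueWithPreSignLint is the proposed phase: lint the dummy-signed candidate and only reach
// for the CA private key once every lint passes. A failure aborts with nothing to revoke.
func IssueWithPreSignLint(template, caCert *x509.Certificate, caKey *ecdsa.PrivateKey, subjectPub *ecdsa.PublicKey, lints []Lint) (*x509.Certificate, error) {
	candidate, err := DummySignedCandidate(template, caCert, subjectPub)
	if err != nil {
		return nil, err
	}
	for _, lint := range lints {
		if err := lint(candidate); err != nil {
			return nil, fmt.Errorf("pre-sign validation failed, issuance aborted: %w", err)
		}
	}
	return signAndParse(template, caCert, subjectPub, caKey)
}

// NewTestCA creates a constructed, throwaway self-signed CA for the demonstration.
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Pre-Sign Lint CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// LeafTemplate builds an end-entity template; serial and names are constructed demo values.
func LeafTemplate(serial int64, cn string, days int, dnsNames []string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
}

func main() {
	caCert, caKey, _ := NewTestCA() // demo only: errors from the throwaway CA are ignored
	subjKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good := LeafTemplate(2, "good.example.test", 90, []string{"good.example.test"})
	bad := LeafTemplate(3, "bad.example.test", 825, []string{"bad.example.test"}) // rejected before the CA signs
	for _, tmpl := range []*x509.Certificate{good, bad} {
		_, err := IssueWithPreSignLint(tmpl, caCert, caKey, &subjKey.PublicKey, PreSignLints)
		fmt.Printf("%s: issued=%v err=%v\n", tmpl.Subject.CommonName, err == nil, err)
	}
}
```

      In a CA product the lint list would be the configured validators for the new phase and the throwaway key would be the hardcoded dummy key the description mentions; what matters for the design is that the candidate's RawTBSCertificate equals the one later signed by the real key, so nothing the validators approved differs from what the CA commits to.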


              People

              Assignee:
              Tomas Gustavsson
              Reporter:
              Tomas Gustavsson
              Verified by:
              Amin Khorsandi
              Votes:
              0
              Watchers:
              6


                  Time Tracking

                  Estimated: 4d (original estimate 4 days)
                  Remaining: 1d
                  Logged: 3d