  1. EJBCA
  2. ECA-8152

Prevent broken certificate chain from being imported in the CLI using the 'ca importca' command

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.2.0
    • Component/s: None
    • Labels:
    • Provenance:
      Internal Delivery
    • Sprint:
      EJBCA Team Bob - 2019 w18, EJBCA Team Bob - 2019 w21

      Description

      It is currently possible to import a certificate chain

      (c_0, c_1, ..., c_n) for n > 1 where ∃i, 0 < i <= n ; !signedBy(c_{i-1}, c_i)
      

      using ejbca.sh. This should never be possible.

      E.g. concat a foreign root with an issuing CA and save as broken_chain.pem
      > cat foreign_root.pem >> issuing_ca.pem
      > mv issuing_ca.pem broken_chain.pem
      > /opt/ejbca/bin/ejbca.sh ca importca --caname "Issuing CA" --cert /root/broken_chain.pem --hard --cp org.ejbca.core.model.ca.catoken.PKCS11CAToken --ctpassword foo123 --prop /root/ca.conf
      Importing hard token.

      The fix, if you make this mistake, appears to be pretty straightforward: you can drop the incorrect entry in CAData and then reimport.
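
A pre-import check for the condition in the description, as an added example that is not part of the original issue and is not EJBCA's own fix: it walks a PEM bundle and requires every c_{i-1} to verify against c_i. The function names `check_chain` and `make_demo_chains` are hypothetical, the test certificates are constructed, and the OpenSSL 1.1.0+ command line is assumed.

```shell
#!/bin/sh
# check_chain BUNDLE: return 0 only if every certificate in the PEM bundle
# verifies against the certificate that follows it (c_{i-1} signed by c_i).
check_chain() {
    work=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.0, cert.1, ...
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert.%d", dir, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    rc=0 i=1
    [ -f "$work/cert.0" ] || rc=2    # no certificate found at all
    while [ -f "$work/cert.$i" ]; do
        prev=$((i - 1))
        # Trust only cert i; openssl verify also checks validity dates.
        if ! openssl verify -no-CAfile -no-CApath -partial_chain \
               -trusted "$work/cert.$i" "$work/cert.$prev" >/dev/null 2>&1; then
            echo "broken link: cert $prev does not verify against cert $i" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return $rc
}

# Constructed test material: a root, an unrelated "foreign" root, and an
# issuing CA signed by the first root, bundled as in the report above.
make_demo_chains() {
    d=$1
    for ca in root foreign_root; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
        -keyout "$d/issuing_ca.key" -out "$d/issuing_ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/issuing_ca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/issuing_ca.pem" 2>/dev/null
    cat "$d/issuing_ca.pem" "$d/root.pem"         > "$d/good_chain.pem"
    cat "$d/issuing_ca.pem" "$d/foreign_root.pem" > "$d/broken_chain.pem"
}

# Stand-alone use: sh check_chain.sh /path/to/bundle.pem
if [ "$#" -gt 0 ]; then check_chain "$1" && echo "chain OK: $1"; fi
```

Running `check_chain` on the bundle before `ca importca` and aborting on a non-zero status keeps a bundle like `broken_chain.pem` from reaching the CLI.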

              People

              Assignee:
              bastianf Bastian Fredriksson
              Reporter:
              bastianf Bastian Fredriksson
              Verified by:
              Samuel Lidén Borell
              Votes:
              0
              Watchers:
              2

                  Time Tracking

                  Estimated:
                  2h
                  Remaining:
                  0m
                  Logged:
                  5h