EJBCA / ECA-8377

Regression: Fast-fail is triggered when a CT submission is interrupted

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 7.2.1
    • Fix Version/s: EJBCA 7.3.1
    • Component/s: None
    • Issue discovered during: Jenkins
    • Sprint: EJBCA Team Bob - 2019 w42

      Description

      Due to the way we handle thread interruptions in the Certificate Transparency code, we end up adding logs with interrupted submissions to the fast-fail cache. This causes slow logs to be completely ignored, which may or may not be what you want.

      Interrupted submissions should result in the log being added to the fast-fail cache if the log timed out, but not if it was just slower than the other logs.

      org.cesecore.certificates.certificatetransparency.CTLogException: Minimum requirements for SCTs was not was not satisfied for certificate 'localhost'. Unsatisfied labels: Log Label A. Log has been temporarily disabled due to earlier error: Thread was interrupted
      	at org.cesecore.certificates.certificatetransparency.CtSubmission.checkAndCacheResult(CtSubmission.java:390)
      	at org.cesecore.certificates.certificatetransparency.CtSubmission.submit(CtSubmission.java:375)
      	at org.cesecore.certificates.certificatetransparency.CertificateTransparencyImpl.fetchSCTList(CertificateTransparencyImpl.java:177)
      	at org.cesecore.certificates.certificatetransparency.CertificateTransparencyImpl.fetchSCTList(CertificateTransparencyImpl.java:273)
      	at org.cesecore.certificates.certificatetransparency.CTLogTest.fetchSCTList(CTLogTest.java:828)
      	at org.cesecore.certificates.certificatetransparency.CTLogTest.fetchSCTList(CTLogTest.java:812)
      	at org.cesecore.certificates.certificatetransparency.CTLogTest.testLogLabels2(CTLogTest.java:302)
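
The intended rule from the description, as an added Java sketch that is not EJBCA's code: a log goes into the fast-fail cache only when its own timeout has elapsed, not when its submission is interrupted because enough SCTs already arrived from faster logs. `Log`, `submit`, `fastFail` and `fetchScts` are hypothetical names, the timings are constructed, and a sleep stands in for the HTTP submission.

```java
import java.util.*;
import java.util.concurrent.*;
// Added illustration (Java 16+). Log, submit, fastFail and fetchScts are hypothetical names, not EJBCA classes.
public class FastFailDemo {
    record Log(String url, long responseMs, long timeoutMs) {}
    // Hypothetical fast-fail cache: log URL -> reason the log is temporarily skipped.
    static final Map<String, String> fastFail = new ConcurrentHashMap<>();
    // Simulated submission: the sleep stands in for the HTTP round trip to the log.
    static String submit(Log log) throws InterruptedException {
        Thread.sleep(log.responseMs());
        return "SCT from " + log.url();
    }
    static List<String> fetchScts(List<Log> logs, int minScts) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(logs.size());
        CompletionService<String> results = new ExecutorCompletionService<>(pool);
        Map<Future<String>, Log> pending = new HashMap<>();
        for (Log log : logs) pending.put(results.submit(() -> submit(log)), log);
        long start = System.currentTimeMillis();
        List<String> scts = new ArrayList<>();
        while (scts.size() < minScts && !pending.isEmpty()) {
            long elapsed = System.currentTimeMillis() - start;
            long wait = pending.values().stream().mapToLong(l -> l.timeoutMs() - elapsed).min().getAsLong();
            Future<String> f = results.poll(Math.max(wait, 0), TimeUnit.MILLISECONDS);
            if (f != null) {
                Log log = pending.remove(f);
                if (log == null) continue; // already cancelled below as timed out
                try { scts.add(f.get()); }
                catch (ExecutionException e) { fastFail.put(log.url(), "error: " + e.getCause()); }
                continue;
            }
            // Nothing finished before the earliest deadline: those logs really timed out.
            long now = System.currentTimeMillis() - start;
            pending.entrySet().removeIf(e -> {
                if (now < e.getValue().timeoutMs()) return false;
                e.getKey().cancel(true);
                fastFail.put(e.getValue().url(), "timed out");
                return true;
            });
        }
        // Enough SCTs collected: interrupt the stragglers without adding them to the cache.
        pool.shutdownNow();
        return scts;
    }
    public static void main(String[] args) throws Exception {
        // Constructed timings: log-b is merely slower than log-a; log-c exceeds its own timeout.
        System.out.println(fetchScts(List.of(new Log("log-a", 50, 5000), new Log("log-b", 2000, 60000)), 1));
        System.out.println(fetchScts(List.of(new Log("log-c", 2000, 300)), 1) + " fast-fail cache: " + fastFail);
    }
}
```

Run with `java FastFailDemo.java`: only log-c ends up in the cache, while log-b, interrupted merely for being slower than log-a, does not.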
      

      As a workaround, the CT fast-fail cache can be disabled by setting the property ct.fastfail.enabled=false in cesecore.properties, then rebuilding and redeploying EJBCA (ant clean deployear).

      Steps to verify the bugfix

      1. Set up first CT log
        1. Add EJBCA CA (e.g. ManagementCA) to trusted CAs
        2. Extract CT log public key
      2. Set up second CT log (for testing you can re-use the key when creating the log)
        1. Add EJBCA CA (e.g. ManagementCA) to trusted CAs
        2. Extract CT log public key
      3. EJBCA: Go to System Configuration -> Certificate Transparency Logs
      4. Add first CT log
        1. Enter first CT log URL
        2. Select public key from first CT log
        3. Timeout: 5000
        4. Label: Test
      5. Add second CT log
        1. Enter second CT log URL
        2. Select public key from second CT log
        3. Timeout: 60000 (60 thousand)
        4. Label: Test
      6. Create first Certificate Profile
        1. Name: CT1
        2. Use Certificate Transparency in new certificates: Yes
        3. Min SCTs: Custom, 1
        4. Max SCTs: Custom, 1
        5. Labels: Test
      7. Create second Certificate Profile
        1. Name: CT2
        2. Use Certificate Transparency in new certificates: Yes
        3. Min SCTs: Custom, 2
        4. Max SCTs: Custom, 2
        5. Labels: Test
      8. Create End Entity Profile
        1. Name: CT
        2. Available CAs: Any CA
        3. Default Certificate Profile: CT1
        4. Available Certificate Profiles: CT1, CT2
      9. Pause second CT log VM (or process)
      10. Go to RA web
      11. Go to Make New Request
        1. Type: CT
        2. Subtype: CT1
        3. Key generation: On server
        4. RSA 2048
        5. Common Name: CT1
        6. Username: ct1
        7. Password: foo123
        8. Press "Generate PKCS#12"
      12. When the .p12 file has been received, resume the paused CT log VM
      13. Go to Make New Request
        1. Type: CT
        2. Subtype: CT2
        3. Key generation: On server
        4. RSA 2048
        5. Common Name: CT2
        6. Username: ct2
        7. Password: foo123
        8. Press "Generate PKCS#12"

      Expected results
      You should receive a .p12 file.

      NOTE: I used a slightly different approach, using "netcat" and copy pasting instead of using a second CT log.

            People

            Assignee:
            samuel Samuel Lidén Borell
            Reporter:
            samuel Samuel Lidén Borell
            Verified by:
            Jekaterina Bunina

                Time Tracking

                Original Estimate: 1 week (1w)
                Remaining Estimate: 3 days, 4 hours, 30 minutes (3d 4h 30m)
                Time Spent: 1 day, 3 hours, 30 minutes (1d 3h 30m)