Improvement to client function certimportdir(v9) #775
Conversation
Added ability to provide an alternate CA certificate (for renewed CAs) and allow revocation details to be derived from the filename.
Added additional tests for changes to the associated client function.
|
I'm sorry, but this fell between the chairs due to travels. If you rebase this one I promise to get it fixed for the next release. |
|
Synced to latest keyfactor:main. |
|
Internal ticket tracker: ECA-13369 |
| if ( sRevCode.equals("CESSATIONOFOPERATION")) sRevCode = "CESSATION_OF_OPERATION"; | ||
| if ( sRevCode.equals("CERTIFICATEHOLD")) sRevCode = "CERTIFICATE_HOLD"; | ||
| if ( sRevCode.equals("PRIVILEGESWITHDRAWN")) sRevCode = "PRIVILEGES_WITHDRAWN"; | ||
| if ( sRevCode.equals("CERTIFICATEHOLD")) sRevCode = "AA_COMPROMISE"; |
There was a problem hiding this comment.
Bug here in string names
There was a problem hiding this comment.
Well spotted. Will fix that.
| "Specify an alternate CA certificate file (in PEM). Use this option when importing certificates that were issued by the previous CA certificate. Please note that the supplied certificate is not verified.")); | ||
| registerParameter(new Parameter(REVOKEDETAILS, "Revocation Details", MandatoryMode.OPTIONAL, StandaloneMode.FORBID, ParameterMode.FLAG, | ||
| "Revocation details are to be derived from the filename of the certificate. The filename must end with '!<REASON>!<INVALIDITY_TIME>'. The REASON can be the value or label as described in RFC5280 section 5.3.1. " | ||
| + "INVALIDITY_TIME is formatted as '"+DATE_FORMAT_WINSAFE+"' and assumed to be the local timezone. Note: Filename extensions (ie., '.crt. or '.pem') are not supported. Please also note that any file without " |
There was a problem hiding this comment.
I think it would feel more consistent if revocation reason was an integer, the same as used when revoking certificates with ejbca.sh ra revokecert. Unessecary to have different parameters values in different places.
There was a problem hiding this comment.
Well it can be...I think the ability to use label complicates things and I would rather do without it. See RevokeCertificateCommand
There was a problem hiding this comment.
Perhaps. The CaImportCertCommand takes a text entry for revocation reason and not an integer code. The revocation reason text was confusing to me as the EJBCA's RevocationReason takes a different form than that in the RFC. I thought I'd allow an integer code, the RFC text label, as well as the EJBCA's text label.
| } | ||
|
|
||
| } catch (NumberFormatException e) { | ||
| // Not an integer, must be the full text |
There was a problem hiding this comment.
We could do without the full text imho. Keeping parameters simpler.
There was a problem hiding this comment.
See earlier comment.
| // Find the revocation details from the filename. The details are separated with an exclamation (!) character. | ||
| final String[] sa = file.getName().split("!"); | ||
| if (sa.length <3) { | ||
| log.error("ERROR: The revocation details are not found in filename '"+file.getName()+"'. Ignoring this file."); |
There was a problem hiding this comment.
Simply ignoring a file makes the import process fragile. The import job reports error about succesful or non-succesful imports. Simply ignoring it here makes this reporting not reporting correctly. Either the report job should instead report that details was missing for this file and thus import failed, or we should allow missing revocation reason and then allowing "standard" import for this.
There was a problem hiding this comment.
Because the operation is for a bulk set of files, the thinking here is to report an error, but allow the other files in the batch to be tried. Of course, if the whole batch is incorrectly labelled, then all files will show an error.
There was a problem hiding this comment.
I think the skipping of import and error reporting should be part of the CertificateImporter then. If so it will be part of the import summary printed in the end.
There was a problem hiding this comment.
I don't really follow this comment. If the option to use '--revoke-details-in-filename' is enabled, then the code should report any issues with each filename in the directory being imported, especially if the Revocation Reason or Invalidity Time is not provided in the filename. The Operator should not use the option '--revoke-details-in-filename' if the certificate filenames do not include the extra revocation syntax in the filename.
There was a problem hiding this comment.
But there is still some files will be imported that have the correct filename while other will be skipped with just a warning in the log that can easily disappear since it's only logged to the console. And in the end the command will state an "Import summary" which does not report anything on these skipped records. That is a bad "Import summary" imho. '--revoke-details-in-filename' should be robust against filenaming errors similar to it handling issuer errors, or errors with the file content being wrong. Wrong filename is a similar error to wrong file content and should be dealt with similarly.
This wh9le parsing for the reason code can be done in CertificateImporter instead, why not do it there?
There was a problem hiding this comment.
Added any errors to the Results, so as to fix the Import Summary. Example below of 3 incorrect filenames:
ERROR: The revocation details are not found in filename 'A_15710.cer'. Ignoring this file.
ERROR: '2023.OCT.09-12.01' was not a valid revocation time. Use this time format 'yyyy.MM.dd-HH.mm'. Ignoring this file '2024_11.!6!2023.OCT.09-12.01'.
ERROR: 'KEYSCOMPROMISE' is not a valid revocation reason. Ignoring this file '2024_12!KEYSCOMPROMISE!2022.05.04-20.59'.
Import summary:
0 certificates were imported successfully.
Time: 0.0 seconds (Infinity tps)
3 certificates were not imported due to other errors.
The Revocation "Reason Code" is not checked by CertificateImporter, so checking it is legal needs to be done in this code..
Fixed a typo.
|
I just though of a question on the revocation options. After importing certificates the CRL should also be imported which would also set the options of they are on the CRL. You anyhow must import the latest CRL for the CRL number to become correct. Can you describe the benefits of this in addition to importing the CRL? |
|
Hey Tomas.
That is a good idea! An ability to import a pre-existing CRL, and thus set
the revocation data using the CRL (and set the CRL number too). One issue
to be mindful of is that CRLs can contain references to expired certs, but
you may not have wanted to import all of these old inactive certs into
EJBCA. I guess the command would just need to list out any serial numbers
present in the CRL which are not known by EJBCA.
Another alternative is to have a "-crl <crl file>" option for the
certimportdir command. As certs are being imported, the CRL data is then
checked and any certificates listed in the CRL are automatically revoked
when imported. This would be a better approach than using the filename
structure as described in this pull request. I should look into this
further.
…On Mon, Jun 2, 2025 at 5:33 PM Tomas Gustavsson ***@***.***> wrote:
*primetomas* left a comment (Keyfactor/ejbca-ce#775)
<#775 (comment)>
I just though of a question on the revocation options. After importing
certificates the CRL should also be imported which would also set the
options of they are on the CRL. You anyhow must import the latest CRL for
the CRL number to become correct.
Can you describe the benefits of this in addition to importing the CRL?
(I can think of some)
—
Reply to this email directly, view it on GitHub
<#775 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/A2VKRJGHSWES6WT5D5AIYLL3BP45JAVCNFSM6AAAAABVLAOSIGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDSMRZGIZDEMBSG4>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
There is this command today: bin/ejbca.sh ca importcrl --help |
|
Oh, I had not noticed the 'importcrl' command. I did some testing and this command works perfectly to revoke certs after importing them into the DB. I guess there isn't any real need for this pull request now. Feel free to cancel it. |
|
Great to hear it worked well. Perhaps we can point to the importcrl command in the help text for importcert? |
|
I just realised that the --cacert option is still useful. I'll have another look at this and trim the change down. |
|
Updates done to trim down code back to include the '--cacert' option only. |
| } finally { | ||
| fileOutputStream.close(); | ||
| } | ||
| // Delete the CA |
There was a problem hiding this comment.
Since the command doc says it is for old, i.e. renewed CA certificates. Wouldn't it make sense to renew the CA instead of deleting and re-creating it? See for example RenewCASystemTest for a simple example.
There was a problem hiding this comment.
Yes, good point. However the reason one would be importing certs into a new CA is that they are migrated an existing CA over to EJBCA. If this migrated CA had previous CA certs, then EJBCA does not know about them. This is reason to add the --cacert option to this command. Testing needs to follow that same process. If one was to renew the CA in EJBCA, then that CA would know the previous CA cert and the test may be flawed.
Describe your changes
When importing certificates into a newly migrated CA, the code performs a certificate verification based upon the CA's current certificate. A problem with this occurs when the certificates being imported had been issued from one of the CA's earlier certificates (ie., the CA was renewed but active end-enty certificates still need to be imported).
To remedy this, a new "--cacert" option allows the Operator to provide the CA's previous certificate, and this CA certificate will then be used to verify the certificates being imported.
How has this been tested?
A systemtest has been ammended to test this change:
ant test:runone -Dtest.runone=CaImportCertDirCommandSystemTestChecklist before requesting a review
NOTE: This pull request is to replace #711