Menu
▾
▴
Re: [Ejbca-develop] EJBCA is checking for serial number collisions after generating the certificate
|
From: Tomas G. <to...@pr...> - 2019-03-12 08:52:54
|
Hi Jaime, Good point about CT pre-certs. With "no certificates" we mean the final certificate. The CT pre-certificate is by definition not a "certificate", it's a "pre-certificate" and can by construct (poison extension) not be used as a certificate. Of course, the issuance of a pre-certificate has it's own consequences such as having to revoke it. Though, as you know, CT is only used for public trust issued certificates, and there it is not allowed to use 32 bit serial numbers. In fact more than 64 bit serial numbers are needed. This makes this discussion mostly academic. Regards, Tomas On 2019-03-11 16:37, Jaime Hablutzel wrote: > Quoting > from https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/OVKywVZIBgAJ: > > In addition to random serial numbers, EJBCA checks for collisions, > so even in the very unlikely event of equal serial numbers being > generated, *no certificates with duplicated serial numbers should be > issued from a CA based on the EJBCA software*. By comparison, > collisions do happen regularly in testing when using 32 bit serial > numbers (and are averted), so the underlying checks function as we > expect. > > > Where the highlighted text is not correct, because, as observed from the > trunk source around r31776, if a newly generated random serial number > (generated by > org.cesecore.certificates.ca.internal.SernoGeneratorRandom#getSerno) > results that is being used by an existing certificate, a new > collisioning certificate is still generated (and CT precertificate > published!) but it is discarded only before trying to store it in the > database, when the collision validation is performed > (org.cesecore.certificates.certificate.CertificateCreateSessionBean#assertSerialNumberForIssuerOk). > > It isn't the expected behaviour. Isn't it?. > > -- > Jaime Hablutzel - RPC 994690880 > > > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |
