Menu
▾
▴
Re: [Ejbca-develop] EJBCA is checking for serial number collisions after generating the certificate
|
From: Jaime H. <hab...@gm...> - 2019-03-12 12:19:26
|
On Tue, Mar 12, 2019, 3:53 AM Tomas Gustavsson <to...@pr...> wrote: > Hi Jaime, > > Good point about CT pre-certs. With "no certificates" we mean the final > certificate. The final collisioning certificate is generated too. Take a look at the source code before the call to org.cesecore.certificates.cer tificate.CertificateCreateSessionBean#assertSerialNumberForIssuerOk. The CT pre-certificate is by definition not a > "certificate", it's a "pre-certificate" and can by construct (poison > extension) not be used as a certificate. > > Of course, the issuance of a pre-certificate has it's own consequences > such as having to revoke it. > Though, as you know, CT is only used for public trust issued > certificates, and there it is not allowed to use 32 bit serial numbers. > In fact more than 64 bit serial numbers are needed. This makes this > discussion mostly academic. > > Regards, > Tomas > > > On 2019-03-11 16:37, Jaime Hablutzel wrote: > > Quoting > > from > https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/OVKywVZIBgAJ > : > > > > In addition to random serial numbers, EJBCA checks for collisions, > > so even in the very unlikely event of equal serial numbers being > > generated, *no certificates with duplicated serial numbers should be > > issued from a CA based on the EJBCA software*. By comparison, > > collisions do happen regularly in testing when using 32 bit serial > > numbers (and are averted), so the underlying checks function as we > > expect. > > > > > > Where the highlighted text is not correct, because, as observed from the > > trunk source around r31776, if a newly generated random serial number > > (generated by > > org.cesecore.certificates.ca.internal.SernoGeneratorRandom#getSerno) > > results that is being used by an existing certificate, a new > > collisioning certificate is still generated (and CT precertificate > > published!) but it is discarded only before trying to store it in the > > database, when the collision validation is performed > > > (org.cesecore.certificates.certificate.CertificateCreateSessionBean#assertSerialNumberForIssuerOk). > > > > It isn't the expected behaviour. Isn't it?. > > > > -- > > Jaime Hablutzel - RPC 994690880 > > > > > > _______________________________________________ > > Ejbca-develop mailing list > > Ejb...@li... > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |
