There are several Registration Authority subsystems:
1. Java-based RA subsystem "module" in Tomcat subsystems
2. Apache HTTPD-based RA subsystem, which no longer exists
This ticket concerns the Java-based RA subsystem "module" in Tomcat subsystems.
The RA subsystem "module" is supposed to be a class inheriting from the IRegistrationAuthority interface. This "module" is used by non-CA subsystems to check the certificate revocation status since they don't have direct access to the certificate database.
The problem is the "module" currently does not exist. There is no class inheriting the IRegistrationAuthority interface, and there is no RA subsystem "module" configured in any of the Tomcat subsystems. Currently the certificate-based authentication is failing silently and incorrectly passing all revoked certificates.
Proposed fix:
1. Change the code to fail the authentication if the RA subsystem "module" is missing.
2. Implement an RA subsystem "module", or change CMS.isRevoked() to verify the certificate against the CA directly without the RA subsystem "module".
This ticket is needed by the following tickets which are scheduled for 10.2.2:
Per discussion with jmagne and cfu, there are some options to fix issue #2:
The first option is preferable since it's more standard and probably can be implemented with the existing OCSPClient.
This problem only affects non-CA subsystems running in a shared instance. Non-CA subsystems running in separate instances can use OCSP to work with a remote OCSP responder.
If revocation checking in a shared instance is critical, this ticket should be fixed in 10.2.2. Otherwise, this ticket (also #1134 and #1182) probably can be moved into 10.3.
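The fail-open behaviour described in the ticket, and the fail-closed form that proposed fix #1 asks for, as an added illustration that is not Dogtag PKI code. IRegistrationAuthority and CMS.isRevoked() are names taken from the ticket; the interface shape (a single isRevoked(X509Certificate) method), the RevocationCheck class and the exception type are assumptions made for this example.

```java
import java.security.cert.X509Certificate;

// Assumed shape of the interface named in the ticket (not the real Dogtag declaration).
interface IRegistrationAuthority {
    boolean isRevoked(X509Certificate cert) throws Exception;
}

/** Hypothetical exception: revocation status could not be determined, so authentication must fail. */
class RevocationStatusUnavailableException extends Exception {
    RevocationStatusUnavailableException(String msg) { super(msg); }
    RevocationStatusUnavailableException(String msg, Throwable cause) { super(msg, cause); }
}

final class RevocationCheck {
    private final IRegistrationAuthority ra;   // null when no RA "module" is configured

    RevocationCheck(IRegistrationAuthority ra) { this.ra = ra; }

    /** Before: the behaviour the ticket reports. With no RA module the lookup never
     *  runs, so every certificate, revoked or not, is reported as "not revoked". */
    boolean isRevokedFailOpen(X509Certificate cert) {
        if (ra == null) {
            return false;                      // BUG: missing module silently accepts the cert
        }
        try {
            return ra.isRevoked(cert);
        } catch (Exception e) {
            return false;                      // BUG: a failed lookup also accepts the cert
        }
    }

    /** After (proposed fix #1): a missing module or a failed lookup is an error,
     *  so the caller cannot mistake "status unknown" for "not revoked". */
    boolean isRevokedFailClosed(X509Certificate cert) throws RevocationStatusUnavailableException {
        if (ra == null) {
            throw new RevocationStatusUnavailableException(
                "no RA subsystem module configured; cannot check revocation of "
                + cert.getSubjectX500Principal());
        }
        try {
            return ra.isRevoked(cert);
        } catch (Exception e) {
            throw new RevocationStatusUnavailableException(
                "revocation lookup failed for " + cert.getSubjectX500Principal(), e);
        }
    }
}
```

The authentication path should treat RevocationStatusUnavailableException the same as a revoked certificate, so that a deployment without the module (the shared-instance case above) fails authentication instead of passing every certificate.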
Per triage meeting of 2/25/2015: 10.2.3
This ticket is merged into #1202.
Metadata Update from @edewata: - Issue set to the milestone: 10.2.3
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1812
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.