artem-smotrakov opened a new pull request #4065: URL: https://github.com/apache/cloudstack/pull/4065
## Description

This update turns on certificate revocation checking for uploaded certificates:

- Updated `CertServiceImpl` to be able to enable revocation checking.
- Introduced a new parameter `ENABLED_REVOCATION_CHECK` for `UploadSslCertCmd`.
- Updated `CertServiceTest`.

Even if no CRLs are specified via `PKIXParameters`, the certificates themselves may still provide info for revocation checking:

- The AIA extension may contain a URL to the OCSP responder.
- The CRLDP extension contains a URL to the CRL.

Those extensions may need to be explicitly enabled by setting the system properties `com.sun.security.enableAIAcaIssuers` and `com.sun.security.enableCRLDP` to true. See [Java PKI Programmer's Guide](https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html).

Using a revoked certificate may be dangerous. One of the most common reasons why a certificate authority (CA) revokes a certificate is that the private key has been compromised. For example, the private key might have been stolen by an adversary.

If I understand correctly, the `CertServiceImpl` bean is used for operations with certificates on a load balancer. In particular, it validates a certificate chain without revocation checking while uploading a certificate. If a compromised revoked certificate is then used by the load balancer, then it may result in compromising TLS connections. However, the attacker has to be able to implement a man-in-the-middle attack to compromise the connections. So the attacker has to be quite powerful. Therefore, such an attack is definitely not easy to implement. On the other hand, the impact may be significant because of loss of confidentiality.
This has been discussed on [email protected]

## Types of changes

- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)

## How Has This Been Tested?

Updated one test case and added a new one in `CertServiceTest`.

----------------------------------------------------------------

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
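
An added example, not code from this pull request or from CloudStack: PKIX chain validation with revocation checking enabled, reporting a revoked certificate separately from an unreachable CRL or OCSP source. The class name `RevocationCheckExample`, the two PEM file arguments and the `ocsp.enable` security property are assumptions of this sketch; the two system properties are the ones named in the description.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.*;

public class RevocationCheckExample {
    // Returns "OK" when the chain validates, otherwise a short failure reason.
    // chain: leaf first, then intermediates; the trust anchor is not part of it.
    static String validate(List<X509Certificate> chain, X509Certificate root) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true); // the check that was missing on upload
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            // Index of the failing certificate in the path, -1 if not applicable.
            String where = " (cert index " + e.getIndex() + ")";
            if (e.getReason() == BasicReason.REVOKED) {
                return "REVOKED" + where;
            }
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // No CRL or OCSP answer could be obtained; treated as a failure.
                return "REVOCATION STATUS UNKNOWN" + where;
            }
            return "INVALID: " + e.getMessage() + where;
        }
    }

    @SuppressWarnings("unchecked")
    static List<X509Certificate> load(String pemFile) throws Exception {
        try (InputStream in = new FileInputStream(pemFile)) {
            return new ArrayList<>((Collection<X509Certificate>)
                    CertificateFactory.getInstance("X.509").generateCertificates(in));
        }
    }

    public static void main(String[] args) throws Exception {
        // Set before any PKIX class is used; the provider reads these once.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
        Security.setProperty("ocsp.enable", "true"); // assumption: also query OCSP
        // args[0]: PEM file with leaf + intermediates, args[1]: PEM file with the root
        System.out.println(validate(load(args[0]), load(args[1]).get(0)));
    }
}
```

With Java 11 or later this runs as `java RevocationCheckExample.java chain.pem root.pem`; the revocation lookups need network access to the CRL and OCSP URLs embedded in the certificates.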
