Hello Nicolas,

I think you were looking at the right place. The function exportDB in export-import.lib holds a list of states which shall be exported. TEMPNEW is not among the ones to be exported, so these requests which are not validated should not even leave the RA. Nevertheless, it would make sense to handle TEMPNEW in importObjects just in case. However, all other states should already be handled correctly, at least for Openca-base 1.5.1. In the output below I can't see any export of a request. Could you try to export the database with requests of different states (TEMPNEW / NEW / APPROVED) and check the tar file to see how they are written to the device?

Best regards,
Martin

PS: I'm suggesting the attached patch to make sure the TEMPNEW state is correctly handled during import.

On 02/28/2014 03:35 PM, Nicolas Macia (CeSPI) wrote:
I forgot to say that this behavior happened on:
- Openca-base 1.5.1 / Openca-tools 1.3.0 on Debian 7 (Stable)
- Openca-base 1.1.1 / Openca-tools 1.3.0 on Debian 6 (Old Stable)

I think that this problem could be related to another bug that puts all objects (CA CERT / CERTIFICATE / REQUEST) in all the different categories regardless of their status: CACERT [valid / expired], REQUEST [new / renew / pending / signed / approved / archived / deleted], CERTIFICATE [valid / expired / revoked / suspended]

For example, on OpenCA 1.5.1, on my CA that has:
- one CA cert
- one CRL
- two valid certificates

if I do the following on the node interface:
Node Ops -> Backup and Recovery -> Database

I can see the following:

Thursday 27 February 21:48:13 UTC
Exporting DB ...
Please wait until operation completes
Exporting valid CA_CERTIFICATE ...

Exporting all necessary objects.

cc2821c7d9025aadb34c467ea115980f3e64690b.pem

Exporting expired CA_CERTIFICATE ...

Exporting all necessary objects.

cc2821c7d9025aadb34c467ea115980f3e64690b.pem

Exporting new CRR ...

No objects are present.

Exporting pending CRR ...

No objects are present.

Exporting signed CRR ...

No objects are present.

Exporting approved CRR ...

No objects are present.

Exporting archived CRR ...

No objects are present.

Exporting deleted CRR ...

No objects are present.

Exporting valid CRL ...

Exporting all necessary objects.

1.pem

Exporting new REQUEST ...

Exporting all necessary objects.

256.spkac

512.spkac

Exporting renew REQUEST ...

Exporting all necessary objects.

256.spkac

512.spkac

Exporting pending REQUEST ...

Exporting all necessary objects.

256.spkac

512.spkac

Exporting signed REQUEST ...

Exporting all necessary objects.

256.spkac

512.spkac

Exporting approved REQUEST ...

Exporting all necessary objects.

256.spkac

512.spkac

Exporting archived REQUEST ...

Exporting all necessary objects.

256.spkac

512.spkac

Exporting deleted REQUEST ...

Exporting all necessary objects.

256.spkac

512.spkac

Exporting valid CERTIFICATE ...

Exporting all necessary objects.

998806535358870519861744.pem

419063751874877379914325.pem

Exporting expired CERTIFICATE ...

Exporting all necessary objects.

998806535358870519861744.pem

419063751874877379914325.pem

Exporting revoked CERTIFICATE ...

Exporting all necessary objects.

998806535358870519861744.pem

419063751874877379914325.pem

Exporting suspended CERTIFICATE ...

Exporting all necessary objects.

998806535358870519861744.pem

419063751874877379914325.pem

Exporting archive ...

Load required variables ...

Changing to directory /home/openca/OpenCA/var/openca/tmp/tmp_19420 ...

Running the export command(s) ...

/bin/tar -cvpf /tmp/openca_local -C /home/openca/OpenCA/var/openca/tmp/tmp_19420 .

Archive created successfully.

Test the archive ...

/bin/tar -tvf /tmp/openca_local

Clean up ...Ok.




Nicolás Macia
_____________
CERTunlp

On 27/02/14 21:48, Nicolas Macia wrote:
Hello, I have a problem.

After requesting a digital cert at the public site, a URL is sent to the requester to confirm his email address.

The problem is what is seen at the RA interface:
- CSRs confirmed using the previous URL are tagged with state NEW
- CSRs not confirmed are tagged with state TEMPNEW
- Approved CSRs are tagged with state APPROVED

When I use the node interface to exchange information with the CA, all CSRs of ANY STATE are exported to the CA as approved REQUESTS.

It seems to me that the problem is that the RA should only export approved requests but it doesn't.

Does anyone know what the problem is here?


Thanks
Nico




-----
CeSPI
Centro Superior para el Procesamiento de la Información

Universidad Nacional de La Plata

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel


--- ./src/common/lib/functions/export-import.lib.orig	2010-02-22 00:25:44.000000000 +0100
+++ ./src/common/lib/functions/export-import.lib	2014-03-07 14:03:22.031816409 +0100
@@ -809,6 +809,8 @@
         $next_status = "PENDING";
       } elsif ( ($old_status =~ /RENEW/i) or ($new_status =~ /RENEW/i) ) {
         $next_status = "RENEW";
+      } elsif ( ($old_status =~ /TEMPNEW/i) or ($new_status =~ /TEMPNEW/i) ) {
+        $next_status = "TEMPNEW";
       } else {
         $next_status = "NEW";
       }
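
Review bot: The `or` in the new `elsif` gives TEMPNEW precedence over the default NEW in both directions: a request that is NEW on one side and TEMPNEW on the other resolves to TEMPNEW whichever of `$old_status` and `$new_status` carries it, so a confirmed request can be set back to unconfirmed by a stale copy. If that is the intended fail-safe for unvalidated requests, state it in a comment above the branch; otherwise match TEMPNEW only when both sides report it (`and` instead of `or`). The pattern is also unanchored, like the `/RENEW/i` test above it; `/^TEMPNEW$/i` would keep it from matching any longer state name that contains the string.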