On 06.09.24 at 09:33, Martin Bartosch wrote:
Hi,
I have an issue with cert import.
I have several realms defined, the 2 involved here are "xca" and "prodxca".
If I import a cert into "prodxca" it gets imported into "xca" and I cannot
figure out why:
$ openxpkicli --realm prodxca --arg data="$(cat prodxca/import/013C522BCC6F5A2B.crt)" --arg profile="tls_server" --arg update=1 import_certificate
{
"authority_key_identifier" : null,
..
"pki_realm" : "xca",
..
}
Check your command line: the JSON argument to import_certificate says xca.
The command line is the one above, and I don't see a reference to "xca":
$ openxpkicli --realm prodxca --arg data="$(cat prodxca/import/013C522BCC6F5A2B.crt)" --arg profile="tls_server" --arg update=1 import_certificate
The command logged into realm prodxca:
==> /var/log/openxpki/openxpki.log <==
2024/09/06 14:09:21 INFO Login successful (user: Anonymous, role: System)
[pid=55746|sid=0E7d|pki_realm=prodxca]
so the realm used is "prodxca".
I think I know what's causing the observed behaviour.
The cert 013C522BCC6F5A2B.crt was first imported in realm xca. If I try to import the
same cert into realm prodxca it fails with "Cert already exists", despite the
fact that I specified different realms. Import with update=1 changes the cert in realm xca,
even if I specify realm=prodxca.
If I have an issuer cert in realm xca and import a cert signed by this issuer
in realm prodxca the cert will be imported into realm xca, the issuer's realm.
This is described in Server/API2/Plugin/Cert/import_certificate.pm, but I'm not
sure I understand the reasons for it. I expected the realms to be separated, with
certificates only visible in the specified realm, and certs without a realm
visible to all realms.
But pki_realm is not in the where clause, the check searches in all realms:
    # Check if the certificate is already in the PKI
    my $existing_cert = $dbi->select_one(
        from    => 'certificate',
        columns => [ qw( identifier pki_realm status req_key ) ],
        where   => { identifier => $cert_identifier },
    );
I quickly scanned the code and found more statements without pki_realm in the
where clause, so it seems to be a design decision. Why are the certificates not
separated by pki_realm?
Best,
-ap
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
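An added illustration of the behaviour discussed in this thread (this is not OpenXPKI code and not from any participant): a small in-memory stand-in for the certificate table, with one lookup that mirrors the quoted select_one (where clause on identifier only) and a hypothetical realm-scoped variant. Since OpenXPKI derives the certificate identifier from the certificate data itself, the same cert yields the same identifier in every realm, so a lookup keyed on identifier alone matches whichever realm imported it first. The function names, the sample rows and the identifier strings are constructed for the example.

```python
import sqlite3

# Constructed sample rows modelled on the columns the quoted select_one reads
# from OpenXPKI's 'certificate' table. The identifier strings are made-up
# placeholders, not real OpenXPKI certificate identifiers.
SAMPLE_CERTS = [
    ("ID-LEAF-013C522B", "xca",     "ISSUED", None),  # leaf first imported into realm xca
    ("ID-ISSUER-CA",     "xca",     "ISSUED", None),  # its issuer lives in realm xca
    ("ID-OTHER-LEAF",    "prodxca", "ISSUED", None),
]


def build_db():
    """In-memory stand-in for the certificate table, loaded with SAMPLE_CERTS."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE certificate ("
        "identifier TEXT, pki_realm TEXT, status TEXT, req_key TEXT)"
    )
    db.executemany("INSERT INTO certificate VALUES (?, ?, ?, ?)", SAMPLE_CERTS)
    return db


def find_existing_global(db, identifier):
    """Same where clause as the quoted Perl: identifier only, any realm."""
    return db.execute(
        "SELECT identifier, pki_realm, status, req_key FROM certificate "
        "WHERE identifier = ?",
        (identifier,),
    ).fetchone()


def find_existing_in_realm(db, identifier, realm):
    """Hypothetical realm-scoped lookup, i.e. what the poster expected."""
    return db.execute(
        "SELECT identifier, pki_realm, status, req_key FROM certificate "
        "WHERE identifier = ? AND pki_realm = ?",
        (identifier, realm),
    ).fetchone()


def simulate_import(db, identifier, realm, update=False, scope_by_realm=False):
    """Model of the import decision; returns the realm the record ends up in.

    Raises ValueError ("Cert already exists") when the lookup finds a row and
    update is not set, mirroring the error reported in the thread.
    """
    if scope_by_realm:
        existing = find_existing_in_realm(db, identifier, realm)
    else:
        existing = find_existing_global(db, identifier)

    if existing is None:
        db.execute(
            "INSERT INTO certificate VALUES (?, ?, 'ISSUED', NULL)",
            (identifier, realm),
        )
        return realm
    if not update:
        raise ValueError(f"Cert already exists (in realm {existing[1]})")
    # update=1 touches the row that was found, so the record stays in the
    # realm it was first imported into, whatever --realm said.
    return existing[1]


def realms_holding(db, identifier):
    """All realms that have a row for this identifier, sorted."""
    rows = db.execute(
        "SELECT pki_realm FROM certificate WHERE identifier = ? ORDER BY pki_realm",
        (identifier,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    try:
        simulate_import(db, "ID-LEAF-013C522B", "prodxca")
    except ValueError as e:
        print("plain import:", e)
    print("update=1 lands in:",
          simulate_import(db, "ID-LEAF-013C522B", "prodxca", update=True))
    print("realm-scoped lands in:",
          simulate_import(db, "ID-LEAF-013C522B", "prodxca", scope_by_realm=True))
    print("realms holding it:", realms_holding(db, "ID-LEAF-013C522B"))
```

Run it and the first attempt fails with "Cert already exists", the update=1 attempt reports realm xca, and only the realm-scoped variant creates a second row under prodxca. If realms are meant to be an isolation boundary, the check before import (and any audit query that relies on it) needs pki_realm in its where clause; as the thread notes, the realm-independent check appears to be an upstream design decision, so this is a point to raise with the project rather than something to patch locally.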