Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Serverside generated Tokens over CMP are labeled as usergenerated #408

Open
Sysidint opened this issue Nov 13, 2023 · 3 comments
Open

Serverside generated Tokens over CMP are labeled as usergenerated #408

Sysidint opened this issue Nov 13, 2023 · 3 comments

Comments

@Sysidint
Copy link

I'm using the Keyfactor Docker ejbca-ce version 8.0.0 (as a test case) to request client certificates from the server over CMP (with bouncycastle) with the server-side generated keys workflow. The certificates from the clients are used to encrypt files, therefore they need to be recoverable, so all server-side generated tokens are configured to be recoverable. The issue is, all CMP requested certificates are labeled in the RA GUI as user-generated and therefore are not recoverable. The CMP message from the client does not include a private key, the answer from the server includes a private key and certificate that i can extract and use.

My workflow is similar to https://github.com/rgorosito/ejbca/blob/master/modules/systemtests/src-test/org/ejbca/core/protocol/cmp/CrmfRequestTest.java -> test12ServerGeneratedKeys.

Is there a different way to recover CMP requested keys ? Or is this some unexpected behavior ?

At the very moment my request does not contain a certificate template with unique values, i'm just sending the new user (userDN), the public key for the encryption secret and the algorithms that should be used.

@primetomas
Copy link
Collaborator

primetomas commented Nov 15, 2023

Hi,
The correct link to the test case is this: https://github.com/Keyfactor/ejbca-ce/blob/main/modules/systemtests/src-test/org/ejbca/core/protocol/cmp/CrmfRequestTest.java

The use case to store keys generated by CMP CA generated keys is not implemented. The use case for CMP CA generated keys has so far been to generate keys for devices that don't have good, or fast, enough onboard key generation. So for CA generated authentication keys, which are not recoverable.

Indeed the label usergenerated sounds confusing.

It is expected behavior at this time. It's considered a feature request for now.

I will create a developer ticket for this, but since we haven't had this use case before I can't say that it will be in a roadmap any time soon.

@primetomas
Copy link
Collaborator

For references (not publicly available yet, but in the future): https://jira.primekey.se/browse/ECA-11981

@primetomas
Copy link
Collaborator

For reference, I started this work in ECA-11981, some refactoring and clean-ups is needed to implement this nicely.
As a question, would you also use CMP for recovering keys stored by the CA? How do you see doing that recovery work-flow using CMP?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants