As a Developer I want to forbid uploading an internal TLS certificate that doesn't belong to the key to safeguard users against mistakes

Description

We should forbid users from importing an internal TLS certificate that does not match the key, as there seem to be no valid reasons for doing so, but it will cause issues.

 

Acceptance criteria:

  • The Security Server API checks when an internal TLS certificate is uploaded whether or not it belongs to the internal TLS key

    • If the certificate belongs to the key, the import is allowed

    • If the certificate doesn't belong to the key, the import is halted and an error is returned

  • The Security Server frontend shows the error in a human-readable form

  • The issue where re-uploading the same certificate doesn't show an error on the frontend is fixed
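
A sketch of the certificate-to-key check the acceptance criteria describe, added here as an example; it is not the Security Server's own code. It is written in Go so that it runs on its own, and the names `leafMatchesKey` and `sample` are hypothetical. It also covers the chain upload mentioned in the comments by checking the first certificate in the PEM file.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// leafMatchesKey reads the first certificate of an uploaded PEM file (a single
// cert or a chain, leaf first) and errors unless its public key belongs to key.
func leafMatchesKey(upload []byte, key crypto.Signer) error {
	block, _ := pem.Decode(upload)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no certificate found in upload")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("invalid certificate: %w", err)
	}
	pub, ok := key.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(leaf.PublicKey) {
		return fmt.Errorf("certificate does not match the internal TLS key")
	}
	return nil
}

// sample returns a constructed P-256 key and a self-signed certificate for it.
func sample() (*ecdsa.PrivateKey, []byte) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k)
	if err != nil {
		panic(err)
	}
	return k, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	k, cert := sample()
	fmt.Println("own certificate rejected?", leafMatchesKey(cert, k) != nil)
}
```

The function checks only that the first certificate matches the key; it does not validate the rest of the chain.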

Implementation notes

None

Activity

jarkkohyoty May 31, 2021 at 10:51 AM
Edited

caro.hautamaki May 26, 2021 at 6:26 AM

A new bug ticket based on the findings:

caro.hautamaki May 25, 2021 at 12:44 PM

I tested importing a certificate chain. It should be fine as long as the chain is valid. If the chain is valid, the first certificate in the chain is imported as the internal cert and a new keystore is written based on the chain.

However, importing an invalid certificate chain leads to faulty behavior. In this case, if the first certificate is valid and matches the current internal key, the certificate is saved as the new internal cert. But because the certificate chain is not valid, a new keystore is not written and the old keystore is retained. At this point an exception is thrown and the UI shows an error that importing the new TLS cert has failed, but in reality the cert has been updated behind the scenes. This can be verified even in the UI by refreshing the page.

jarkkohyoty May 21, 2021 at 7:46 AM

Not directly related, but it would be good to check that uploading a certificate chain also works (it is just a PEM file with the certs concatenated in the correct order):

  • internal tls cert

  • intermediate ca cert

  • (...potentially other intermediate certs)

caro.hautamaki May 19, 2021 at 1:05 PM

Done

Details

Created April 30, 2021 at 11:25 AM
Updated June 15, 2021 at 6:58 AM
Resolved June 15, 2021 at 6:58 AM