mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
This update turns on certificate revocation checking for uploaded certificates:

- Updated `CertServiceImpl` to be able to enable revocation checking.
- Introduced a new parameter `ENABLED_REVOCATION_CHECK` for `UploadSslCertCmd`.
- Updated `CertServiceTest`.

Even if no CRLs are specified via `PKIXParameters`, the certificates themselves may still provide info for revocation checking:

- The AIA extension may contain a URL to the OCSP responder.
- The CRLDP extension contains a URL to the CRL.

Those extensions may need to be explicitly enabled by setting the system properties `com.sun.security.enableAIAcaIssuers` and `com.sun.security.enableCRLDP` to true. See [Java PKI Programmer's Guide](https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html).

Using a revoked certificate may be dangerous. One of the most common reasons why a certificate authority (CA) revokes a certificate is that the private key has been compromised. For example, the private key might have been stolen by an adversary.

If I understand correctly, the `CertServiceImpl` bean is used for operations with certificates on a load balancer. In particular, it validates a certificate chain without revocation checking while uploading a certificate. If a compromised revoked certificate is then used by the load balancer, then it may result in compromising TLS connections. However, the attacker has to be able to implement a man-in-the-middle attack to compromise the connections. So the attacker has to be quite powerful. Therefore, such an attack is definitely not easy to implement. On the other hand, the impact may be significant because of loss of confidentiality.

This has been discussed on security@cloudstack.apache.org
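The following is an added example, not CloudStack's own code and not part of the commit above, showing what PKIX validation of an uploaded chain looks like once revocation checking is turned on. The class name `RevocationCheckExample`, the `validate`/`readCerts`/`defaultTrustAnchors` helpers, the choice of the JDK's default truststore as the anchor set, and reading the chain and an optional CRL from files on the command line are all assumptions made for the example. It sets the two system properties from the commit message, which control fetching CRLs through the CRL Distribution Points extension and issuer certificates through the AIA caIssuers access method, and it uses a `PKIXRevocationChecker`, which queries the OCSP responder named in the AIA extension by default and falls back to CRLs (here the order is flipped with `PREFER_CRLS`). The checker is left in its default hard-fail mode: an OCSP responder or CRL that cannot be reached makes the upload fail rather than silently pass, which is the behaviour one wants when the whole point is to refuse a certificate whose key may have been stolen.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class, not CloudStack code): PKIX chain validation
// with revocation checking enabled, as a standalone illustration of the commit above.
public final class RevocationCheckExample {

    // Assumption: trust anchors come from the JDK default truststore (cacerts or javax.net.ssl.trustStore).
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()) {
            anchors.add(new TrustAnchor(root, null));
        }
        return anchors;
    }

    // Parse every certificate (PEM or DER) from the stream; leaf first is the expected order.
    static List<X509Certificate> readCerts(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(in)) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    // Validate the chain; when revocationCheck is true, OCSP/CRL status is consulted for every certificate.
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, Set<TrustAnchor> anchors,
                                                boolean revocationCheck, Collection<X509CRL> localCrls)
            throws Exception {
        // A CertPath must not contain the trust anchor itself, so drop any uploaded root that is already an anchor.
        Set<X509Certificate> anchorCerts = new HashSet<>();
        for (TrustAnchor a : anchors) {
            if (a.getTrustedCert() != null) {
                anchorCerts.add(a.getTrustedCert());
            }
        }
        List<X509Certificate> path = new ArrayList<>(chain);
        path.removeIf(anchorCerts::contains);
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(revocationCheck);
        if (localCrls != null && !localCrls.isEmpty()) {
            // CRLs supplied by the caller are consulted before any network fetch.
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(localCrls)));
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        if (revocationCheck) {
            // Let the JDK follow the CRLDP and AIA caIssuers URLs carried in the certificates.
            System.setProperty("com.sun.security.enableCRLDP", "true");
            System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
            PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
            // Try CRLs before OCSP; no SOFT_FAIL, so an unreachable source rejects the chain.
            checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            params.addCertPathChecker(checker);
        }
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: RevocationCheckExample chain.pem [crl.pem]");
            System.exit(2);
        }
        List<X509Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = readCerts(in);
        }
        Collection<X509CRL> crls = new ArrayList<>();
        if (args.length > 1) {
            try (InputStream in = new FileInputStream(args[1])) {
                crls.add((X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in));
            }
        }
        try {
            PKIXCertPathValidatorResult r = validate(chain, defaultTrustAnchors(), true, crls);
            System.out.println("chain OK, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                System.out.println("REJECTED: certificate at index " + e.getIndex() + " is revoked");
            } else {
                System.out.println("REJECTED: " + e.getReason() + " - " + e.getMessage());
            }
        }
    }
}
```

Two things to check when wiring this into a service: whether the management server can reach the OCSP/CRL URLs at all (if it cannot, hard-fail mode rejects every upload, and `PKIXRevocationChecker.Option.SOFT_FAIL` should only be enabled consciously, with `getSoftFailExceptions()` logged), and that `CertPathValidatorException.getReason()` is inspected so a revoked certificate is reported distinctly from an expired one or a broken chain.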