Update handling of large PEM data in 'New Intermediate Cert' button
Categories
(CA Program :: Common CA Database, task)
Tracking
(Not tracked)
People
(Reporter: kathleen.a.wilson, Assigned: poonam)
Details
Bugzilla Bug #1777341 contains 10 attachments of extremely large (~30,000 characters) certificate PEMs.
Let's try (in Sandbox first) increasing the PEM import, PEM field and PEM results field to 30k characters.
Assignee
Comment 1 • 2 years ago
PEM field sizes on Account & Root Case have been increased to 30k (sandbox only). A few programs that intake the PEM and process it have also been updated to check the max size and the associated error messages. PEM intake is done when a new root cert and intermediate cert is added. PEM is also processed via Root Inclusion cases.
Reporter
Comment 2 • 2 years ago
I imported the 10 extremely large intermediate certificates in Bugzilla Bug #1777341 into Sandbox. The "Extraction Results" field size was not impacted, so we do not need to increase the size of the "Extraction Results" field. The "X.509 Certificate (PEM)" field is the only field that needs to be updated to handle 30k characters.
> PEM field sizes on Account & Root Case have been increased to 30k (sandbox only).
Please only make the change to Account. And do NOT make the change to Root Case.
This is only a problem for a very small number of intermediate certificates. Root Certificates will not ever be this large.
> A few programs that intake the PEM and process it have also been updated to check the max size and the associated error messages. PEM intake is done when a new root cert and intermediate cert is added. PEM is also processed via Root Inclusion cases.
Please only make the change for the PEM import caused by the "New Intermediate Cert" button.
Do not make the change to Root Inclusion cases.
Reporter
Comment 3 • 2 years ago
We have reverted the code changes for now. Will revisit this request again later.
Comment hidden (off-topic)
Comment 5 • 2 years ago
Sorry, there was a problem with the detection of inactive users. I'm reverting the change.
Comment 6 • 2 years ago
Is there any way that this can be moved to Production just for Intermediate CA Certificates?
These 10 CA certificates are still listed here:
https://crt.sh/mozilla-disclosures
Thanks.
Assignee
Comment 7 • 2 years ago
PEM field is common for Root as well as Intermediate cert records. If we change the field size, it impacts both record types.
We have about 8000 records in the CA/Owner Certificate object and we have storage to grow. Also, in this case increasing the field length in CCADB will not cause a negative impact on performance.
Reporter
Comment 8 • 2 years ago
I have a different idea. This request is just so that we can handle a very small number of revoked certificates, so instead of increasing the size of the PEM field...
Please update the 'New Intermediate Cert' button on root and intermediate certificate pages as follows:
- Remove "field length limit of 15,000 characters" check from the 'Validate PEM Info' button.
- On the page resulting from the 'Validate PEM Info' button, display a warning when the PEM is longer than 15,000 characters that says:
  "Warning: The PEM is longer than 15,000 characters so the original PEM will not be stored in the CCADB record, only the Extraction Results will be stored. Click on the 'Create Cert' button to proceed anyways."
- Have the 'Create Cert' button not update the 'X.509 Certificate (PEM)' field when the PEM is longer than 15,000 characters. But still copy the values from the 'Extraction Results' field into the corresponding fields in the 'Certificate Data' section.
Note: Bugzilla Bug #1777341 contains 10 attachments of extremely large (~30,000 characters) certificate PEMs that will be good for testing.
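The behaviour requested in Comment 8, sketched as an added example that is not part of the bug thread and is not CCADB's own code. The function and field names are hypothetical, the SHA-256 fingerprint and DER length stand in for the full 'Extraction Results', and the sample input is a constructed DER-shaped blob rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_FIELD_LIMIT = 15_000  # character limit quoted in Comment 8
WARNING = ("Warning: The PEM is longer than 15,000 characters so the original "
           "PEM will not be stored in the CCADB record, only the Extraction "
           "Results will be stored.")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def validate_pem_info(pem: str) -> dict:
    """'Validate PEM Info' step: decode, fingerprint, warn instead of reject."""
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("payload is not a DER SEQUENCE")
    # Stand-in for the full 'Extraction Results' (assumption): the fingerprint
    # is computed over the DER bytes, so it survives even if the PEM is dropped.
    results = {"sha256_fingerprint": hashlib.sha256(der).hexdigest().upper(),
               "der_length": len(der)}
    warning = WARNING if len(pem) > PEM_FIELD_LIMIT else None
    return {"extraction_results": results, "warning": warning}


def create_cert(pem: str) -> dict:
    """'Create Cert' step: always copy the results, store the PEM only if it fits."""
    info = validate_pem_info(pem)
    record = dict(info["extraction_results"])
    record["x509_certificate_pem"] = pem if info["warning"] is None else None
    return record


def constructed_pem(body_len: int) -> str:
    """Constructed sample: a DER-shaped blob of zero bytes, not a real certificate."""
    der = b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for n in (600, 22_000):
        rec = create_cert(constructed_pem(n))
        print(n, rec["sha256_fingerprint"][:16], rec["x509_certificate_pem"] is not None)
```

Because the fingerprint is taken from the decoded DER before the size decision, a record created without its PEM can still be matched against the certificate as published elsewhere.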
Assignee
Comment 9 • 2 years ago
You could log in as Admin and then click on 'CA Owner/Certificates' tab -> click on 'New' button to manually enter the data.
Reporter
Comment 10 • 2 years ago
I added records for the intermediate certs with the following SHA256 Fingerprints.
Reporter
Comment 11 • 2 years ago
I decided to add these by hand, so that we would not need to increase the size of the PEM field just for these.