Closed Bug 1778536 Opened 2 years ago Closed 2 years ago

Update handling of large PEM data in 'New Intermediate Cert' button

Categories

(CA Program :: Common CA Database, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: kathleen.a.wilson, Assigned: poonam)

Details

Bugzilla Bug #1777341 contains 10 attachments of extremely large (~30,000 characters) certificate PEMs.

Let's try (in Sandbox first) increasing the PEM import, PEM field and PEM results field to 30k characters.

PEM field sizes on Account & Root Case have been increased to 30k (sandbox only). A few programs that intake the PEM and process it have also been updated to check the max size and the associated error messages. PEM intake is done when a new root cert or intermediate cert is added. PEM is also processed via Root Inclusion cases.

I imported the 10 extremely large intermediate certificates in Bugzilla Bug #1777341 into Sandbox. The "Extraction Results" field size was not impacted, so we do not need to increase the size of the "Extraction Results" field. The "X.509 Certificate (PEM)" field is the only field that needs to be updated to handle 30k characters.

PEM field sizes on Account & Root Case have been increased to 30k (sandbox only).

Please only make the change to Account. And do NOT make the change to Root Case.
This is only a problem for a very small number of intermediate certificates. Root Certificates will not ever be this large.

A few programs that intake the PEM and process it have also been updated to check the max size and the associated error messages. PEM intake is done when a new root cert or intermediate cert is added. PEM is also processed via Root Inclusion cases.

Please only make the change for the PEM import caused by the "New Intermediate Cert" button.
Do not make the change to Root Inclusion cases.

We have reverted the code changes for now. Will revisit this request again later.

Summary: Increase PEM field size to 30k characters → Increase PEM field size to 30k characters - for intermediate certificates only

Sorry, there was a problem with the detection of inactive users. I'm reverting the change.

Assignee: nobody → poonam
Flags: needinfo?(kwilson)

Is there any way that this can be moved to Production just for Intermediate CA Certificates?
These 10 CA certificates are still listed here:
https://crt.sh/mozilla-disclosures
Thanks.

Severity: -- → S2

The PEM field is common to Root as well as Intermediate cert records. If we change the field size, it impacts both record types.

We have about 8000 records in the CA/Owner Certificate object and we have storage room to grow. Also, in this case increasing the field length in CCADB will not have a negative impact on performance.

I have a different idea. This request is just so that we can handle a very small number of revoked certificates, so instead of increasing the size of the PEM field...

Please update the 'New Intermediate Cert' button on root and intermediate certificate pages as follows:

  1. Remove "field length limit of 15,000 characters" check from the 'Validate PEM Info' button.

  2. On the page resulting from the 'Validate PEM Info' button, display a warning when the PEM is longer than 15,000 characters that says:
    "Warning: The PEM is longer than 15,000 characters so the original PEM will not be stored in the CCADB record, only the Extraction Results will be stored. Click on the 'Create Cert' button to proceed anyways."

  3. Have the 'Create Cert' button not update the 'X.509 Certificate (PEM)' field when the PEM is longer than 15,000 characters. But still copy the values from the 'Extraction Results' field into the corresponding fields in the 'Certificate Data' section.

Note: Bugzilla Bug #1777341 contains 10 attachments of extremely large (~30,000 characters) certificate PEMs that will be good for testing.
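An added example, not CCADB code (which runs on Salesforce), sketching the three-step behaviour requested above in Python: 'Validate PEM Info' parses the PEM and warns above 15,000 characters instead of rejecting it, and 'Create Cert' then stores only the Extraction Results for such a PEM. Only the SHA-256 fingerprint is modelled as an extraction result, and the PEM produced by make_test_pem is constructed filler, not a real certificate.

```python
import base64
import hashlib
import re

PEM_STORE_LIMIT = 15_000  # characters; the threshold named in this bug
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
LONG_PEM_WARNING = (
    "Warning: The PEM is longer than 15,000 characters so the original PEM "
    "will not be stored in the CCADB record, only the Extraction Results will "
    "be stored. Click on the 'Create Cert' button to proceed anyways.")


def validate_pem_info(pem: str) -> dict:
    """Step 1 and 2: parse the PEM, derive extraction results, and return a
    warning (not an error) when the PEM exceeds the storage limit."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("not a PEM-encoded certificate")
    der = base64.b64decode("".join(match.group(1).split()))
    results = {
        # CCADB fingerprints are uppercase hex without separators.
        "sha256_fingerprint": hashlib.sha256(der).hexdigest().upper(),
        "der_length": len(der),
    }
    warning = LONG_PEM_WARNING if len(pem) > PEM_STORE_LIMIT else None
    return {"pem": pem, "extraction_results": results, "warning": warning}


def create_cert(validated: dict) -> dict:
    """Step 3: always copy Extraction Results into Certificate Data, but leave
    the 'X.509 Certificate (PEM)' field empty when the PEM was too long."""
    too_long = validated["warning"] is not None
    return {
        "certificate_data": dict(validated["extraction_results"]),
        "x509_certificate_pem": None if too_long else validated["pem"],
    }


def make_test_pem(der_len: int) -> str:
    """Constructed input: deterministic filler bytes wrapped as a PEM body
    (not a real certificate); der_len=22000 gives a ~30k-character PEM."""
    der = bytes((i * 7 + 3) % 256 for i in range(der_len))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")
```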

Summary: Increase PEM field size to 30k characters - for intermediate certificates only → Update handling of large PEM data in 'New Intermediate Cert' button

You could log in as Admin and then click on the 'CA Owner/Certificates' tab -> click on the 'New' button to manually enter the data.

I added records for the intermediate certs with the following SHA256 Fingerprints.

I decided to add these by hand, so that we would not need to increase the size of the PEM field just for these.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Product: NSS → CA Program
Severity: S2 → --
Priority: P1 → --
Whiteboard: [ccadb-enhancement]