Skip to content

Make PKIMessage.PKIHeader.senderKID optional for PBE/PBMAC1 #871

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
primetomas merged 1 commit into from
May 12, 2025
Merged

Make PKIMessage.PKIHeader.senderKID optional for PBE/PBMAC1 #871

primetomas merged 1 commit into from
May 12, 2025

Conversation

@mt-johan
Copy link
Contributor

@mt-johan mt-johan commented May 1, 2025

…since it is not used to "uniquely identify a key" as stated in RFC 4210 5.1.1. Contributed under SPDX "LGPL-2.1-or-later".

Describe your changes

RFC 4210 5.1.1 describes the purpose of CMP's PKIMessage.PKIHeader.senderKID.

For PBE/PBMAC1, EJBCA CE only uses this as a courtesy in CmpMessageHelper.protectPKIMessageWithPBMAC1(...) to help a client distinguish between protection keys when present in the request.

   These fields MUST be used if required to uniquely identify a key
   (e.g., if more than one key is associated with a given sender name)
   and SHOULD be omitted otherwise.

How has this been tested?

Shared secret bootstrap use-case where CMP clients gets a cert and trust anchor in IP.

CMP config:

  • RA mode
  • HMAC authentication module with "Specify secret"
  • Random username generation with prefix
  • Response protection set to pbe
  • Response Additional CA certificates with 1 CA cert.
  • No renewal
  • No server gen keys

Sending IR protected with PBMAC1 (hmacWithSHA256 due to a bug in BC.)

  • Not setting PKIMessage.PKIHeader.senderKID results in a signed PKIMessage (IP).
  • Setting PKIMessage.PKIHeader.senderKID to an empty KeyIdentifier (OCTET STRING) returns a PBMAC1 protected PKIMessage (IP).

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have kept the patch limited to only change the parts related to the patch
  • This change requires a documentation update

See also Contributing Guidelines.

@mt-johan
Make PKIMessage.PKIHeader.senderKID optional for PBE/PBMAC1 since it …
395e6ca 
…is not used to "uniquely identify a key" as stated in RFC 4210 5.1.1. Contributed under SPDX "LGPL-2.1-or-later".
@primetomas primetomas merged commit 9923c72 into Keyfactor:main May 12, 2025
@mt-johan mt-johan deleted the feature/no-senderkid-req-for-pbmac1 branch May 12, 2025 15:21
@primetomas
Copy link
Collaborator

primetomas commented May 12, 2025

Damn it. I found missing things in this PR. There are some other places where the same thing happens, for other types of messages.
CmpConfirmResponseMessage and CmpErrorResponseMessage

funnily CmpRevokeResponseMessage does already ignore the KeyID. That's how I found it, I started updating a system test (I forgot to mention that tests were missing :-)), and I could not repeat this with a revocation message.

@primetomas
Copy link
Collaborator

primetomas commented May 12, 2025

Can you create a new PR fixing the missing entries.

@mt-johan mt-johan mentioned this pull request May 12, 2025
Merged
3 tasks
@mt-johan
Copy link
Contributor Author

mt-johan commented May 12, 2025

#878 created.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mt-johan @primetomas