TrustPoint-Project / trustpoint

The open source trust anchor software for machines and factories to manage digital identities
https://trustpoint.campus-schwarzwald.de/en/
MIT License
6 stars 0 forks source link

[BUG] RelatedObjectDoesNotExist when trying to revoke a certficate / delete a device whose CA is deleted #118

Open Aircoookie opened 1 month ago

Aircoookie commented 1 month ago

Please give a concise description of the bug Device LDevID certificates are in a partly invalid state after deleting the associated issuing CA. This means LDevID revocation and device deletion (as this internally revokes) will fail.

What are the steps to reproduce the issue?

Second way:

What behavior did you expect?

This is subject to discussion. Regarding domains, I would either:

Options regarding CA:

Which version does the issue occur in? main

Optional notes and context We do have a similar problem if the CA expires, though this would definitely warrant skipping mandatory EE revocation as the certificate is no longer valid anyway once the CA cert is no longer valid.

Aircoookie commented 1 month ago

I addressed this to some degree in the auto-gen-pki branch now, as in that attempting to revoke a certificate without an associated CA will cause an error log entry and message instead of an unhandled exception. It sets the device onboarding state to 'Failed', this behavior is open for discussion.

This approach should ideally still be enhanced by further safeguards e.g. as outlined above.