Bug 1404794

Summary: Audit Log Signature verification failures
Product: Red Hat Enterprise Linux 7 Reporter: Matthew Harmsen <mharmsen>
Component: pki-coreAssignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 7.3CC: arubin, bbhavsar, edewata, gkapoor, msauton, nkinder
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.1-1.el7 Doc Type: Bug Fix
Doc Text:
Signed audit log verification now works correctly Previously, due to improper logging system initialization and incorrect signature calculation by the verification tool, signed audit log verification could fail on the first log entry and after log rotation. With this update, the logging system and the verification tool have been fixed. As a result, signed audit log verification now works correctly in the mentioned scenarios.
 Story Points: ---
Clone Of:
: 1463347 (view as bug list) Environment:
Last Closed: 2018-04-10 16:56:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1463347    

Description Matthew Harmsen 2016-12-14 16:31:34 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2561

It was observed that when audit signing logs rotate, the first signature entry in the next log file (for the last entries of the previous rotated log file) would sometimes fail to verify.
To reproduce, set log.instance.SignedAudit.maxFileSize to a small number (e.g. 3)
and restart the server; Do a few issuance to cause some entries to be written and rotate; run AuditVerify to observe.
Comment 4 Endi Sukma Dewata 2017-06-13 03:55:18 UTC 
Steps to reproduce:

1. Install CA. By default log signing is disabled, so there are no signatures.
2. Run pki-server ca-audit-file-verify.
3. Set log.instance.SignedAudit.logSigning=true in /etc/pki/pki-tomcat/ca/CS.cfg.
4. Restart Tomcat. This will generate some signatures.
5. Run pki-server ca-audit-file-verify.
6. Set log.instance.SignedAudit.maxFileSize=5 in /etc/pki/pki-tomcat/ca/CS.cfg.
7. Restart Tomcat. This will trigger log rotation since the current log file size already exceeds the limit. It will also generate additional signatures.
8. Run pki-server ca-audit-file-verify.

Actual result:

* In step 2 the CLI reported 1 invalid signature due to unsigned log.
* In step 5 the CLI reported 1 invalid signature due to a bug in AuditVerify when validating the first signature.
* In step 8 the CLI reported 2 invalid signatures. The first one is the same as in step 5. The second one is invalid due to a bug on the server during log rotation.

Expected result:

* In step 2 the CLI should report no invalid signatures because there are no signatures.
* In step 5 the CLI should report no invalid signatures because the first signature should be ignored.
* In step 8 the CLI should report no invalid signatures because subsequent signatures should be valid regardless of log rotation.
Comment 5 Endi Sukma Dewata 2017-06-14 22:39:45 UTC 
Fixed in master:
* https://github.com/dogtagpki/pki/commit/ab2e24b3087368a2aadfcda77323a7d0aa70db80
* https://github.com/dogtagpki/pki/commit/fac7ebb8fd21f60a06241d6e132c8a4f5972a773
Comment 9 bhavik 2017-12-27 18:02:01 UTC 
Build verified with 10.5.1-5
[root@bkr-hv01-guest02 ~]# yum list pki-*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
pki-base.noarch                                                                                          10.5.1-5.el7                                                             @RHEL75     
pki-base-java.noarch                                                                                     10.5.1-5.el7                                                             @RHEL75     
pki-ca.noarch                                                                                            10.5.1-5.el7                                                             @RHEL75     
pki-console.noarch                                                                                       10.5.1-3.el7pki                                                          @RHCS93     
pki-kra.noarch                                                                                           10.5.1-5.el7                                                             @RHEL75     
pki-ocsp.noarch                                                                                          10.5.1-5.el7pki                                                          @RHCS93     
pki-server.noarch                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-symkey.x86_64                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-tks.noarch                                                                                           10.5.1-5.el7pki                                                          @RHCS93     
pki-tools.x86_64                                                                                         10.5.1-5.el7                                                             @RHEL75     
pki-tps.x86_64                                                                                           10.5.1-5.el7pki                                                          @RHCS93     


Steps followed as per https://bugzilla.redhat.com/show_bug.cgi?id=1404794#c4 mentioned by Endi

Before changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg.

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA

Verification process complete.
Valid signatures: 155
Invalid signatures: 0

After changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg.

Restarted tomcat instance

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA

Verification process complete.
Valid signatures: 163
Invalid signatures: 0

files created 
ca_audit                 ca_audit.20171227124631

New signatures where added due to new log file rotation.

Since no invalid signatures found marking this as verified.
Comment 15 errata-xmlrpc 2018-04-10 16:56:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925