Bug 1460764
| Summary: | CC: CMC: check HTTPS client authentication cert against CMC signer | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Christina Fu <cfu> | |
| Component: | pki-core | Assignee: | Christina Fu <cfu> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
| Priority: | urgent | |||
| Version: | 7.4 | CC: | cfu, gkapoor, lmiksik, mharmsen, msauton, pbokoc | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | pki-core-10.4.1-10.el7 | Doc Type: | No Doc Update | |
| Doc Text: |
https://bugzilla.redhat.com/show_bug.cgi?id=1518180#c7
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1469447 (view as bug list) | Environment: | ||
| Last Closed: | 2018-04-10 16:58:29 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1469447 | |||
|
Description
Christina Fu
2017-06-12 16:22:04 UTC
pushed to dogtag master commit 63c9582009b3858a6878863b9658d04c9aad45c1 Author: Christina Fu <cfu> Date: Wed Jun 14 14:57:10 2017 -0700 Libor, Since we will be building snapshot-5 to address https://bugzilla.redhat.com/show_bug.cgi?id=1461533, we would appreciate if you would also provide a blocker flag for this bug since it blocks QE from testing CMC. -- Matt commit 32cf3850935590f7f4cd457b824cc296b6af44b9
Author: Christina Fu <cfu>
Date: Wed Jun 14 14:57:10 2017 -0700
Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer
This patch adds enforcement in CMCUserSignedAuth to make sure SSL client aut
Some auditing adjustments are also done.
(cherry picked from commit 63c9582009b3858a6878863b9658d04c9aad45c1)
Test bits: ========== rpm -qa nss* pki-* jss* nss-softokn-devel-3.34.0-2.el7.x86_64 nss-softokn-3.34.0-2.el7.x86_64 pki-tools-10.5.1-6.el7.x86_64 pki-ocsp-10.5.1-6.el7pki.noarch pki-javadoc-10.5.1-5.1.el7.noarch nss-3.34.0-4.el7.x86_64 nss-pem-1.0.3-4.el7.x86_64 nss-sysinit-3.34.0-4.el7.x86_64 nss-util-devel-3.34.0-2.el7.x86_64 nss-softokn-freebl-devel-3.34.0-2.el7.x86_64 nss-devel-3.34.0-4.el7.x86_64 pki-base-10.5.1-6.el7.noarch pki-symkey-10.5.1-6.el7.x86_64 pki-server-10.5.1-6.el7.noarch pki-kra-10.5.1-6.el7.noarch pki-tks-10.5.1-6.el7pki.noarch pki-console-10.4.1-7.el7pki.noarch pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64 nss-softokn-freebl-3.34.0-2.el7.x86_64 nss-util-3.34.0-2.el7.x86_64 jss-4.4.0-11.el7.x86_64 pki-base-java-10.5.1-6.el7.noarch pki-ca-10.5.1-6.el7.noarch pki-tps-10.5.1-6.el7pki.x86_64 nss-tools-3.34.0-4.el7.x86_64 Test Cases: ========== 1.With no password mentioned in httpclient config. HttpClient user-signed/HttpClient-cmc-crmf.self.cfg Missing nickname for the client certificate 2. When nickname in cmcrequest file doesn't match with httpclient nickname. [31/Jan/2018:23:44:59][http-bio-20443-exec-3]: CMCUserSignedAuth: verifySignerInfo: SSL client authentication certificate and CMC signer do not match [31/Jan/2018:23:44:59][http-bio-20443-exec-3]: CMCUserSignedAuth: authenticate: Invalid Credential.:SSL client authentication certificate and CMC signer do not match With above mentioned test cases , This bugzilla is tested and marking as verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925 |