Bug 1466486
| Summary: | CMC plugin default change | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Christina Fu <cfu> | |
| Component: | pki-core | Assignee: | Christina Fu <cfu> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
| Priority: | urgent | |||
| Version: | 7.4 | CC: | arubin, cfu, gkapoor, jmagne, mharmsen, msauton, salmy | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | No Doc Update | ||
| Doc Text: |
undefined
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1469432 (view as bug list) | Environment: | ||
| Last Closed: | 2018-04-10 17:00:07 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1469432 | |||
|
Comment 5
Christina Fu
2017-07-07 20:36:41 UTC
Earlier we test it using: https://bugzilla.redhat.com/show_bug.cgi?id=1466486#c3 I think this is no more valid because we don't have fixed passphrase . Please suggest if I need to look into something else in this bugzilla. A quick test is : 1. Enable identityproofv2. 2. set witness.sharedsecret=testing This is the old one which doesn't resembles to the original passphrase value set during CMCSharedToken cli. 3. Run CMCRequest and the httpclient. 4. Check the debug logs: [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.getSharedToken(String identification): got entryShrTok [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.decryptShrTokData: wrapped session key retrieved [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.decryptShrTokData: wrapped passphrase retrieved [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.getSharedToken(String identification): returning [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: returnConn: mNumConns now 5 [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyDigest: in verifyDigest: hashAlg=SHA-512 Message Digest from Mozilla-JSS, <initialized> ; macAlg=SHA-512 Message Digest from Mozilla-JSS, <initialized> [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyDigest: The content of two HMAC digest are not the same. [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyIdentityProofV2: IdentityProofV2 failed to verify [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyIdentityProofV2: Failed with Exception: IdentityProofV2 failed to verify [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SignedAuditLogger: event CMC_PROOF_OF_IDENTIFICATION [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile: parseCMC: after verifyIdentityProofV2 [31/Jan/2018:13:49:26][http-bio-20443-exec-16]: ProfileSubmitCMCServlet: after createRequests - Proof-of-Identification Verification Failed after verifyIdentityProofV2 5. Result : During Identity proof verification it failed. 6. For a correct value of witness, output looks like: [31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile:verifyIdentityProofV2: identity verified. Updating auditSubjectID [31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile:verifyIdentityProofV2: updated auditSubjectID is:user2@#$% [31/Jan/2018:13:50:45][http-bio-20443-exec-22]: SignedAuditLogger: event CMC_PROOF_OF_IDENTIFICATION [31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile: parseCMC: passed verifyIdentityProofV2; Proof of Identity successful; [31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile: parseCMC: found numOfOtherMsgs: 0 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925 |