Bug 1469447

Summary: CC: CMC: check HTTPS client authentication cert against CMC signer
Product: Red Hat Enterprise Linux 7
Reporter: Jaroslav Reznik <jreznik>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Docs Contact: Petr Bokoc <pbokoc>
Priority: urgent
Version: 7.4
CC: arubin, cfu, gkapoor, lmiksik, mharmsen, msauton, pbokoc
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-10.4.1-12.el7_4
Doc Type: Enhancement
Doc Text:
This enhancement adds an SSL client authentication certificate check against the CMC signer for CMC requests.
Story Points: ---
Clone Of: 1460764
: 1518175
Environment:
Last Closed: 2017-09-05 11:25:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1460764    
Bug Blocks:    
Attachments:
Description: Test_combinations (Flags: none)

Description Jaroslav Reznik 2017-07-11 09:44:11 UTC
This bug has been copied from bug #1460764 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 3 Geetika Kapoor 2017-08-23 11:03:12 UTC
Test build:
------------
rpm -qa pki-ca
pki-ca-10.4.1-12.el7_4.noarch

Test case 1: Testing done for HttpClient enabled with client mode and secure port.
Test case 2: Testing for the above test case 1 with self-signed is done.
Test case 3: Testing for the above test case 1 with user-signed is done.
Test case 4: Testing is done for different combinations and attached in Excel (Test_combinations).

Test Steps:
==========

1. Follow steps mentioned in https://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#User-Signed_CMC_Renewal_Request.
2. Run PKCS10Client -d . -p SECret.123 -n "cn=Test74z4,uid=letstest" -o user-signed/pkcs10.req

Make sure it is successful and output should look like:

Keypair private key id: 4ee9aee7bfffc155c798475e57d6c86653e21ef4

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

3. Replace the private key generated above in the CMC file.
4. Run the CMC file using CMCRequest.
5. Run HttpClient.
6. Check using CMCResponse that a correct response is getting generated.
7. Go to the CA Agent page and see that a certificate is getting generated.
8. Make sure that the newly signed certificate which gets created has:

AKI of newly signed certificate (c1) == user signing certificate AKI (c2) == SKI of CA cert used to sign c2
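
The two checks behind the test steps above, written out as an added example; this is not pki-core's code and not part of the bug comments. It builds a throwaway CA, a user signing certificate (c2) and a renewed certificate (c1) with the Python `cryptography` library in place of a real CA, then verifies the step 8 condition AKI(c1) == AKI(c2) == SKI(CA). The second function illustrates the check this bug adds, that the HTTPS client authentication certificate is the CMC signer; comparing the two by SHA-256 fingerprint is an assumption made here for illustration, not a description of how pki-core implements it. Names such as `renewal_chain_ok`, `tls_client_matches_cmc_signer` and `build_demo` are this example's own.

```python
"""Added example (not pki-core's own code).

Assumptions: certificates are generated locally with the `cryptography`
library instead of coming from a Dogtag CA, and the CMC signer check is
shown as a DER fingerprint comparison, which may differ from pki-core.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject_cn, subject_key, issuer_cert, issuer_key, is_ca=False):
    """Issue a certificate carrying SKI and AKI, signed with issuer_key.
    When issuer_cert is None the certificate is self-signed (a root CA)."""
    now = datetime.now(timezone.utc)
    pub = subject_key.public_key()
    ski = x509.SubjectKeyIdentifier.from_public_key(pub)
    if issuer_cert is None:
        issuer_name, issuer_ski = _name(subject_cn), ski
    else:
        issuer_name = issuer_cert.subject
        issuer_ski = issuer_cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_KEY_IDENTIFIER).value
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(ski, critical=False)
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski),
            critical=False)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def subject_key_id(cert):
    """Raw SKI bytes of a certificate."""
    return cert.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_KEY_IDENTIFIER).value.digest


def authority_key_id(cert):
    """Raw AKI keyIdentifier bytes, or None when the extension is absent."""
    try:
        return cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value.key_identifier
    except x509.ExtensionNotFound:
        return None


def renewal_chain_ok(new_cert, signer_cert, ca_cert):
    """Step 8 of the test: AKI(c1) == AKI(c2) == SKI of the CA that signed c2."""
    aki_new, aki_signer = authority_key_id(new_cert), authority_key_id(signer_cert)
    return aki_new is not None and aki_new == aki_signer == subject_key_id(ca_cert)


def tls_client_matches_cmc_signer(tls_client_cert, cmc_signer_cert):
    """Illustrative form of the check this bug adds: the certificate presented for
    HTTPS client authentication must be the certificate that signed the CMC
    request. Compared here by SHA-256 fingerprint of the DER encoding (assumption)."""
    return (tls_client_cert.fingerprint(hashes.SHA256())
            == cmc_signer_cert.fingerprint(hashes.SHA256()))


def build_demo():
    """Constructed sample material: one CA, a user signing cert c2, a renewed cert
    c1 for the same key, plus an unrelated CA and user cert for negative cases."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _issue("Demo CA", ca_key, None, ca_key, is_ca=True)
    other_ca = _issue("Other CA", other_ca_key, None, other_ca_key, is_ca=True)
    user_key = ec.generate_private_key(ec.SECP256R1())
    signer = _issue("Test74z4", user_key, ca, ca_key)    # c2, signs the CMC request
    renewed = _issue("Test74z4", user_key, ca, ca_key)   # c1, result of the CMC renewal
    stranger = _issue("someone-else", ec.generate_private_key(ec.SECP256R1()), ca, ca_key)
    return {"ca": ca, "other_ca": other_ca, "signer": signer,
            "renewed": renewed, "stranger": stranger}


if __name__ == "__main__":
    d = build_demo()
    print("AKI/SKI chain ok:", renewal_chain_ok(d["renewed"], d["signer"], d["ca"]))
    print("TLS client is CMC signer:", tls_client_matches_cmc_signer(d["signer"], d["signer"]))
    print("stranger as TLS client:", tls_client_matches_cmc_signer(d["stranger"], d["signer"]))
```

Against real material, load c1, c2 and the CA certificate with `x509.load_pem_x509_certificate` and pass them to `renewal_chain_ok`; a mismatch in the middle term means the renewal was signed by a different CA than the one that issued the signer certificate, which is exactly what step 8 is meant to catch.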

Comment 4 Geetika Kapoor 2017-08-23 11:04:06 UTC
Created attachment 1317058
Test_combinations

Comment 6 errata-xmlrpc 2017-09-05 11:25:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2575