Bug 1506819
| Summary: | Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | unspecified | ||
| Version: | 7.5 | CC: | cfu, gkapoor, mharmsen |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.5.1-1.el7 | Doc Type: | Bug Fix |
| Doc Text: |
Certificate System correctly logs the user name in CMC request audit events
Previously, when Certificate System received a Certificate Management over CMS (CMC) request, the server logged an audit event with the *SubjectID* field set to "$NonRoleUser$". As a result, administrators could not verify who issued the request. This update fixes the problem, and Certificate System now correctly logs the user name in the mentioned scenario.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 17:01:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Matthew Harmsen
2017-10-26 20:56:36 UTC
commit 328654627bfb6d65ae795b5435409c1724d20458 (HEAD -> master, origin/master, origin/HEAD) Author: Christina Fu cfu Date: Mon Oct 23 15:56:39 2017 -0700 Ticket #2819 Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY This patch fixes https://pagure.io/dogtagpki/issue/2819 Before this patch, one would see something like the following (with generic SubjectID): [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification After this patch, one would see the SubjectID being filled in: [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=UID=TestAgent2,OU=example][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification Change-Id: I3385a771e0c43d5db7c51e806991039cf14c8b42 Test Environment: ================ non -HSM rpm -qa pki-* pki-core-debuginfo-10.4.1-17.el7_4.x86_64 pki-tools-10.5.1-1.el7.x86_64 pki-ocsp-10.5.1-1.el7pki.noarch pki-kra-10.5.1-1.el7.noarch pki-console-10.5.1-1.el7pki.noarch pki-tps-10.5.1-1.el7pki.x86_64 pki-javadoc-10.4.1-17.el7_4.noarch pki-base-java-10.5.1-1.el7.noarch pki-ca-10.5.1-1.el7.noarch pki-base-10.5.1-1.el7.noarch pki-symkey-10.5.1-1.el7.x86_64 pki-server-10.5.1-1.el7.noarch pki-tks-10.5.1-1.el7pki.noarch Test Result: =========== RootCA --> ExternalCA (nssdb) (dogtag-pki) ca/signedAudit/ca_audit:0.http-bio-8443-exec-1 - [28/Nov/2017:17:16:27 IST] [14] [6] [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE][Outcome=Success][ReqType=enrollment][CertSubject=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE][SignerInfo=CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE] agent pre-approved CMC request signature verification One question: Now we see the correct value of SubjectID but still signerInfo has "$Unidentified$". Also the CertSubject is not picked correctly because certSubject is "[CertSubject=CN=Test11,UID=Testing,OU=test]" which is correctly picked by AuditEvent=PROFILE_CERT_REQUEST. 0.http-bio-20443-exec-2 - [24/Jan/2018:06:41:53 EST] [14] [6] [AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID=CN=PKI Administrator,E=example,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA][Outcome=Success][ReqType=enrollment][CertSubject=OU=test, , CN=Test11][SignerInfo=$Unidentified$] User signed CMC request signature verification success (In reply to Geetika Kapoor from comment #6) > One question: > > Now we see the correct value of SubjectID but still signerInfo has > "$Unidentified$". Also the CertSubject is not picked correctly because > certSubject is "[CertSubject=CN=Test11,UID=Testing,OU=test]" which is > correctly picked by AuditEvent=PROFILE_CERT_REQUEST. > > > 0.http-bio-20443-exec-2 - [24/Jan/2018:06:41:53 EST] [14] [6] > [AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID=CN=PKI > Administrator,E=example,OU=gkapoor_RHCS_75,O=Example-rhcs92- > CA][Outcome=Success][ReqType=enrollment][CertSubject=OU=test, , > CN=Test11][SignerInfo=$Unidentified$] User signed CMC request signature > verification success Changing gkapoor request for info from me to cfu as she resolved this bug. (In reply to Geetika Kapoor from comment #6) > One question: > > Now we see the correct value of SubjectID but still signerInfo has > "$Unidentified$". Also the CertSubject is not picked correctly because > certSubject is "[CertSubject=CN=Test11,UID=Testing,OU=test]" which is > correctly picked by AuditEvent=PROFILE_CERT_REQUEST. > > > 0.http-bio-20443-exec-2 - [24/Jan/2018:06:41:53 EST] [14] [6] > [AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID=CN=PKI > Administrator,E=example,OU=gkapoor_RHCS_75,O=Example-rhcs92- > CA][Outcome=Success][ReqType=enrollment][CertSubject=OU=test, , > CN=Test11][SignerInfo=$Unidentified$] User signed CMC request signature > verification success Could you provide the entire test case complete with configuration and steps to produce? In general, whether information will be displayed or not depends on stage of the process. If info is not there in the audit log, there is a chance that logically the server does not have the info. For example, if it's a Shared Token request, then in no way will the server know who is responsible for it until the shared token is checked. In terms of security, One should look at ALL audit events produced by one request. If the info is eventually gleaned and put in any of the audit entry, then it's considered good. (In reply to Christina Fu from comment #9) > (In reply to Geetika Kapoor from comment #6) > > One question: > > > > Now we see the correct value of SubjectID but still signerInfo has > > "$Unidentified$". Also the CertSubject is not picked correctly because > > certSubject is "[CertSubject=CN=Test11,UID=Testing,OU=test]" which is > > correctly picked by AuditEvent=PROFILE_CERT_REQUEST. > > > > > > 0.http-bio-20443-exec-2 - [24/Jan/2018:06:41:53 EST] [14] [6] > > [AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID=CN=PKI > > Administrator,E=example,OU=gkapoor_RHCS_75,O=Example-rhcs92- > > CA][Outcome=Success][ReqType=enrollment][CertSubject=OU=test, , > > CN=Test11][SignerInfo=$Unidentified$] User signed CMC request signature > > verification success > > Could you provide the entire test case complete with configuration and steps > to produce? > > In general, whether information will be displayed or not depends on stage of > the process. If info is not there in the audit log, there is a chance that > logically the server does not have the info. For example, if it's a Shared > Token request, then in no way will the server know who is responsible for it > until the shared token is checked. > In terms of security, One should look at ALL audit events produced by one > request. If the info is eventually gleaned and put in any of the audit > entry, then it's considered good. -- This behaviour I am seeing with an User CMC scenario like http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#User-signed_CMC_requests_Example_.28with_PopLinkWitnessV2.29 If you want we can look this offline and if needed raise a different bugzilla. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925 |