Bug 1532748

Summary: Unauthorized and Invalid number format Exception during revoked certs usage
Product: Red Hat Enterprise Linux 8
Reporter: Geetika Kapoor <gkapoor>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED UPSTREAM
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: ascheel, mharmsen
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-03-13 20:50:42 UTC
Type: Bug

Description Geetika Kapoor 2018-01-09 17:37:12 UTC
Description of problem:

When I tried to use a revoked certificate, I observed the behavior below.


Issue 1: system, debug and audit logs are not in sync.
Issue 2: we face an Invalid number format error.
Issue 3: Since the certificate is revoked, why is it hitting Unauthorized? Unauthorized should not come once we revoke certs. It should come once we change the permissions, e.g. by removing the user from a group.

Version-Release number of selected component (if applicable):

10.5

How reproducible:

always
Steps to Reproduce:

Step 1:

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" client-cert-request "cn=testing,uid=testusercert" --profile caUserCert
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: pending
  Operation Result: success

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" cert-request-review 80000012  --action approve
-------------------------------------
Approved certificate request 80000012
-------------------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x8226cb48
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-add test1 --fullName test1
------------------
Added user "test1"
------------------
  User ID: test1
  Full name: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-cert-add test1 --serial 0x8226cb48
--------------------------------------------------------------------------------------------------------------------------------
Added certificate "2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing"
--------------------------------------------------------------------------------------------------------------------------------
  Cert ID: 2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing
  Version: 2
  Serial Number: 0x8226cb48
  Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
  Subject: UID=testusercert,CN=testing
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Certificate Manager Agents" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1
[root@csqa4-guest04 75]# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Administrators" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1

Testing
=====
# pki -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika --fullName geetika
--------------------
Added user "geetika"
--------------------
  User ID: geetika
  Full name: geetika


Step 2: Revoke this certificate.
Step 3: Make sure it is part of your CA's CRL.

CRL:

Certificate revocation list contents

    Certificate Revocation List: 
        Data: 
            Signature Algorithm: SHA512withRSA
            Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
            This Update: Wednesday, January 10, 2018 7:04:47 AM EST America/New_York
            Next Update: Wednesday, January 10, 2018 9:00:00 AM EST America/New_York
            Revoked Certificates: 1-2 of 2
                Serial Number: 0x8226CB48
                Revocation Date: Monday, January 8, 2018 6:01:08 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: Certificate_Hold
                    Identifier: Invalidity Date - 2.5.29.24
                        Critical: no 
                        Invalidity Date: Sat Jan 06 13:30:00 EST 2018
                Serial Number: 0x1D5144C
                Revocation Date: Monday, January 8, 2018 5:17:32 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: CA_Compromise

Step 4: Now try the same testing procedure again.

# pki -v -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika11 --fullName geetika

com.netscape.certsrv.base.PKIException: Unauthorized
    at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
    at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
    at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
    at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)


Debug logs:
=======
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: PKIRealm: Authenticating certificate chain:
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: PKIRealm.getAuditUserfromCert: certUID=UID=testusercert, CN=testing
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: PKIRealm:   UID=testusercert, CN=testing
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: CertUserDBAuth: started
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: CertUserDBAuth: Retrieving client certificate
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: CertUserDBAuth: Got client certificate
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: SignedAuditLogger: event AUTH
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Audit logs:
======

0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=testusercert,CN=testing][Outcome=Success] access session establish success
0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=testusercert, CN=testing][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=UID=testusercert, CN=testing] authentication failure
0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=testusercert,CN=testing][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

System logs:
========

0.http-bio-28443-exec-6 - [08/Jan/2018:06:01:34 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-24 - [08/Jan/2018:06:01:44 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-13 - [08/Jan/2018:06:02:06 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-20 - [08/Jan/2018:06:03:02 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-21 - [08/Jan/2018:06:05:43 EST] [3] [3] Servlet caCheckRequest: Invalid number format: 0x8226CB48
0.http-bio-28443-exec-2 - [10/Jan/2018:00:02:10 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-17 - [10/Jan/2018:07:03:48 EST] [11] [3] UGSubsystem: Add User To Group netscape.ldap.LDAPException: error result (20)
0.http-bio-28443-exec-14 - [10/Jan/2018:07:04:05 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.


Certificate status from cli:
=================

pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-cert-show 0x08226cb48
------------------------
Certificate "0x8226cb48"
------------------------
  Serial Number: 0x8226cb48
  Subject DN: UID=testusercert,CN=testing
  Issuer DN: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
  Status: REVOKED
  Not Valid Before: Mon Jan 08 05:49:21 EST 2018
  Not Valid After: Sat Jul 07 05:49:21 EDT 2018
  Revoked On: Mon Jan 08 06:01:08 EST 2018
  Revoked By: caadmin


Actual results:

The system, debug and audit logs are not in sync.
We face an Invalid number format error.

Expected results:

It should work.
Additional info:


devel comments:

<edewata> gkapoor, probably it fails at this code: new BigInteger(requestId);
<edewata> gkapoor, it fails since the requestId is a hex string instead of decimal
<edewata> gkapoor, here's the code: https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java#L281
<edewata> gkapoor, the problem happens because the code is trying to parse a request ID with value 0x8226CB4 as a bigint, which expects a decimal value. I'm not sure why it's doing that; that will need further investigation.
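The log sources the report calls out of sync can be joined on the worker thread name and timestamp they share (exec-4 at 06:04:09 appears in both the audit and the system excerpt above). The following is an added example, not code from the bug report or from the pki project: it parses the audit and system log line formats quoted in the report, enriches the generic AUTH failure with the "revoked" reason the system log carries, and accepts the 0x-prefixed serial that the Invalid number format line shows being rejected. The sample lines are copied from the report; the CRL_REVOKED table is constructed from the CRL dump.

```python
import re

# Audit and system logs share the worker thread name and the timestamp; that pair is the join key.
HEAD = re.compile(r"^0\.(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] (?P<rest>.*)$")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")            # [Key=Value] fields of audit lines
BADNUM = re.compile(r"Invalid number format: (\S+)")
REVOKED = "Agent certificate has been revoked."

def parse_id(text):
    """Accept both id spellings seen in the report: '0x' hex and plain decimal
    (Java's new BigInteger(String) takes only decimal, hence the exception)."""
    text = text.strip()
    return int(text[2:], 16) if text.lower().startswith("0x") else int(text, 10)

# Serials and reasons copied from the CRL dump in the report, keyed by integer value.
CRL_REVOKED = {parse_id("0x8226CB48"): "Certificate_Hold", parse_id("0x1D5144C"): "CA_Compromise"}

def parse_line(line):
    """Turn one audit or system log line into a dict (None if it does not match)."""
    m = HEAD.match(line)
    if not m:
        return None
    rec = {"thread": m["thread"], "ts": m["ts"]}
    fields = dict(FIELD.findall(m["rest"]))
    bad = BADNUM.search(m["rest"])
    if fields:                                   # audit line
        rec.update(fields)
    elif REVOKED in m["rest"]:                   # system line: revoked agent cert
        rec["reason"] = "certificate revoked"
    elif bad:                                    # system line: hex id handed to a decimal parser
        serial = parse_id(bad.group(1))
        rec.update(reason="invalid number format", id=serial, crl_reason=CRL_REVOKED.get(serial))
    return rec

def correlate(audit_lines, system_lines):
    """One record per failed AUTH audit event, enriched with the system log's reason
    for the same thread and timestamp (the report shows exec-4 at 06:04:09 in both)."""
    by_key = {(r["thread"], r["ts"]): r for r in map(parse_line, system_lines) if r}
    out = []
    for r in filter(None, map(parse_line, audit_lines)):
        if r.get("AuditEvent") == "AUTH" and r.get("Outcome") == "Failure":
            hit = by_key.get((r["thread"], r["ts"]), {})
            out.append({"subject": r["SubjectID"], "authmgr": r["AuthMgr"],
                        "reason": hit.get("reason", "unknown")})
    return out

# Sample lines copied from the report's audit and system log excerpts.
SAMPLE_AUDIT = ["0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=testusercert, CN=testing][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=UID=testusercert, CN=testing] authentication failure"]
SAMPLE_SYSTEM = ["0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.",
                 "0.http-bio-28443-exec-21 - [08/Jan/2018:06:05:43 EST] [3] [3] Servlet caCheckRequest: Invalid number format: 0x8226CB48"]
```

Running `correlate(SAMPLE_AUDIT, SAMPLE_SYSTEM)` yields a single record whose reason is "certificate revoked", and `parse_line` on the caCheckRequest line resolves 0x8226CB48 to 2183580488, the decimal value that appears in the Cert ID earlier in the report.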

Comment 2 Matthew Harmsen 2018-01-18 19:50:25 UTC
Per PKI Team Meeting of 20180118 moving to RHEL 7.6.

Comment 3 Matthew Harmsen 2018-07-04 00:33:06 UTC
Moved to RHEL 7.7.