Bug 1572432

Summary: AuditVerify failure due to line breaks
Product: Red Hat Enterprise Linux 7
Reporter: Asha Akkiangady <aakkiang>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Priority: high
Version: 7.5
CC: cfu, mharmsen, msauton, rpattath
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pki-core-10.5.9-2.el7
Doc Type: No Doc Update
Clones: 1595606
Last Closed: 2018-10-30 11:07:04 UTC
Type: Bug
Bug Blocks: 1595606

Description Asha Akkiangady 2018-04-27 01:45:28 UTC
Description of problem:
AuditVerify failed because the audit log entry right before the failed one contained line breaks, which confused the AuditVerify tool.

Version-Release number of selected component (if applicable):
pki-ca-10.5.1-11.el7.noarch
pki-tools-10.5.1-11.el7.x86_64

How reproducible:


Steps to Reproduce:
Retrieve the audit log file as an auditor user and verify signed audit logs as described in http://www.dogtagpki.org/wiki/Verifying_Signed_Audit_Logs
1. audit file has these entries where the failure occurred:
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: wZgV7M+H3xHhOAJvhTpUMKzxVMlfwwHqQyf/SCTyvcUUOyLZWlhzI9idtYqK4g5LC5qDFtjbB4MM2QWpW2rt3pA/TW+qhSay1oe1VisLpVVZOLKNFQBudH5MExu+iG/zdxOyaWvcISr79x82Zeo/MhjjX4gffVcSlCmoKu6qThT3svcMEMV+O4ls5cYgWsPQEivGW/KsB9bGepdwEJgEKLLiyBYk2kpatrMCike4p8cSG6sYYMHIQwF1q/PV0bJ0SmkqXDHKk7NdOBNG2tSiPPqBrdx7rCcZIHbIc830yA/yR1qqUIsKEW22Ey3T7SuMhOBYPAwH+f8FahLrMAQ7wg==
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.addUserCert] authorization success
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Failure][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;CAadminV+cert;;-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIEDYETuDANBgkqhkiG9w0BAQ0FADBdMRYwFAYDVQQKEw1F^M
eGFtcGxlLVN1YkNBMSIwIAYDVQQLExlyaGNzOTMtVE1TLVN1YkNBLWFha2tpYW5n^M
MR8wHQYDVQQDExZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4MDQxMTE4NDY0^M
MVoXDTE4MTAwODE4NDY0MVowLjEYMBYGCgmSJomT8ixkAQEMCENBYWRtaW5WMRIw^M
EAYDVQQDDAlDQSBhZG1pblYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB^M
AQDBBeFrOvzADtc3uQc9m8/QchamqaaUYZdsTIBt9ODz2JpccV1CaWpWZ5tpPPnu^M
o0bp17g4yTGAPNXTa75IiIU2EEWk98ZLLMJmPLdLuxJZbBIZaLADXLiW17FOC1ab^M
+XPynJujU85d/3O6PgWpLaD335zmBpEBWS8Ldcwl/gu9ls9i8q5URMWYvNT8SzI3^M
Axu4YUdDP8433sGNO9vFlMx+tUW1g1ID3hRZsJjPkCCImVBZMorqRtXM1eYl1caX^M
p60mmKj7DXGh6KE4Fnd4rYPGZs/fBEWtoWqI34M2KLfLx2Srw8QMn1gjT3lhygTH^M
TG1VkffMY5mbxZuUv1RHc9lhAgMBAAGjgaYwgaMwHwYDVR0jBBgwFoAUK4Bfo2u6^M
SW0p6q58dlNCXxOVw30wUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUFBzABhjVodHRw^M
Oi8vY3NxYTEuaWRtLmxhYi5lbmcucmR1LnJlZGhhdC5jb206MzEwODAvY2Evb2Nz^M
cDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME^M
MA0GCSqGSIb3DQEBDQUAA4IBAQANqT1giWsXRgZTikEAhoNuDtI/3JJol8EIT515^M
BX7T0F9h7MhV3un4InXjLH3dz/DYporkSNnFc/vj/jIn1s6+5M5qS5kb9Dtm1hcz^M
Y2TdMdeXk5zR/Vjlz7FCpMs75Zepozmlyo6vjs4zZb0bu1ESB5++iRBpa8Vin3yv^M
hTHokz2fWzeFcTyzO/CrBzUE/FEZ+1qMXHQzhEp8LAKluOEDVJIhI4q0s8k/HgB6^M
cFElkiG2SBzHf0Tdt3vjMd1NzV/OMPYhS0867AKJa7jfwS8nStD5toNxiAdLyL+V^M
o1JlodHf7L69WzFnPtYzcS1Ej5cv77xNJ43z94lCqcNvximv^M
-----END CERTIFICATE-----] role configuration parameter(s) change
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: EnvUJBvTSjCLnnXPHy8ImYHU8dRWiXH8pi+GUIu5Xp2XQ5BTuV2rIysNGUSfZwBKCJKa/hvhGvYh+toyk1ZU1pJHzOFsJZ0Vjxsm9fGH+5sUWMLLbCT/kJTmko2MxDQxY0o/dBt7PSACoArNFZvEZa8711up6Ds55V7dMxDgI27vR02hldW6FjQAMK9roi0xrJDh3DgfpaO33L7My+BxrIcH2TSLKHdCfoIveDLMJx2VY7grhkP/qD40etMk50oVKM0dgYFWcBd9EytDWigGaa/HgED2pxpUaZUtZaHmDzc7ouZwBJa9PeZ5XbZxSnRr1gvU6HQichgMEy5hpctiNA==
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.1][ServerIP=10.12.28.1][SubjectID=CN=PKI Administrator,E=example,OU=rhcs93-TMS-SubCA-aakkiang,O=Example-SubCA][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0./var/lib/pki/rhcs93-TMS-SubCA-aakkiang/logs/ca/signedAudit/ca_audit.flush-4 - [11/Apr/2018:14:51:00 EDT] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: dG5jAYj9TVNWhzFn2squJ0MC5o/9az62IG2ZycYAZXogB3jNm3oY94VxyV1PkbMwp9IcQ7qD/nQ/92aoGqLllOqWK+uQutKF+qgO1V9no/P2dQMMa4229GgYZ+b40WCSrtKfzaOWRW5vp3G4BXaEUecW79LD7jiwqmpRbm3i1ih7cumTY/8DuE5aWQKuHM6SKCyhL9/m2iUnEB4JG64uMwR8rlI4IWPlpwzgyYl+naSmJWCSBn5FUIH3Rm3A28tMaiUi/X5U+Yqz6zNAgdmVos5XNtXqAJazgtTtFSzqkpqauISMDKxV3ym+YRSCEPQl613rsKPGh+ryMoP1nzMT1w==


2. $ AuditVerify -d . -n "CA Audit Signing Certificate" -a audit.txt 
Enter password for NSS FIPS 140-2 User Private Key

======
File: ca_audit
======
Line 1964: VERIFICATION FAILED: signature of ca_audit:1940 to ca_audit:1963
Line 1997: VERIFICATION FAILED: signature of ca_audit:1973 to ca_audit:1996
Line 2044: VERIFICATION FAILED: signature of ca_audit:2020 to ca_audit:2043
Line 2793: VERIFICATION FAILED: signature of ca_audit:2769 to ca_audit:2792

Verification process complete.
Valid signatures: 817
Invalid signatures: 4


Actual results:
The AuditVerify tool got confused by the line breaks and failed.

Expected results:
AuditVerify should be successful.

Additional info:

Comment 2 Asha Akkiangady 2018-04-27 01:52:35 UTC
The audit log entry right before the failed one is AuditEvent=CONFIG_ROLE, which contains a base64 cert that has line breaks, which confused the AuditVerify tool.

Comment 3 Matthew Harmsen 2018-04-27 02:22:21 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.5.z

cfu: required for CC

Comment 6 Christina Fu 2018-06-25 18:22:15 UTC
Notes:
Investigation shows that the issue reported was caused by running the following CLI:
 pki -d /root/.dogtag/rhqa_pki/certs_db  -n "PKI CA Administrator for Non-TMS-CA" -c <password> -h `hostname` -p 8080 ca-user-cert-add CAadminV --input  /root/.dogtag/rhqa_pki/certs_db/CAadminV.pem

For comparison, I performed the same operation through the Java console and did not have the same issue:
[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;caaudit+cert;;-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----] role configuration parameter(s) change

Comment 7 Christina Fu 2018-06-26 16:53:48 UTC
https://review.gerrithub.io/c/dogtagpki/pki/+/416765


commit e3c0a58596d969d0fe4a25b8ad087bc3f1cf1462 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu.redhat.com>
Date:   Mon Jun 25 18:38:20 2018 -0700

    Ticket 3003 AuditVerify failure due to line breaks
    
    This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks
    in audit entry from running pki ca-user-cert-add which would cause AuditVerify
    to fail. (note: adding user cert via the java console does not have such issue)
    
    fixes https://pagure.io/dogtagpki/issue/3003
    
    Change-Id: Iac60089349e78755ff94ce3231ee294ce8668f72
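
The following is an added, constructed model of the failure in the description (a CONFIG_ROLE entry whose PEM value carries CRLF line breaks, the ^M-terminated lines above) and of the normalization the patch in this comment describes. It is not Dogtag's AuditVerify, its Java signing code, or the upstream patch. Assumptions, marked in the code: the signer computes the signature over the entries of one flush joined by "\n"; the verifier reads the file back line by line the way a Java BufferedReader would (treating \r, \n and \r\n as terminators) and re-joins with "\n"; HMAC-SHA256 with a fixed key stands in for the RSA signature made with the audit signing key; `normalize_param`, `continuation_lines` and the log-line prefix regex are my own names. The `continuation_lines` helper is the check a practitioner would run to find the offending entry inside a failed range reported by AuditVerify.

```python
"""Simplified model of why an audit entry with embedded line breaks defeats
signed-audit verification, and of the normalization that fixes it.

Constructed example for this bug; not Dogtag's AuditVerify, its Java
signing code, or the upstream patch.  Assumptions: the signer signs the
entries of one flush joined by "\n"; the verifier re-reads the file line by
line the way a Java BufferedReader would (\r, \n and \r\n all end a line) and
re-joins with "\n".  HMAC-SHA256 with a fixed key stands in for the RSA
signature made with the audit signing key.
"""
import base64
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # stand-in for the audit signing private key
PREFIX = "0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] "
SIG_MARK = ("[AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] "
            "signature of audit buffer just flushed: sig: ")
# Every real entry starts "<thread> - [<timestamp>] [<n>] [<n>] [AuditEvent=..."
ENTRY_RE = re.compile(r"^\S+ - \[[^\]]+\] \[\d+\] \[\d+\] \[AuditEvent=")

# Constructed PEM with CRLF line endings, like the ^M-terminated lines in the report.
CERT_CRLF = ("-----BEGIN CERTIFICATE-----\r\n"
             "MIIDsDCCApigAwIBAgIEDYETuDANBgkqhkiG9w0BAQ0FADBd\r\n"
             "-----END CERTIFICATE-----")


def sign(data: bytes) -> str:
    """Stand-in signature (HMAC, not RSA) over the flushed buffer."""
    return base64.b64encode(hmac.new(KEY, data, hashlib.sha256).digest()).decode()


def normalize_param(value: str) -> str:
    """Collapse CR/LF runs inside a parameter value so the entry stays on one
    line.  Assumed analogue of the patch's normalization of CONFIG_ROLE params."""
    return re.sub(r"[\r\n]+", " ", value)


def config_role_entry(cert_pem: str, normalize: bool) -> str:
    value = normalize_param(cert_pem) if normalize else cert_pem
    return (PREFIX + "[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Failure]"
            "[ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;CAadminV"
            "+cert;;" + value + "] role configuration parameter(s) change")


def write_flush(entries):
    """One flush: the entries, then a signature over exactly those entry strings."""
    sig = sign("\n".join(entries).encode())
    return "\n".join(entries + [PREFIX + SIG_MARK + sig]) + "\n"


def verify_log(text: str):
    """Re-read line by line and check each signature against the lines buffered
    since the previous signature.  Returns one bool per signature entry."""
    results, buffered = [], []
    for line in text.splitlines():          # universal newlines: \r\n -> one break
        pos = line.find(SIG_MARK)
        if pos < 0:
            buffered.append(line)
            continue
        claimed = line[pos + len(SIG_MARK):]
        results.append(hmac.compare_digest(claimed, sign("\n".join(buffered).encode())))
        buffered = []
    return results


def continuation_lines(text: str):
    """1-based numbers of physical lines that do not start a new entry: the
    spill-over lines of an entry with embedded breaks, i.e. where to look when
    AuditVerify reports a failed range."""
    return [i for i, line in enumerate(text.splitlines(), 1) if not ENTRY_RE.match(line)]


def demo(normalize: bool) -> tuple:
    authz = PREFIX + ("[AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success]"
                      "[aclResource=certServer.ca.users][Op=execute] authorization success")
    text = write_flush([authz, config_role_entry(CERT_CRLF, normalize)])
    return verify_log(text), continuation_lines(text)


if __name__ == "__main__":
    print("unnormalized:", demo(False))   # ([False], [3, 4])
    print("normalized:  ", demo(True))    # ([True], [])
```

The signer saw the CONFIG_ROLE entry as one string containing "\r\n"; the reader splits it into three physical lines and drops the CR bytes when it re-joins, so the bytes it hashes no longer match what was signed and the whole flush fails. Normalizing the parameter value before it is logged keeps each entry on one physical line, which is what the patch does for CONFIG_ROLE.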

Comment 10 Roshni 2018-07-30 15:28:42 UTC
[root@nocp1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.9
Release     : 3.el7
Architecture: noarch
Install Date: Thu 26 Jul 2018 10:45:40 AM EDT
Group       : System Environment/Daemons
Size        : 2451202
License     : GPLv2
Signature   : RSA/SHA256, Mon 23 Jul 2018 07:23:55 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.5.9-3.el7.src.rpm
Build Date  : Mon 23 Jul 2018 07:10:18 PM EDT
Build Host  : ppc-042.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=1595606#c5 and https://bugzilla.redhat.com/show_bug.cgi?id=1595606#c7

Comment 12 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195