Bug 1595606
| Summary: | AuditVerify failure due to line breaks [rhel-7.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | high | ||
| Version: | 7.5 | CC: | aakkiang, cfu, mharmsen, msauton, rpattath |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.5.1-14.el7_5 | Doc Type: | Bug Fix |
| Doc Text: | Previously, the CONFIG_ROLE audit event contained line breaks when a role user's certificate was updated using the "pki cli" command. However, the AuditVerify utility treated each line as a separate audit entry. As a consequence, the utility failed when such CONFIG_ROLE events existed in the audit log. This update removes the line breaks from such CONFIG_ROLE events. As a result, AuditVerify can now correctly verify the mentioned event entry. | | |
| Story Points: | --- | | |
| Clone Of: | 1572432 | Environment: | |
| Last Closed: | 2018-08-16 14:20:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1572432 | ||
| Bug Blocks: | |||
Description
Oneata Mircea Teodor
2018-06-27 08:17:01 UTC
commit 1f5e857759cb822093cdc20125fa4d0990432356 (gerrit/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Mon Jun 25 16:46:36 2018 -0700
Ticket 3003 AuditVerify failure due to line breaks
This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks
in audit entry from running pki ca-user-cert-add which would cause AuditVerify
to fail. (note: adding user cert via the java console does not have such issue)
fixes https://pagure.io/dogtagpki/issue/3003
Change-Id: I52814714acebd29774abf0eb66aef3655ef2adb9
Test procedure:

* Perform add cert to a role user using pki cli command as exemplified in https://bugzilla.redhat.com/show_bug.cgi?id=1572432#c6 (Don't use Java Console to do that, as the bug did not affect it in the first place)
* Observe that the CONFIG_ROLE audit entry no longer contains line breaks for the cert b64.
* Additionally, run AuditVerify to see that the entry should be verifiable.

Verified using the following build

```
[root@cloud-qe-09 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.1
Release     : 14.el7_5
Architecture: noarch
Install Date: Tue 17 Jul 2018 02:54:39 PM EDT
Group       : System Environment/Daemons
Size        : 2451469
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.5.1-14.el7_5.src.rpm
Build Date  : Tue 03 Jul 2018 05:22:16 PM EDT
Build Host  : ppc-016.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority
```

Verification steps:

1. Install CA using build pki-ca-10.5.1-13.1 and add role user and add a cert to the user, when audit log has the following:

```
0.http-bio-31443-exec-22 - [12/Jul/2018:09:55:47 EDT] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: LGPubJVykiP8ly5aNO94nqllCU6kXzc+h4WbAop7o64D9IdfJXglZYo71cgECGXwwIARql2CfnBphQE54iH1w3sqmoFJrhFdQBTuzdgUTpWH9vJzuMKGePrX9x3UocbOUcKjuQY5h0b7jP+hfU/qsH2Akq9x8zxpxY5b/BzRJHCcerCM2aVhgYrHI5XaSM2aEXNZNCGecOWLNhWzjPb1Zc52W/qpngXUIdS12ImR92tbjKV4U1UCJzwE15uvNjDPyP/45csR+1/yOmSkj4+nTVglX9PSKLn1/nRbnhAd6aHyRauxPeQwuvals5gX4Wv2OqkLEbKGS+BnKWi93ZXFtg==
0.http-bio-31443-exec-22 - [12/Jul/2018:09:55:47 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.addUserCert] authorization success
0.http-bio-31443-exec-22 - [12/Jul/2018:09:55:47 EDT] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;SubCAadminV+cert;;-----BEGIN CERTIFICATE-----
MIIDtDCCApygAwIBAgIECX+YmTANBgkqhkiG9w0BAQsFADBTMRYwFAYDVQQKEw1F^M
eGFtcGxlLVN1YkNBMRgwFgYDVQQLEw9wa2ktc3ViY2EtSnVsMTExHzAdBgNVBAMT^M
FkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTgwNzEyMTM1MzExWhcNMTkwMTA4^M
MTQ1MzExWjA0MRswGQYKCZImiZPyLGQBAQwLU3ViQ0FhZG1pblYxFTATBgNVBAMM^M
DFN1YkNBIGFkbWluVjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8n^M
0SaS8rzcha35MxR5JHEOflLgSoogQAvHFQvcUnXE6G5y6M8MCcl6DnzuFB450R53^M
c1Pzw8Wl9VhQ9ic+sX6+di7sVA0K6A+f2tMWUoJKJqLo3sk3V1rIhba8kyrAOE6F^M
MnjzvyR06ZGFHoMxRgQGM76rUJ/9sewONCf2iZc7NWR07y67i1Kig7nCIwp7OqOw^M
uO6wCl0ma7E/yolEj2XX+MBv6wQ1VmkoSFwMoijQ+Wf+pE+O7NJjt/MLp5JQUD0B^M
207B+g3de+MF24uh+nQUYzfPePd+OWKgav6uXYFuU67OAP75G472p/XmPvD5uGxQ^M
53NuZe4NL0TH9OtoUOECAwEAAaOBrjCBqzAfBgNVHSMEGDAWgBTOlz1sQrXI53Jd^M
eREtanyRYcdYNjBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUHMAGGPWh0dHA6Ly9j^M
bG91ZC1xZS0wOS5pZG1xZS5sYWIuZW5nLmJvcy5yZWRoYXQuY29tOjMxMDgwL2Nh^M
L29jc3AwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF^M
BQcDBDANBgkqhkiG9w0BAQsFAAOCAQEAumuhXU1ICcJqvX84rppyIAip/jpZm7hh^M
sP0A82/151lLNNS52/7J1Okfgv6aJYaHdT+HZy6MKTEy7XapNqYcwjZGmQAOh44z^M
6+0UIjo+8dHxTEIv2iwYwaNt8ybrgWsAdHnzM3L7sfaMHOa5VqS1vq4FIsLugKrd^M
hn+DxXS2nChyd7gxfw/f2HdEXePwKMNNA+pG/iyb3I1nD5YCOxNtx0yy23tn8cFC^M
RCVj+Ni6J5gT79RGd+dpGfVaXsC7ngXpCUDNru1XOiZtp9uwN02+LbWvmKeglt3Q^M
amXfvQK/Glz5LAhf6qFCXlk/8/qUJKvO8pxTq+BktXnnvO9LouKmQA==^M
-----END CERTIFICATE-----] role configuration parameter(s) change
```

And AuditVerify gives the following output

```
[jsmith@cloud-qe-09 certs_db]$ AuditVerify -d /home/jsmith/certs_db -n "SubCA Audit Signing Certificate" -a audit.txt
Enter password for NSS FIPS 140-2 User Private Key
======
File: ca_audit
======
Line 340: VERIFICATION FAILED: signature of ca_audit:316 to ca_audit:339
Line 557: VERIFICATION FAILED: signature of ca_audit:533 to ca_audit:556
Verification process complete.
Valid signatures: 697
Invalid signatures: 2
```

Upgrade the environment with the latest test builds pki-ca-10.5.1-14.el7_5.noarch (and associates pki-core and RHCS pkgs). Add a role user and add a cert to the user, audit log has the following:

```
0.http-bio-31443-exec-14 - [17/Jul/2018:16:06:08 EDT] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;CAadminC+cert;;-----BEGIN CERTIFICATE-----[certificate data not preserved in this copy]-----END CERTIFICATE-----] role configuration parameter(s) change
```

AuditVerify does not show any new failure.

```
[jsmith@cloud-qe-09 certs_db]$ AuditVerify -d /home/jsmith/certs_db -n "SubCA Audit Signing Certificate" -a audit.txt
Enter password for NSS FIPS 140-2 User Private Key
======
File: ca_audit
======
Line 340: VERIFICATION FAILED: signature of ca_audit:316 to ca_audit:339
Line 557: VERIFICATION FAILED: signature of ca_audit:533 to ca_audit:556
Verification process complete.
Valid signatures: 697
Invalid signatures: 2
```

Tested with freshly installed pki subsystem instances using the build in comment 5 no errors were noticed in Audit verify.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2306
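The following is an added example, not code from Dogtag PKI or from this bug report: a simplified model of why a CONFIG_ROLE entry with embedded line breaks breaks a verifier that treats every line as one audit entry, and how stripping the line breaks from the parameter value restores verification. It assumes an HMAC in place of the audit signing certificate and a verifier that re-reads the file line by line; all function names, the key and the certificate value are constructed for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the audit signing key

# Constructed sample value, not a real certificate; CRLF breaks as in the bad entry.
CERT = "-----BEGIN CERTIFICATE-----\nQUFBQUFB\r\nQkJCQkJC\r\n-----END CERTIFICATE-----"

def normalize_param(value):
    """Drop CR and LF so the value cannot split the audit entry across lines."""
    return value.replace("\r", "").replace("\n", "")

def config_role_entry(cert, normalize):
    """Build a CONFIG_ROLE entry, with or without the normalization applied."""
    if normalize:
        cert = normalize_param(cert)
    return ("[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success]"
            "[ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+cert;;" + cert + "]"
            " role configuration parameter(s) change")

def sign_entries(entries):
    """Writer: MAC over each entry exactly as written, followed by one newline."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for entry in entries:
        mac.update(entry.encode() + b"\n")
    return mac.hexdigest()

def verify_log(log_text, signature):
    """Verifier: reads the file line by line and treats each line as an entry."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for line in log_text.splitlines():  # terminators (\n and \r\n) are dropped
        mac.update(line.encode() + b"\n")
    return hmac.compare_digest(mac.hexdigest(), signature)

def run(normalize):
    """Return (verification result, number of lines the verifier sees)."""
    entries = ["[AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success] authorization success",
               config_role_entry(CERT, normalize)]
    log_text = "".join(e + "\n" for e in entries)
    return verify_log(log_text, sign_entries(entries)), len(log_text.splitlines())

if __name__ == "__main__":
    print("line breaks kept:    ", run(normalize=False))
    print("line breaks removed: ", run(normalize=True))
```

In this model the two entries become five lines when the line breaks are kept, and the carriage returns covered by the writer's MAC are lost when the verifier splits the file into lines, so the check fails; with the value normalized the verifier sees exactly the two entries that were signed.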