Bug 1611245
| Summary: | Certificate generation happens with partial attributes in CMCRequest file [rhel-7.5.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | high | | |
| Version: | 7.5 | CC: | cfu, gkapoor, mharmsen, msauton, rpattath |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.5.1-15.el7_5 | Doc Type: | Bug Fix |
| Doc Text: | Previously, if a user signed a Certificate Management over CMS (CMC) request using a self-signed profile, Certificate System issued a certificate. This bug has been fixed. As a result, users can now use a self-signed profile when authenticating using the Shared Token method. | | |
| Story Points: | --- | | |
| Clone Of: | 1601071 | Environment: | |
| Last Closed: | 2018-09-25 19:07:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1601071 | | |
| Bug Blocks: | | | |
Description
Oneata Mircea Teodor
2018-08-02 08:15:34 UTC
commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, gerrit/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Mon Jul 30 17:15:09 2018 -0700

Bug 1601071 Certificate generation happens with partial attributes in CMCRequest file

This patch addresses the issue where, when a cmcSelfSigned profile is used in a cmcUserSigned case, the certificate is issued. A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has been introduced for the shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for the user-signed case. A new constraint CMCSelfSignedSubjectNameConstraint has been introduced to verify.

In addition, all profiles that authenticate through CMCUserSignedAuth are turned off by default to allow site administrators to make a conscious decision on their own for these features.

Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.

Change-Id: I275118d31b966494411888beb37032bb022c29ce

Test procedure (You must create a brand new instance to pick up everything in config and profiles):

Test 1: could be what's reported in the initial bug description: https://bugzilla.redhat.com/show_bug.cgi?id=1601071#c0
Please note: all profiles that authenticate through CMCUserSignedAuth are turned off by default, so make sure to enable them before testing.

Test 2: There was a "left over issue (or not)" from https://bugzilla.redhat.com/show_bug.cgi?id=1594128#c12 , and for which I decided to enable audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED by default, so you can test revocation as described in that bug for this again.

doc text looks fine.
[root@auto-hv-01-guest03 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.1
Release     : 15.el7_5
Architecture: noarch
Install Date: Tue 11 Sep 2018 03:31:30 PM EDT
Group       : System Environment/Daemons
Size        : 2451877
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.5.1-15.el7_5.src.rpm
Build Date  : Mon 13 Aug 2018 11:12:20 PM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Since the profiles are disabled by default, the scenarios explained in the attached testcases of the original bug did not generate certs.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2759
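
The two defaults described in the commit message above (profiles that authenticate through CMCUserSignedAuth turned off, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED enabled) can be checked against an instance's configuration text. This is an added example, not part of the bug report or of pki-core; the property keys `enable`, `auth.instance_id` and `log.instance.SignedAudit.events` are assumptions about the profile and CS.cfg layout, and the profile names, the other auth manager name and the file contents are constructed.

```python
# Added example: audit configuration text for the two defaults the commit changes.
# Key names are assumptions about the instance layout; all sample data is constructed.

AUTH_MANAGER = "CMCUserSignedAuth"
AUDIT_EVENT = "CERT_STATUS_CHANGE_REQUEST_PROCESSED"


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def enabled_user_signed_profiles(profiles):
    """Return names of profiles that use CMCUserSignedAuth and are not disabled."""
    flagged = []
    for name, text in sorted(profiles.items()):
        props = parse_properties(text)
        if props.get("auth.instance_id") != AUTH_MANAGER:
            continue
        # A missing 'enable' key is flagged for review rather than silently passed.
        if props.get("enable", "true").lower() != "false":
            flagged.append(name)
    return flagged


def audit_event_enabled(cs_cfg_text, event=AUDIT_EVENT):
    """True if the event is an exact entry in the signed-audit events list."""
    events = parse_properties(cs_cfg_text).get("log.instance.SignedAudit.events", "")
    return event in {e.strip() for e in events.split(",")}


# Constructed sample input (hypothetical profile file names and contents).
SAMPLE_PROFILES = {
    "profileA.cfg": "enable=false\nauth.instance_id=CMCUserSignedAuth\n",
    "profileB.cfg": "enable=true\nauth.instance_id=CMCUserSignedAuth\n",
    "profileC.cfg": "enable=true\nauth.instance_id=SomeOtherAuth\n",
    "profileD.cfg": "# no enable key\nauth.instance_id=CMCUserSignedAuth\n",
}
SAMPLE_CS_CFG = "log.instance.SignedAudit.events=EVENT_A,CERT_STATUS_CHANGE_REQUEST_PROCESSED,EVENT_B\n"

if __name__ == "__main__":
    print("profiles to review:", enabled_user_signed_profiles(SAMPLE_PROFILES))
    print("audit event enabled:", audit_event_enabled(SAMPLE_CS_CFG))
```

On a real instance, read the profile and CS.cfg files from wherever that deployment keeps them and pass their text to the same functions.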