Bug 1628410

Summary: CMC: add config to allow non-clientAuth
Product: Red Hat Enterprise Linux 7
Reporter: Christina Fu <cfu>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.6
CC: afarley, cpelland, gkapoor, mharmsen, msauton
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-10.5.16-2.el7
Doc Type: Bug Fix
Doc Text:
Client authentication can now be disabled in Certificate System

A previous version of Certificate System added a feature to enforce TLS client authentication when authenticating through CMCAuth. However, certain older applications do not support TLS client authentication and failed to connect to Certificate System. This update adds the `bypassClientAuth` configuration parameter to the `/var/lib/pki/pki-instance_name/ca/conf/CS.cfg` file. As a result, administrators can now set this parameter to `true` to disable client authentication if not supported by certain applications.

Story Points: ---
Clone Of:
Clones: 1633104
Environment:
Last Closed: 2019-08-06 13:07:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1633104

Description Christina Fu 2018-09-12 23:57:08 UTC
Description of problem:
Currently, the CA requires CMC requests to be submitted via TLS client authentication.
If a site doesn't wish to impose such a requirement, it is not possible.

Version-Release number of selected component (if applicable):

pki-core

How reproducible:
always

Steps to Reproduce:
1. Try any of the CMC enrollment methods.

Actual results:
Requires TLS clientAuth.

Expected results:
Allows configuring otherwise.

Additional info:
This is a customer request

Comment 6 Christina Fu 2018-09-25 18:11:33 UTC
commit 19120d14941b5964a728ab06b0406be3ddeff5d4 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date:   Tue Sep 18 16:13:29 2018 -0700

    Bug1628410 CMC: add config to allow non-clientAuth
    
    This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg
    to allow agents to bypass clientAuth requirement in CMCAuth.
    Default value for cmc.bypassClientAuth is false.
    
    In addition, CMC enrollment profile caCMCUserCert "visible" value is
    set to false.
    
    fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410
    
    Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc

Comment 7 Christina Fu 2018-09-25 20:43:47 UTC
cherry-picked to master:
commit f0a2ce6f3a966fd6f301b0f5ca0a7c100ffdd9ad (ladycfu/bug1628410-CMC-non-clientAuth-master, bug1628410-CMC-non-clientAuth-master)
Author: Christina Fu <cfu>
Date:   Tue Sep 18 16:13:29 2018 -0700

    Bug1628410 CMC: add config to allow non-clientAuth
    
    This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg
    to allow agents to bypass clientAuth requirement in CMCAuth.
    Default value for cmc.bypassClientAuth is false.

Comment 10 Geetika Kapoor 2019-06-24 09:43:15 UTC
# rpm -qa pki-ca nss jss
jss-4.4.6-1.el7.x86_64
pki-ca-10.5.16-2.el7.noarch
nss-3.44.0-4.el7.x86_64

Test Steps: This is only applicable for Agent Signed Certificates

Test Case 1 : Don't set cmc.bypassClientAuth
============================================

cmc.bypassClientAuth=false (default) ==> It should never bypass

Debug logs:

[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: CMCAuth: verifySignerInfo: missing SSL client authentication certificate;
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: CMCAuth: No Client Certificate Found
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: ProfileSubmitCMCServlet: authenticate: Invalid Credential.

CMCResponse: 


Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 0 
   Status String: Invalid Credential.
   OtherInfo type: FAIL
     failInfo=bad request
CMC Full Response.
ERROR: CMC status for [0]: failed



Test Case 2: Set cmc.bypassClientAuth=true in CS.cfg 
====================================================

Try this test case with both Config 1 and Config 2; it should work with both.


Debug logs:

[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: verifySignerInfo: missing SSL client authentication certificate; allowed
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: signing key alg=RSA
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: verifying signature with public key
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: finished checking signature
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CertUserDBAuth: started
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CertUserDBAuth: Retrieving client certificate
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CertUserDBAuth: Got client certificate

CMCResponse:

Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status: SUCCESS
CMC Full Response.

==============================================
Config 1:
---------
Contents of http.cfg

host=pki1.example.com
port=20080
secure=false

input=cmc.self.req
output=cmc.role_crmf.resp
clientmode=true
#nickname=caadmin
password=SECret.123
#password=SECret.123
dbdir=/root/testing_geetika/nssdb
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert

Config 2:
---------

Contents of http.cfg
host=pki1.example.com
port=20443
secure=true

input=cmc.self.req
output=cmc.role_crmf.resp
clientmode=false
#nickname=caadmin
password=SECret.123
#password=SECret.123
dbdir=/root/testing_geetika/nssdb
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert

Comment 11 Geetika Kapoor 2019-06-24 09:44:46 UTC
Hi Christina,

I have tried the above test cases. Do you feel I should try something else?

Thanks
Geetika

Comment 12 Geetika Kapoor 2019-06-25 12:00:31 UTC
Marking this bug verified based on the above test cases. I will check with Christina later for additional test cases if I missed something.

Comment 15 errata-xmlrpc 2019-08-06 13:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228

Comment 16 Red Hat Bugzilla 2023-09-14 04:34:46 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days