Bug 1653163

Summary: certmap fails when Issuer DN has comma in name
Product: Red Hat Enterprise Linux 7
Reporter: Fraser Tweedale <ftweedal>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: high
Priority: high
Version: 7.6
CC: bsmejkal, cpelland, lkrispen, msauton, nkinder, pasik, rmeggins, spichugi, tbordaz, vashirov
Target Milestone: rc
Keywords: ZStream
Target Release: 7.7
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base-1.3.9.1-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: certmap.conf parsing did not normalize Distinguished Names (DNs) correctly.
Consequence: certmap.conf processing failed and did not allow client authentication to take place.
Fix: Properly normalize the DNs in certmap.conf.
Result: TLS client authentication works correctly regardless of the DN format used in certmap.conf.
Story Points: ---
Clones: 1653165, 1660120
Last Closed: 2019-08-06 12:59:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1653165, 1660120

Description Fraser Tweedale 2018-11-26 06:25:54 UTC
(Clone of https://pagure.io/389-ds-base/issue/49543)

Description of problem:

When the issuer DN has a comma in it (or presumably other characters that require escaping),
certmap fails because a comparison between the stringified Issuer DN from the certificate
and the issuer DN from the certmap file fails. For example, if the Issuer DN is:

  CN=Certificate Authority,O="Acme, Inc.",ST=Massachusetts,C=US

This gets read from the certificate via the ldapu_get_cert_issuer_dn, which uses
NSS' CERT_NameToAscii to return a stringified version of the DN. CERT_NameToAscii
uses the RFC 1485 rules to serialise the DN, so the string looks like:

  CN=Certificate Authority,O="Acme, Inc.",ST=Massachusetts,C=US

This string then gets processed by ldapu_dn_normalize which turns it into:

  CN=Certificate Authority,O="Acme, Inc.",ST=Massachusetts,C=US

, which is wrong.

The comparison then fails when compared with the DN in the certmap.conf, which
is properly escaped (a basic strcasecmp):

  CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:

1. Configure a certmap with an issuer that has a comma in a name.
2. Attempt a certificate bind with a valid certificate issued by the certmap issuer.


Actual results:

Bind fails, and doesn't even reach the internal search op for a user
matching the certificate. (failure to match the issuer caused fallback to default certmap).


Expected results:

Bind succeeds, or at least uses the correct certmap such that internal search ops to look
up a matching user are executed.


Additional info:

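As an added illustration of the normalisation the report calls for (example code written for this page, not 389-ds-base's own ldapu_dn_normalize; the two sample DNs are constructed from the report), this parses both the quoted RFC 1485 form that CERT_NameToAscii produces and the backslash-escaped form written in certmap.conf into the same list of (type, value) pairs, then compares canonical serialisations instead of the raw strings:

```python
# Constructed sample inputs: the quoted form NSS CERT_NameToAscii emits (RFC 1485)
# and the backslash-escaped form written in certmap.conf (RFC 2253).
ISSUER_FROM_NSS = 'CN=Certificate Authority,O="Acme, Inc.",ST=Massachusetts,C=US'
ISSUER_FROM_CERTMAP = 'CN=Certificate Authority,O=Acme\\, Inc.,ST=Massachusetts,C=US'
SPECIAL = ',+"\\<>;'  # characters RFC 2253 requires to be backslash-escaped in values

def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs; a ',' inside quotes or after '\\' is data."""
    rdns, typ, val, in_value, in_quotes, i = [], [], [], False, False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # escape: keep the next char literally
            (val if in_value else typ).append((dn[i + 1], True))
            i += 2
            continue
        if c == '"' and in_value:             # RFC 1485 quoting: toggle, drop the quote
            in_quotes = not in_quotes
        elif c == "=" and not in_value:
            in_value = True
        elif c == "," and not in_quotes:      # unquoted, unescaped comma ends the RDN
            rdns.append(_finish(typ, val))
            typ, val, in_value = [], [], False
        else:                                 # store (char, literal?) for edge trimming
            (val if in_value else typ).append((c, in_quotes))
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in DN: " + dn)
    rdns.append(_finish(typ, val))
    return rdns

def _finish(typ, val) -> tuple:
    """Lower-case the type; drop only unquoted, unescaped spaces at the value's edges."""
    while val and val[0] == (" ", False):
        val.pop(0)
    while val and val[-1] == (" ", False):
        val.pop()
    return "".join(ch for ch, _ in typ).strip().lower(), "".join(ch for ch, _ in val)

def canonical_dn(dn: str) -> str:
    """Re-serialise in one fixed syntax: lower-case types, RFC 2253 escaping, no padding."""
    def esc(v: str) -> str:
        return "".join("\\" + ch if ch in SPECIAL or (ch == "#" and i == 0)
                       or (ch == " " and i in (0, len(v) - 1)) else ch
                       for i, ch in enumerate(v))
    return ",".join(f"{t}={esc(v)}" for t, v in parse_dn(dn))

def dn_equal(a: str, b: str) -> bool:
    """Compare canonical forms; still case-insensitive, as the original strcasecmp was."""
    return canonical_dn(a).lower() == canonical_dn(b).lower()
```

A bare case-insensitive compare of the two constants above is False, which is the failure the report describes; dn_equal on the same inputs is True.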
Comment 2 Fraser Tweedale 2018-11-26 06:33:13 UTC
Requesting for 7.6.z and 7.7.

Patch has been merged to 389-ds-base upstream master (70bdd335d151e58e227fc2263ece9aedc0803152).  Moving to POST.

Comment 5 bsmejkal 2019-05-06 11:00:19 UTC
Hi Fraser,
did you manage to reproduce this bug outside of IPA context? If so, could you provide the steps for verifying on 389-ds-base, please?
If not, will there be a release of certmonger for RHEL 7.7 with fixes for this issue? 
I can't verify this bug with certmonger because the patch https://pagure.io/certmonger/pull-request/108 does not apply cleanly to the old build.
We tried to build a custom package of certmonger for RHEL 7.7 but we weren't successful in applying the patch and therefore we are blocked.

Thanks.

Comment 6 Fraser Tweedale 2019-05-08 11:36:30 UTC
I haven't got a non-IDM reproducer.  I'll bump up the priority.  Keeping needinfo.

Comment 7 bsmejkal 2019-06-06 14:29:43 UTC
Hi Fraser,
any news on the non-IDM reproducer or certmonger release? We would like to verify this bug as soon as possible.
Thanks.

Comment 8 bsmejkal 2019-06-07 15:48:19 UTC
389-ds-base-1.3.9.1 contains the applied patch with the required changes.


Build tested:
389-ds-base-1.3.9.1-8.el7.x86_64

Issuer in cert:
Issuer: C = US, ST = Massachusetts, O = "Acme, Inc.", CN = "Acme, Inc."

Issuer in certmap.conf:
certmap default CN=Acme\, Inc.,O=Acme\, Inc.,ST=Massachusetts,C=US

User bind with certificate is successful.


Marking as VERIFIED, SanityOnly.

Comment 10 errata-xmlrpc 2019-08-06 12:59:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152

Comment 11 Fraser Tweedale 2021-01-08 02:43:15 UTC
Bug was verified; removing very ancient needinfo.