Bug 492543

Summary: agent authentication failing with signed CMC requests
Product: [Retired] Dogtag Certificate System
Reporter: David Stutzman <david.k.stutzman2.ctr>
Component: Authentication
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: high
Version: 1.0
CC: awnuk, benl
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 23:33:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 443788

Attachments (description, flags):
- snippet of debug log from Dogtag (none)
- snippet of debug log from RHCS7 for comparison (none)
- just to make debug log messages more accurate (none)

Description David Stutzman 2009-03-27 11:42:26 UTC
Created attachment 336993 [details]
snippet of debug log from Dogtag

Description of problem:
When I send an agent-signed CMC enrollment request to the CMC servlet, it fails with "ProfileSubmitServlet: authentication error Invalid Credential."

I'm fairly confident the CMC requests are OK as we are sending the same ones to Red Hat 7.1 CAs and they are working fine.  I am experiencing this error on freshly setup Dogtag CAs.  We can do SSL client auth to the Agent interface webpages with our browsers and the credential we supply works fine so we're pretty sure the agent cert piece is set up correctly as well.

I'm also fairly certain this used to work when I've tested in the past.  I looked through bugzilla for CMC bugs, found 4 (3 were mine), and it was fixed almost a year ago so I doubt that was it.

Version-Release number of selected component (if applicable):
dogtag-pki-ca-ui-1.0.0-10.fc8
dogtag-pki-common-ui-1.0.0-12.fc8
dogtag-pki-console-ui-1.0.0-6.fc8
osutil-1.0.0-6.fc8
pki-ca-1.0.0-35.fc8
pki-common-1.0.0-56.fc8
pki-console-1.0.0-15.fc8
pki-java-tools-1.0.0-8.fc8
pki-native-tools-1.0.0-5.fc8
pki-selinux-1.0.0-7.fc8
pki-setup-1.0.0-20.fc8
pki-util-1.0.0-12.fc8
symkey-1.0.0-8.fc8

How reproducible:
I get the same behavior whether I send a DER encoded CMC request to the CMC servlet (/ca/ee/ca/profileSubmitCMCFull) or paste a Base64 encoded request into the "Signed CMC-Authenticated User Certificate Enrollment" profile on the end entity web enrollment page.

Steps to Reproduce:
1. Create a CMC request signed with credentials that are configured as an agent on the CA
2. Send the request to the CA (using either the DER or Base64 method above)
I've attached debug logs showing Dogtag vs RHCS7 which is the error vs success case.  The Dogtag process dies relatively early.  What I noticed is after they output "ProfileSubmitServlet: set sslClientCertProvider", RHCS makes an LDAP connection and comes back with my agent entry (I assume it took the cert from CMC's SignerInfo and searched in the directory for it) whereas Dogtag doesn't show the LDAP connection even being tried.
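The log comparison the reporter describes (a working CA looks the CMC signer up in the directory right after "set sslClientCertProvider"; the failing one goes straight to "Invalid Credential") can be turned into a small triage check. The following is an added example, not code from the bug report, Dogtag or RHCS. The two servlet messages are the ones quoted in the report; every other log line, the `LdapBoundConnFactory` lines and the "request approved" line included, is constructed for the example and the real log format is assumed.

```python
"""Triage a CA debug log for one signed-CMC enrollment attempt.

The check separates two different failure modes that produce the same
"Invalid Credential" message:
  * no directory lookup at all after the provider is set -> the signer cert
    was never mapped to an agent (a code-path problem, as in this report);
  * a lookup happened and authentication still failed -> look at the agent
    entry / certificate mapping in the directory instead.
"""
import re

# Markers quoted in the bug report.
PROVIDER_MARKER = "set sslClientCertProvider"
AUTH_FAIL_MARKER = "authentication error Invalid Credential"
# Any line mentioning ldap (class names such as LdapBoundConnFactory
# included) counts as a directory lookup attempt.
LDAP_PATTERN = re.compile(r"ldap", re.IGNORECASE)

# Constructed log snippets modelled on the two attachments (not real output).
DOGTAG_LOG = """\
[27/Mar/2009:11:40:02] ProfileSubmitServlet: start serving
[27/Mar/2009:11:40:02] ProfileSubmitServlet: set sslClientCertProvider
[27/Mar/2009:11:40:02] ProfileSubmitServlet: authentication error Invalid Credential
"""

RHCS_LOG = """\
[27/Mar/2009:11:41:10] ProfileSubmitServlet: start serving
[27/Mar/2009:11:41:10] ProfileSubmitServlet: set sslClientCertProvider
[27/Mar/2009:11:41:10] LdapBoundConnFactory: connecting to directory
[27/Mar/2009:11:41:10] LdapBoundConnFactory: found agent entry uid=agent1,ou=People,dc=example,dc=com
[27/Mar/2009:11:41:11] ProfileSubmitServlet: request approved
"""


def triage_cmc_log(log_text):
    """Return {'ldap_lookup': bool, 'auth_failed': bool, 'verdict': str}.

    Only lines after the provider marker are examined, because that is the
    point where the two CAs diverge in the report.
    """
    after_provider = False
    ldap_seen = False
    auth_failed = False
    for line in log_text.splitlines():
        if PROVIDER_MARKER in line:
            after_provider = True
            continue
        if not after_provider:
            continue
        if LDAP_PATTERN.search(line):
            ldap_seen = True
        if AUTH_FAIL_MARKER in line:
            auth_failed = True
            break  # the servlet stops here; nothing after it is relevant

    if not after_provider:
        verdict = "provider marker not found; log does not cover the CMC authentication phase"
    elif auth_failed and not ldap_seen:
        verdict = "auth failed without any directory lookup: signer-to-agent mapping was never attempted"
    elif auth_failed:
        verdict = "auth failed after a directory lookup: check the agent entry and cert mapping"
    elif ldap_seen:
        verdict = "signer was looked up in the directory; authentication path is wired"
    else:
        verdict = "no lookup and no failure seen after the provider marker; log may be truncated"
    return {"ldap_lookup": ldap_seen, "auth_failed": auth_failed, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("dogtag", DOGTAG_LOG), ("rhcs7", RHCS_LOG)):
        print(name, triage_cmc_log(text))
```

Run it against the failing and the working snippet side by side; the Dogtag-style snippet reports a failure with no lookup, which is exactly the symptom the reporter spotted by eye, while the RHCS-style snippet reports that the signer was looked up.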

Comment 1 David Stutzman 2009-03-27 11:43:12 UTC
Created attachment 336994 [details]
snippet of debug log from RHCS7 for comparison

Comment 2 David Stutzman 2009-03-27 11:49:30 UTC
Forgot to mention, a co-worker tried sending raw CRMFs to the bulkissuance servlet and that was successful, but as that also uses SSL client auth that would be expected.

Comment 3 Christina Fu 2009-06-05 17:03:22 UTC
Created attachment 346685 [details]
just to make debug log messages more accurate

Comment 4 Christina Fu 2009-06-05 17:04:12 UTC
I just fixed https://bugzilla.redhat.com/show_bug.cgi?id=502861, and after that, CMC enrollment seems to be fine.  I do not see either Authentication or Authorization error.  This is working for both base 64 encoding from the caCMCUserCert profile at EE page, and for the CMC servlet (ca/ee/ca/profileSubmitCMCFull).

I am checking in changes to the log messages for profileSubmitCMCFull here since all log messages are saying "ProfileSubmitServlet" instead of "ProfileSubmitCMCServlet" and that's misleading and does not help with debugging.

Comment 5 Andrew Wnuk 2009-06-05 17:07:02 UTC
attachment (id=346685) +awnuk

Comment 6 Christina Fu 2009-06-05 17:11:27 UTC
[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/base/common
[cfu@jaw common]$ svn commit src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
Sending        src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
Transmitting file data .
Committed revision 553.

Comment 7 David Stutzman 2009-06-05 18:14:50 UTC
I have tested and can confirm that I can both paste Base64 CMC into the webpage or hit the servlet with a DER request and I get a cert back.  However, I'm still stuck with bug 441544, which causes the freshly issued cert to be expired immediately.

Thanks!

Comment 8 Kashyap Chamarthy 2009-06-21 10:14:39 UTC
Verified (with the June 18 build). Sending a CMC request using "Signed CMC-Authenticated User Certificate Enrollment" in the EE pages succeeds.