Bug 692766

Summary: Certmonger generates certificate on providing incorrect NSS database PIN
Product: Red Hat Enterprise Linux 6 Reporter: Kaleem <ksiddiqu>
Component: certmongerAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.1CC: dpal, jgalipea, kchamart
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: certmonger-0.46-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 17:37:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Kaleem 2011-04-01 05:11:24 UTC 
Description of problem:
Certmonger generates certificate on providing incorrect NSS database PIN.
In this scenario, NSS database PIN is null.


Version-Release number of selected component (if applicable):



How reproducible:
Try to issue a certificate by providing incorrect PIN.

Steps to Reproduce:
1.Install certmonger

  [root@mars ~]# yum install certmonger
--> Running transaction check
---> Package certmonger.x86_64 0:0.40-1.el6 will be installed
--> Processing Dependency: libtevent.so.0()(64bit) for package: certmonger-0.40-1.el6.x86_64
--> Running transaction check
---> Package libtevent.x86_64 0:0.9.8-8.el6 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
Installing:
 certmonger                             x86_64                             0.40-1.el6                                rhel6                             190 k
Installing for dependencies:
 libtevent                              x86_64                             0.9.8-8.el6                               rhel6                              18 k
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libtevent-0.9.8-8.el6.x86_64                                                                                                              1/2 
  Installing : certmonger-0.40-1.el6.x86_64                                                                                                              2/2 
duration: 60(ms)
Installed products updated.
Installed:
  certmonger.x86_64 0:0.40-1.el6                                                                    Dependency Installed:
  libtevent.x86_64 0:0.9.8-8.el6                                                                   
Complete!
[root@mars ~]#

2.start certmonger service

  [root@mars ~]# service certmonger start
Starting certmonger:                                       [  OK  ]
[root@mars ~]#

3.create a temp directory and change its SELinux security context to type cert_t.

  [root@mars ~]# mkdir /tmp/kaleem
[root@mars ~]# chcon -t cert_t /tmp/kaleem/
[root@mars ~]#

4.Now issue a certificate request with incorrect NSS database PIN

  [root@mars ~]# getcert request -d /tmp/kaleem/ -n test -c SelfSign -P "incorrect"
New signing request "20110331233234" added.

[root@mars ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110331233234':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/tmp/kaleem',nickname=test,pin=incorrect
	certificate: type=NSSDB,location='/tmp/kaleem',nickname=test,token='NSS Certificate DB'
	CA: SelfSign
	issuer: CN=mars.lab.eng.pnq.redhat.com
	subject: CN=mars.lab.eng.pnq.redhat.com
	expires: 20120331233234
	dns: mars.lab.eng.pnq.redhat.com
	principal name: host/mars.lab.eng.pnq.redhat.com
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
[root@mars ~]#
  
Actual results:
Certificate is generated and monitored by certmonger.

Expected results:
Certmonger should throw an alert message that NSS database PIN is incorrect.
Comment 5 Kaleem 2011-09-22 09:08:25 UTC 
Verified.

RHEL Version:
=============
[root@dhcp201-220 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)

Certmonger Version:
==================
[root@dhcp201-220 ~]# rpm -q certmonger 
certmonger-0.46-1.el6.x86_64

Steps used to verify:
=====================
(1)Install certmonger and nss-tools

[root@dhcp201-220 ~]# yum install certmonger nss-tools
Loaded plugins: product-id, subscription-manager
Updating certificate-based repositories.
Installed products updated.
.
.
.
Installed:
  certmonger.x86_64 0:0.46-1.el6                                              nss-tools.x86_64 0:3.12.10-10.el6                                             
Complete!
[root@dhcp201-220 ~]#

(2)Start certmonger service (Make sure Dbus service is running)

[root@dhcp201-220 ~]# service certmonger start
Starting certmonger:                                       [  OK  ]

(3)Make temp directory and change it into NSS db.Also change selinux context so that key-pairs can be generated.
[root@dhcp201-220 ~]# mkdir /tmp/kaleem

[root@dhcp201-220 ~]# chcon -t cert_t /tmp/kaleem/

[root@dhcp201-220 ~]# ls -lZ /tmp/ |grep kaleem
drwxr-xr-x. root root unconfined_u:object_r:cert_t:s0  kaleem

[root@dhcp201-220 ~]# certutil -W -d /tmp/kaleem/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
[root@dhcp201-220 ~]#

NOTE:Here NSS db password is null.

(4)Now try to generate a certifiate in this NSS db on providing Incorrect NSS db PIN.

[root@dhcp201-220 ~]# getcert request -d /tmp/kaleem/ -n test -c SelfSign -P "incorrect"
New signing request "20110922091755" added.

(5)Now see the certificate request status

[root@dhcp201-220 ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110922091755':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=NSSDB,location='/tmp/kaleem',nickname='test',pin='incorrect'
	certificate: type=NSSDB,location='/tmp/kaleem',nickname='test'
	CA: SelfSign
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes
[root@dhcp201-220 ~]#


Result:
======
Now the certificate request status is "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" instead of "MONITORING" on providing incorrect NSS db pin.

Status changes to "MONITORING" on providing correct PIN with "getcert resubmit".
Comment 6 errata-xmlrpc 2011-12-06 17:37:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1708.html