Description of problem:
I tried to perform same steps but I used wget https://en.wikipedia.org/wiki/Image

Version-Release number of selected component (if applicable):
pki-ca 10.3.3.10

How reproducible:
always

Steps to Reproduce:
1. Follow the test case mentioned in polarion CERT-9915 - RHCS-TC: Agent-Authenticated File Signing" alters file digest for "logo_header.gif"
2. Just use url as https://en.wikipedia.org/wiki/Image
3.

Actual results:
I have used https://en.wikipedia.org/wiki/Image url and I got below exception:

CA EE UI: Cann't locate file

Debug logs:
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: CertProcessor: request 1000000005
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: CertProcessor: populating request inputs
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: FileSigningInput populate failure java.lang.NegativeArraySizeException
Cannot locate file
    at com.netscape.cms.profile.input.FileSigningInput.populate(FileSigningInput.java:122)
    at com.netscape.cms.profile.common.BasicProfile.populateInput(BasicProfile.java:1078)
    at com.netscape.cms.profile.common.EnrollProfile.populateInput(EnrollProfile.java:1325)
    at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:361)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:181)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:243)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.GeneratedMethodAccessor35.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)

Expected results:

Additional info:
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: EnrollProfile: createRequest 1000000005
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: CertProcessor: profileSetid=serverCertSet
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: CertProcessor: request 1000000005
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: CertProcessor: populating request inputs
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: FileSigningInput populate failure java.lang.NegativeArraySizeException
Cannot locate file
    at com.netscape.cms.profile.input.FileSigningInput.populate(FileSigningInput.java:122)
    at com.netscape.cms.profile.common.BasicProfile.populateInput(BasicProfile.java:1078)
    at com.netscape.cms.profile.common.EnrollProfile.populateInput(EnrollProfile.java:1325)
    at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:361)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:181)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:243)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.GeneratedMethodAccessor35.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor34.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: ProfileSubmitServlet: error in processing request: Cannot locate file
[22/Sep/2016:19:15:01][http-bio-20443-exec-6]: CMSServlet: curDate=Thu Sep 22 19:15:01 IST 2016 id=caProfileSubmitSSLClient time=793
Moving from rhel-7.3.0 ==> rhel-7.4.0 per discussions with gkapoor and aakkiang.
Moved to RHEL 7.7.
Description of problem:
I am trying to perform the same steps but instead used httpd to host logo_header.gif image on base machine.

Steps:
1. Install httpd and start the service.
2. Copy the logo_header.gif inside /var/www/html/
3. wget http://intel-chiefriver-02.khw.lab.eng.bos.redhat.com/logo_header.gif
4. Follow the test case https://polarion.engineering.redhat.com/polarion/#/project/CERT/workitem?id=CERT-9915

Version of pki:
PKI Command-Line Interface 10.5.9-6.el7

Reproduction Steps:
5. />$ sha256sum logo_header.gif
6. In the EE, Go to "Agent-Authenticated File Signing" enrollment
7. Provide the url : <http://intel-chiefriver-02.khw.lab.eng.bos.redhat.com/logo_header.gif>
8. Specify the requester name: admin and click on submit

Expected Result:
The digest SHA256 that is shown on EE should match with output of SHA256sum command run over the log_header.gif file.

Actual Result:
Getting Exception Related to missing subject name:

Debug Log:
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: CMSServlet: in auditSubjectID
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@d0500c9, userid=caadmin, profileContext=com.netscape.cms.profile.common.ProfileContext@48079f0d, authManagerId=AgentCertAuth}
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: CMSServlet auditSubjectID: subjectID: caadmin
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: CertProcessor.submitRequest: calling profile submit
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: EnrollProfile: submit: begins
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: EnrollProfile: submit: popChallengeRequired =false
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: RequestRecord.loadExtDataFromRequest: missing subject name. Processing extracting subjectName from req_x509info
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: In LdapBoundConnFactory::getConn()
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: masterConn is connected: true
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: getConn: conn is connected true
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: getConn: mNumConns now 2
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: returnConn: mNumConns now 3
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: EnrollProfile: submit: auth token is not null
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: EnrollProfile.validate: start
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: EnrollProfile.validate: cert subject name:CN=(Name)admin(Text)(Size)1316(DigestType)SHA256(Digest)62c533044eed316b51c990e63149a6412f0ba6e9dc74ebf8cbcdec0550117706
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: SignedAuditLogger: event PROFILE_CERT_REQUEST
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: BasicProfile: validate start on setId=serverCertSet
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: SubjectNameConstraint: validate start
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: SubjectNameConstraint: validate start
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: SubjectNameConstraint: validate cert subject =CN=(Name)admin(Text)(Size)1316(DigestType)SHA256(Digest)62c533044eed316b51c990e63149a6412f0ba6e9dc74ebf8cbcdec0550117706
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: SubjectNameConstraint: validate() - sn500 dname = CN=(Name)admin(Text)(Size)1316(DigestType)SHA256(Digest)62c533044eed316b51c990e63149a6412f0ba6e9dc74ebf8cbcdec0550117706
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: CertProcessor: submit Invalid Subject Name CN=(Name)admin(Text)(Size)1316(DigestType)SHA256(Digest)62c533044eed316b51c990e63149a6412f0ba6e9dc74ebf8cbcdec0550117706 [ Invalid fields: Common Name ]
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: SignedAuditLogger: event CERT_REQUEST_PROCESSED
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: RequestRecord.loadExtDataFromRequest: missing subject name. Processing extracting subjectName from req_x509info
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: In LdapBoundConnFactory::getConn()
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: masterConn is connected: true
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: getConn: conn is connected true
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: getConn: mNumConns now 2
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: returnConn: mNumConns now 3
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: EnrollmentSubmitter: done serving
[11/Sep/2018:11:40:01][http-bio-8443-exec-17]: CMSServlet: curDate=Tue Sep 11 11:40:01 EDT 2018 id=caProfileSubmitSSLClient time=31
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: findNextUpdate: Tue Sep 11 11:40:15 EDT 2018 delay: 0
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL generation
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: updateCRLNow: mEnable =true
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: updateCRLNow: mEnableCRLUpdates =true
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: updateCRLNow: mDoLastAutoUpdate =false
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: Updating CRL
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: false delta: false
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: findNextUpdate: Tue Sep 11 11:41:15 EDT 2018
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: Signing Certificate
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn()
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: masterConn is connected: true
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: getConn: conn is connected true
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
[11/Sep/2018:11:40:15][CRLIssuingPoint-MasterCRL]: ByteArrayMapper:mapObjectToLDAPAttributeSet deltaRevocationList size=506
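
Added example, not part of the bug report or of the PKI code base: a check for the expected result in the comment above. It pulls the Size, DigestType and Digest fields out of the subject CN shown in the debug log and compares them with a local copy of the file. The function names and the sample file bytes are constructed for illustration, and the mapping from the DigestType label to a hashlib algorithm name is an assumption.

```python
import hashlib
import re

# Subject CN layout copied from the "EnrollProfile.validate: cert subject name" log line.
SUBJECT_RE = re.compile(
    r"CN=\(Name\)(?P<name>.*?)\(Text\)(?P<text>.*?)\(Size\)(?P<size>-?\d+)"
    r"\(DigestType\)(?P<digest_type>[A-Za-z0-9-]+)\(Digest\)(?P<digest>[0-9a-fA-F]+)"
)

def parse_file_signing_subject(log_line):
    """Return the fields embedded in the subject CN, or None if the line has none."""
    m = SUBJECT_RE.search(log_line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["size"] = int(fields["size"])
    fields["digest"] = fields["digest"].lower()
    return fields

def compare_with_local_file(fields, data):
    """List every mismatch between what the CA recorded and the local file bytes."""
    problems = []
    if fields["size"] != len(data):
        problems.append("size: CA saw %d bytes, local copy has %d"
                        % (fields["size"], len(data)))
    # Assumption: the DigestType label becomes a hashlib name once lowercased.
    algo = fields["digest_type"].lower().replace("-", "")
    if algo not in hashlib.algorithms_available:
        problems.append("unknown digest type %s" % fields["digest_type"])
    elif hashlib.new(algo, data).hexdigest() != fields["digest"]:
        problems.append("digest: CA value differs from local %s" % algo)
    return problems

# Log line as it appears in the debug log above (timestamp prefix dropped).
PAGE_LINE = ("EnrollProfile.validate: cert subject name:CN=(Name)admin(Text)"
             "(Size)1316(DigestType)SHA256(Digest)"
             "62c533044eed316b51c990e63149a6412f0ba6e9dc74ebf8cbcdec0550117706")

# Constructed stand-in for logo_header.gif and the log line the CA would emit for it.
SAMPLE_FILE = b"GIF89a" + bytes(range(64))
SAMPLE_LINE = ("EnrollProfile.validate: cert subject name:CN=(Name)admin(Text)"
               "(Size)%d(DigestType)SHA256(Digest)%s"
               % (len(SAMPLE_FILE), hashlib.sha256(SAMPLE_FILE).hexdigest()))

if __name__ == "__main__":
    print(parse_file_signing_subject(PAGE_LINE))
    fields = parse_file_signing_subject(SAMPLE_LINE)
    print(compare_with_local_file(fields, SAMPLE_FILE))            # matching copy
    print(compare_with_local_file(fields, SAMPLE_FILE + b"\x00"))  # altered copy
```

To run the comparison against a real file, read it with `open(path, "rb").read()` and pass the bytes as `data`.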
Marc, Do we know of any customers using this feature? If not, we will create an upstream ticket and close it out on RHEL bugzilla. Thanks!
Hello Fu, There is no support case attached to the bugzilla, which means no customer is using this as of now. You can create an upstream ticket; we will reopen this or create a new bugzilla if some customer uses this feature.
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.