This bug is created as a clone of upstream ticket: https://fedorahosted.org/pki/ticket/2561

It was observed that when audit signing logs rotate, the first signature entry in the next log file (for the last entries of the previous rotated log file) would sometimes fail to verify.

To reproduce, set log.instance.SignedAudit.maxFileSize to a small number (e.g. 3) and restart the server; do a few issuances to cause some entries to be written and rotate; run AuditVerify to observe.
Steps to reproduce:

1. Install CA. By default log signing is disabled, so there are no signatures.
2. Run pki-server ca-audit-file-verify.
3. Set log.instance.SignedAudit.logSigning=true in /etc/pki/pki-tomcat/ca/CS.cfg.
4. Restart Tomcat. This will generate some signatures.
5. Run pki-server ca-audit-file-verify.
6. Set log.instance.SignedAudit.maxFileSize=5 in /etc/pki/pki-tomcat/ca/CS.cfg.
7. Restart Tomcat. This will trigger log rotation since the current log file size already exceeds the limit. It will also generate additional signatures.
8. Run pki-server ca-audit-file-verify.

Actual result:
* In step 2 the CLI reported 1 invalid signature due to unsigned log.
* In step 5 the CLI reported 1 invalid signature due to a bug in AuditVerify when validating the first signature.
* In step 8 the CLI reported 2 invalid signatures. The first one is the same as in step 5. The second one is invalid due to a bug on the server during log rotation.

Expected result:
* In step 2 the CLI should report no invalid signatures because there are no signatures.
* In step 5 the CLI should report no invalid signatures because the first signature should be ignored.
* In step 8 the CLI should report no invalid signatures because subsequent signatures should be valid regardless of log rotation.
Fixed in master:
* https://github.com/dogtagpki/pki/commit/ab2e24b3087368a2aadfcda77323a7d0aa70db80
* https://github.com/dogtagpki/pki/commit/fac7ebb8fd21f60a06241d6e132c8a4f5972a773
Build verified with 10.5.1-5

[root@bkr-hv01-guest02 ~]# yum list pki-*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
pki-base.noarch 10.5.1-5.el7 @RHEL75
pki-base-java.noarch 10.5.1-5.el7 @RHEL75
pki-ca.noarch 10.5.1-5.el7 @RHEL75
pki-console.noarch 10.5.1-3.el7pki @RHCS93
pki-kra.noarch 10.5.1-5.el7 @RHEL75
pki-ocsp.noarch 10.5.1-5.el7pki @RHCS93
pki-server.noarch 10.5.1-5.el7 @RHEL75
pki-symkey.x86_64 10.5.1-5.el7 @RHEL75
pki-tks.noarch 10.5.1-5.el7pki @RHCS93
pki-tools.x86_64 10.5.1-5.el7 @RHEL75
pki-tps.x86_64 10.5.1-5.el7pki @RHCS93

Steps followed as per https://bugzilla.redhat.com/show_bug.cgi?id=1404794#c4 mentioned by Endi.

Before changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg:

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA
Verification process complete.
Valid signatures: 155
Invalid signatures: 0

After changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg and restarting the tomcat instance:

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA
Verification process complete.
Valid signatures: 163
Invalid signatures: 0

Files created:
ca_audit
ca_audit.20171227124631

New signatures were added due to the new log file rotation. Since no invalid signatures were found, marking this as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925