Bug 1447145

| Summary: | CMC: cmc.popLinkWitnessRequired=false would cause error | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Christina Fu <cfu> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | urgent | | |
| Version: | 7.4 | CC: | arubin, cfu, gkapoor, mharmsen, msauton |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.5.1-6.el7 | Doc Type: | No Doc Update |
| Doc Text: | see below | Story Points: | --- |
| Clone Of: | | | |
| | 1472617 (view as bug list) | Environment: | |
| Last Closed: | 2018-04-10 16:58:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1472617 | | |

Doc Text:

Certificate System now handles requests without POP correctly

Previously, when the "cmc.popLinkWitnessRequired" parameter in the `/var/lib/pki/<instance_name>/ca/conf/CS.cfg` file was set to "true", Certificate System rejected Certificate Management over CMS (CMC) requests that carried no Proof-of-Possession (POP), so the encrypted POP (EncryptedPOP/DecryptedPOP) two-trip mechanism could not be used. This patch adds support for CMC requests without POP. As a result, requests without POP are now handled correctly.
Description
Christina Fu
2017-05-01 23:52:29 UTC
commit c95cff5899e2975b16db61b811b626742e5e7114
Author: Christina Fu <cfu>
Date: Mon May 1 17:48:33 2017 -0700
Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error
This patch would fix the issue. It also adds the CMCUserSignedAuth
authentication instance that was missed in the CS.cfg
Test build:

rpm -qa pki-ca
pki-ca-10.4.1-10.el7.noarch

Test steps:

1. Verified CS.cfg and check default value of cmc.popLinkWitnessRequired=false.
2. Executed Self-Signed CMC Request Example (with IdentityProofV2) and User-signed CMC requests Example (with PopLinkWitnessV2) and it worked as expected.

Do you think I can try some other use case also for this testing?

(In reply to Geetika Kapoor from comment #4)
> Test build:
>
> rpm -qa pki-ca
> pki-ca-10.4.1-10.el7.noarch
>
> Test steps:
>
> 1. Verified CS.cfg and check default value of
> cmc.popLinkWitnessRequired=false.
> 2. Executed Self-Signed CMC Request Example (with IdentityProofV2) and
> User-signed CMC requests Example (with PopLinkWitnessV2) and it worked as
> expected.
>
> Do you think I can try some other use case also for this testing?

This question has been moved to the RHEL 7.4.z bug -- https://bugzilla.redhat.com/show_bug.cgi?id=1472617

Need to reopen this bug.

While the cmc.popLinkWitnessRequired param in CS.cfg is working as expected, when it is true, it is impossible to do encryptedPOP because there is no POP to start with and it would therefore be rejected. Changing this value and restarting the server is not a reasonable option for most deployment sites. We should add a caveat to the cmc.popLinkWitnessRequired logic so that encryptedPOP is allowed.

Previous fix did not take PKCS#10 into account. Need to address that.

commit d69c11d56d0e1f4368ab21715c2c5496fb08f969 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Fri Jan 19 14:45:17 2018 -0800
Ticket #2675 take care of PKCS#10 for cmc.popLinkWitnessRequired
This patch adds support to handle PKCS#10 which was neglected in previous
"additional" fix.
Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055
(cherry picked from commit 91c6c781e5e2c26b77619e6f4c08dc5d77bb5adf)
commit bb10545e728f0ff86ea4b3899d2de42b2398acfa
Author: Christina Fu <cfu>
Date: Tue Jan 16 18:15:21 2018 -0800
Ticket #2675 additional fix to allow requests without POP
This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism.
Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b
(cherry picked from commit c52c51c6516cd39caec52441d0756b1756050ae3)
I am trying it with cmc.popLinkWitnessRequired=true with pkcs10 and crmf.
With crmf it is 2 steps, but with pkcs10 I see that after the first step it throws success. Not sure what went wrong. Could you please look into this.
Thanks
Test bits:
=========
rpm -qa pki-*
pki-tools-10.5.1-6.el7.x86_64
pki-ocsp-10.5.1-6.el7pki.noarch
pki-javadoc-10.5.1-5.1.el7.noarch
pki-base-10.5.1-6.el7.noarch
pki-symkey-10.5.1-6.el7.x86_64
pki-server-10.5.1-6.el7.noarch
pki-kra-10.5.1-6.el7.noarch
pki-tks-10.5.1-6.el7pki.noarch
pki-console-10.4.1-7.el7pki.noarch
pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64
pki-base-java-10.5.1-6.el7.noarch
pki-ca-10.5.1-6.el7.noarch
pki-tps-10.5.1-6.el7pki.x86_64
Test Case 2: Set cmc.popLinkWitnessRequired=true with User-signed CMC request Without POP (Encrypted POP / Decrypted POP)
==========================================================================================================================
Test Case 2.1: With PKCS10
---------------------------
Step1 : Set below in both EncryptedPOP and DecryptedPOP cmc file.
-- Add identityProofV2.enable=false
-- Add popLinkWitnessV2.enable=true
-- identification.enable=true
Step2:
PKCS10Client -d /root/nssdb_75 -p SECret.123 -n "cn=userpkcs10, uid=Testing, ou=test" -o user-signed/crmf2.req
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: CertificationRequest created.
PKCS10Client: b64encode completes.
Keypair private key id: 10bb5031e9396daf2880875825ce291709dcf08f
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
PKCS10Client: done. Request written to file: user-signed/crmf2.req
Step3: Run CMCRequest and HttpClient
Audit logs:
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=UID=usercert,CN=usercert][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=EnrollProfile: parseCMC: : ident_s=user2@#$%] Identification Proof of Possession linking witness verification
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=method=EnrollProfile: fillTaggedRequest: ] proof of possession
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][ProfileID=caFullCMCUserSignedCert][CertSubject=UID=usercert,CN=usercert] certificate request made with certificate profiles
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][CertSerialNum=107180564] certificate request processed
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[root@csqa4-guest04 75]# CMCResponse -d . -i user-signed/cmcResp2-round1
Certificates:
Certificate:
Data:
Version: v3
Serial Number: 0x6637214
Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
Validity:
Not Before: Tuesday, January 30, 2018 1:36:31 PM EST America/New_York
Not After: Sunday, July 29, 2018 1:36:31 PM EDT America/New_York
Subject: UID=usercert,CN=usercert
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
Public Key Modulus: (2048 bits) :
AF:90:B4:FF:6C:2D:CD:D0:DA:83:99:27:EC:EC:FF:2D:
25:7B:07:50:54:8C:BD:35:13:A4:42:66:14:7F:1A:2B:
C4:D0:10:46:50:C0:BB:5A:FF:3A:21:5F:C9:5A:C8:E2:
4F:7C:3F:70:82:60:E4:3D:46:E6:35:24:7F:63:DA:20:
B9:AC:0B:C1:F2:0F:E4:46:A4:7E:15:3E:3D:CF:81:EE:
51:97:A1:A3:74:CA:13:97:C2:C0:E7:0C:89:EA:15:5E:
1D:E2:7F:0D:2D:2D:70:A6:F2:C7:42:13:9D:EC:E8:9C:
94:94:D5:33:99:E2:57:9D:03:9E:22:BF:4E:F9:9A:59:
7E:C8:EE:68:DB:84:33:1A:08:70:AE:9C:08:91:C4:85:
8C:1D:CD:AC:4E:2D:F4:34:25:D6:3A:E1:BD:9C:2D:66:
CB:96:CC:FB:7D:9A:BD:F1:61:53:B5:92:11:F3:56:53:
ED:4D:8F:DA:79:0D:4E:00:4B:1D:66:36:91:8F:98:91:
0A:58:24:4E:55:E4:24:26:D5:D6:10:67:E8:A3:22:B8:
F2:A2:2F:CE:D5:FE:FA:B8:B0:2A:F9:A1:57:99:7E:09:
D7:B2:44:80:8D:EE:3E:A9:E9:1D:3F:27:B3:78:EF:75:
7A:03:51:9D:16:04:0E:EB:36:E6:72:B8:0E:0B:6B:D1
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
C9:6E:B3:4D:4A:FB:3B:75:4D:D8:C9:0C:92:64:D4:91:
AE:DB:5E:BF
Identifier: 1.3.6.1.5.5.7.1.1
Critical: no
Value:
30:4B:30:49:06:08:2B:06:01:05:05:07:30:01:86:3D:
68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65:
73:74:30:34:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67:
2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A:
32:30:30:38:30:2F:63:61:2F:6F:63:73:70
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key Encipherment
Identifier: Extended Key Usage: - 2.5.29.37
Critical: no
Extended Key Usage:
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
Signature:
Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
Signature:
A1:24:5A:3D:E2:AC:0F:0B:C2:C2:06:63:4D:A8:9D:17:
E7:07:4D:C9:72:B9:AD:5F:4B:58:83:49:35:41:41:C8:
AD:4E:4D:E9:10:BE:71:8F:F0:9C:F0:A0:75:5B:85:5D:
D7:42:3C:A9:08:F5:13:23:E4:A9:97:15:BC:A8:56:F6:
C7:5C:9F:32:97:3C:0F:94:78:DA:AC:66:F6:FD:F4:EC:
C2:29:81:AC:86:7E:D9:DE:E6:F1:90:82:D0:D3:25:63:
DE:96:59:90:61:88:F9:29:65:99:4F:2D:44:18:39:D2:
41:BF:13:43:4E:84:1B:C0:38:1C:C2:AC:A6:B2:CA:26:
75:78:C3:02:52:DA:31:1A:32:8D:56:49:CE:C1:F7:00:
5E:2E:7E:FE:85:7B:17:FE:F6:BB:40:82:5A:93:C5:2A:
F0:36:42:92:5E:B9:98:A7:14:D4:8F:56:47:EA:B2:7D:
EF:99:45:65:A0:C8:30:A6:9A:6C:48:FF:C4:8E:36:A2:
36:99:46:75:F4:71:69:44:33:F9:FD:07:E6:89:EE:73:
68:C4:09:93:5F:76:81:7E:13:F5:0D:E4:C7:D1:01:46:
51:1B:6F:BA:47:3B:B7:C3:4C:C9:C2:1F:E6:17:F1:0E:
D0:33:72:35:4F:A4:3F:7A:A0:BF:F9:F1:0F:4C:CC:68
FingerPrint
MD2:
74:1B:1A:8C:0B:B1:0C:1A:5A:93:E1:F9:7F:2A:11:C7
MD5:
C4:BC:A3:98:CC:03:FA:1D:59:3F:A2:3E:00:C3:77:B5
SHA-1:
2F:B3:B9:78:47:BE:AC:7E:EB:DF:53:B5:72:43:29:92:
9C:08:79:A0
SHA-256:
2B:24:03:93:44:DD:5D:B4:88:86:98:A7:05:F3:53:7B:
2E:E3:E9:01:15:68:D2:21:B2:E7:EE:D7:29:24:F8:F8
SHA-512:
AE:4F:21:F9:1F:E1:56:03:6B:71:A1:AA:9F:70:5E:B4:
A2:FE:E2:F1:9D:6B:4B:16:B9:5B:D0:52:E6:E9:FB:A5:
5A:31:9F:2B:61:85:3E:EB:8A:C2:EE:98:AD:00:BC:14:
C6:9C:68:2B:E6:1C:17:EB:9C:9B:B5:68:48:38:27:C0
Certificate:
Data:
Version: v3
Serial Number: 0x9FB8FED
Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
Validity:
Not Before: Tuesday, January 23, 2018 1:20:59 AM EST America/New_York
Not After: Saturday, January 23, 2038 1:20:59 AM EST America/New_York
Subject: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
Public Key Modulus: (2048 bits) :
A8:2E:B5:CC:CD:5A:9C:35:01:B0:E3:E2:81:F5:AB:7A:
87:CA:F3:EB:C7:D6:F0:52:C7:D3:0A:D3:BD:5D:00:29:
A8:AC:01:2F:3D:44:DD:16:B3:D9:52:B2:10:83:F9:57:
26:84:96:99:D9:84:33:EC:C3:BB:BC:60:29:C9:97:C9:
FE:92:D2:E3:C7:9B:ED:52:C9:14:E9:0A:8B:78:FB:36:
9D:86:D3:C4:14:52:7A:68:6B:E8:9C:5C:DD:3F:FE:DC:
DB:09:11:02:2C:E2:C7:CA:6D:63:19:B3:1C:1F:7E:C4:
74:E7:4D:F3:F5:2D:FD:B7:AC:C5:B9:0E:75:3B:99:97:
BE:AA:E0:A3:2E:51:6D:77:E7:E9:E9:13:97:BC:1B:8A:
7E:8A:C5:AE:61:1E:B0:FE:29:F6:2F:1F:6F:4D:A7:54:
6B:23:5C:F1:6C:AB:DB:C1:EC:99:5A:FF:67:95:24:57:
27:F1:D4:13:51:A7:6C:92:4D:4A:AE:81:20:D1:BF:57:
C6:E9:6E:8A:6B:61:95:F3:B1:42:28:15:6E:F8:63:0F:
D6:F0:8E:DC:41:74:49:D7:06:BB:10:FA:A2:2C:40:67:
A1:6F:FE:18:0A:EA:51:55:04:23:19:A8:96:BB:E7:AB:
78:06:C8:1A:E4:21:22:4F:9B:DA:38:9A:CC:61:AD:F9
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
C9:6E:B3:4D:4A:FB:3B:75:4D:D8:C9:0C:92:64:D4:91:
AE:DB:5E:BF
Identifier: Basic Constraints - 2.5.29.19
Critical: yes
Is CA: yes
Path Length Constraint: UNLIMITED
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key CertSign
Crl Sign
Identifier: Subject Key Identifier - 2.5.29.14
Critical: no
Key Identifier:
C9:6E:B3:4D:4A:FB:3B:75:4D:D8:C9:0C:92:64:D4:91:
AE:DB:5E:BF
Identifier: 1.3.6.1.5.5.7.1.1
Critical: no
Value:
30:4B:30:49:06:08:2B:06:01:05:05:07:30:01:86:3D:
68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65:
73:74:30:34:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67:
2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A:
32:30:30:38:30:2F:63:61:2F:6F:63:73:70
Signature:
Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
Signature:
9A:67:C4:F9:8E:70:8B:CA:B6:00:71:54:AC:E8:8E:CA:
C1:1A:B6:51:D6:BD:A3:3F:9F:56:0E:63:CC:59:0C:67:
DA:14:79:3F:05:74:AE:C5:D7:C5:B4:79:CC:23:56:2E:
80:B2:A1:31:B1:53:9B:C5:C7:4A:2B:2E:D4:23:A6:2F:
52:7D:82:B0:90:1E:52:4C:6D:AA:67:40:FC:C4:BC:B2:
5E:6D:FC:E1:96:76:6B:9A:61:C0:06:0B:83:A6:18:82:
D1:1F:DF:83:F8:45:22:85:4C:E7:7A:20:AB:BA:C0:16:
5C:97:A9:E1:0D:EB:CE:58:79:6E:23:7A:AE:1B:5A:A7:
33:A4:35:D6:E9:38:0A:8D:0F:F9:E8:7C:C1:E8:90:44:
8A:93:63:6E:4D:C0:AA:4D:0D:31:0C:94:B3:FC:71:00:
8F:93:19:A1:C4:84:F7:8A:0F:34:36:59:D6:BF:FE:42:
F4:71:96:9B:96:73:32:31:2B:D8:B6:BF:50:A0:A2:33:
1D:2C:CD:C4:6C:E4:8D:23:4B:12:D1:61:31:D7:FD:2C:
9C:76:2D:D2:91:2F:52:EE:7E:9B:B1:4E:F8:A2:51:82:
EE:51:A3:90:31:3A:A3:DF:A2:40:D2:BA:87:8C:35:B8:
A8:D6:EE:0B:F4:55:BB:90:C6:A6:DC:BE:D5:8A:8C:67
FingerPrint
MD2:
DD:A4:FE:DE:91:3E:C3:B5:22:AA:B8:4A:5B:E6:20:4B
MD5:
16:F5:F3:A6:06:CA:0E:81:08:B6:12:F0:9A:36:BF:18
SHA-1:
41:15:2E:83:DA:25:A2:60:73:82:8C:9D:A4:60:14:73:
0A:6C:22:DB
SHA-256:
B5:62:43:99:C1:43:DB:DB:6D:F3:B4:27:99:61:DF:82:
56:D2:5B:2E:86:48:29:F2:80:BE:49:77:BC:7E:E1:88
SHA-512:
23:3D:89:7E:C9:ED:2C:EA:20:D9:55:82:E3:CD:D7:C1:
A4:DB:1B:E8:DD:FD:6B:EA:71:48:6E:D3:96:E5:21:D2:
29:98:EF:12:42:AF:33:5B:D1:5E:A2:41:FD:41:A5:42:
C1:7D:93:A9:AF:27:F5:83:8E:9C:C7:C7:0D:F2:5C:A3
Number of controls is 1
Control #0: CMCStatusInfoV2
OID: {1 3 6 1 5 5 7 7 25}
BodyList: 1
Status: SUCCESS
Test Case 2.2: With crmf
-------------------------
Step1:
CRMFPopClient -d /root/nssdb_75/ -p SECret.123 -n "cn=Test22, uid=Testing, ou=test" -q POP_NONE -b kra.transport -w "AES/CBC/PKCS5Padding" -v -o user-signed/crmf2.req
Step2: EncryptedPOP CMC config file
-- Add identityProofV2.enable=false
-- Add popLinkWitnessV2.enable=true
-- identification.enable=true
Step3: Run CMCRequest user-signed/cmc-crmf-EncryptedPOP.cfg
Step4: Run HttpClient user-signed/HttpClient-cmc-crmf-EncryptedPOP.cfg
Verification:
-------------
1. Make sure the CMCResponse output looks like:
CMCResponse -d . -i user-signed/cmcResp2-round1
Number of controls is 3
Control #0: CMC encrypted POP
OID: {1 3 6 1 5 5 7 7 9}
encryptedPOP decoded
Control #1: CMCStatusInfoV2
OID: {1 3 6 1 5 5 7 7 25}
BodyList: 1
OtherInfo type: FAIL
failInfo=POP required
Control #2: CMC ResponseInfo
requestID: 53
ERROR: CMC status for [1]: pop required
2. Audit logs:
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success] access session establish success
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=usercert,CN=usercert][Outcome=Success][AuthMgr=CMCUserSignedAuth] authentication success
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=UID=usercert,CN=usercert][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][ProfileID=caFullCMCUserSignedCert][CertSubject=UID=usercert,CN=usercert] certificate request made with certificate profiles
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:47 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
Step5: DecryptedPOP config file
-- Add identityProofV2.enable=false
-- Add popLinkWitnessV2.enable=true
-- identification.enable=true
Step6: Run CMCRequest.
CMCRequest user-signed/cmc-crmf-DecryptedPOP.cfg
Step7: Run HttpClient user-signed/HttpClient-crmf-DecryptedPOP.cfg
Verification:
-------------
CMCResponse -d . -i user-signed/cmcResp2-round2
Certificates:
Certificate:
Data:
Version: v3
Serial Number: 0xC30F503
Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
Validity:
Not Before: Tuesday, January 30, 2018 1:03:46 PM EST America/New_York
Not After: Sunday, July 29, 2018 1:03:46 PM EDT America/New_York
......
Certificate:
Data:
Version: v3
Serial Number: 0x9FB8FED
Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
Validity:
Not Before: Tuesday, January 23, 2018 1:20:59 AM EST America/New_York
Not After: Saturday, January 23, 2038 1:20:59 AM EST America/New_York
Subject: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
Number of controls is 1
Control #0: CMCStatusInfoV2
OID: {1 3 6 1 5 5 7 7 25}
BodyList: 1
Status: SUCCESS
2. Make sure certificate 0xC30F503 is created.
3. Make sure 0xC30F503 is archived in kra.
4. Audit logs:
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:11 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success] access session establish success
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:11 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=usercert,CN=usercert][Outcome=Success][AuthMgr=CMCUserSignedAuth] authentication success
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:11 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=UID=usercert,CN=usercert][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ArchivalRequestID=53][RequestId=53][ClientKeyID=<null>] security data archival request made
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][CertSerialNum=204535043] certificate request processed
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
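The audit trail above is the only server-side record of which path a request took: the PKCS#10 case (ReqID 55) logs CMC_ID_POP_LINK_WITNESS and PROOF_OF_POSSESSION before CERT_REQUEST_PROCESSED in one session, while the CRMF case (ReqID 53) is requested in one session and processed in a later one after the DecryptedPOP round. The following is an added example, not Dogtag or Red Hat Certificate System code, that parses these lines and classifies each issuance so that a same-session issuance with no POP event at all is flagged. The first three groups of sample lines are taken (abridged) from the test output above; the ReqID=99 group is constructed to show what the check flags. Grouping events into sessions by worker thread and ACCESS_SESSION_TERMINATED is an assumption about how these logs interleave.

```python
# Added example (not Dogtag/RHCS code): correlate CA audit events per request so
# that a certificate issued without any recorded proof of possession stands out.
import re
from collections import defaultdict

# Bracketed key=value fields, e.g. [AuditEvent=AUTHZ][ReqID=55]; the timestamp and
# the [14] [6] level fields carry no '=' and are skipped.
KV_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")

def parse_audit_line(line: str) -> dict:
    """Turn one CA audit line into {thread, AuditEvent, SubjectID, Outcome, ReqID, ...}."""
    thread, _, rest = line.partition(" - ")
    fields = dict(KV_RE.findall(rest))
    fields["thread"] = thread
    return fields

def split_sessions(lines):
    """Group events by worker thread; a group ends at ACCESS_SESSION_TERMINATED."""
    open_sessions = defaultdict(list)
    sessions = []
    for ev in map(parse_audit_line, lines):
        open_sessions[ev["thread"]].append(ev)
        if ev.get("AuditEvent") == "ACCESS_SESSION_TERMINATED":
            sessions.append(open_sessions.pop(ev["thread"]))
    sessions.extend(open_sessions.values())  # sessions with no TERMINATED line yet
    return sessions

POP_EVENTS = {"PROOF_OF_POSSESSION", "CMC_ID_POP_LINK_WITNESS"}

def classify_issuances(lines) -> dict:
    """Map ReqID -> how the certificate came to be issued.

    single-trip-with-pop : request and issuance in one session, POP audited
    two-trip-completion  : issuance in a session that did not submit the request
                           (the DecryptedPOP round of the EncryptedPOP flow)
    ALERT                : request and issuance in one session, no POP event at all
    """
    verdicts = {}
    for sess in split_sessions(lines):
        requested = {e.get("ReqID") for e in sess if e.get("AuditEvent") == "PROFILE_CERT_REQUEST"}
        pop_ok = any(e.get("AuditEvent") in POP_EVENTS and e.get("Outcome") == "Success" for e in sess)
        for e in sess:
            if e.get("AuditEvent") != "CERT_REQUEST_PROCESSED" or e.get("Outcome") != "Success":
                continue
            rid = e.get("ReqID")
            if rid not in requested:
                verdicts[rid] = "two-trip-completion"
            elif pop_ok:
                verdicts[rid] = "single-trip-with-pop"
            else:
                verdicts[rid] = "ALERT: issued without POP audit"
    return verdicts

SAMPLE_LINES = [
    # round 1 of the two-trip CRMF case (from the test output, abridged)
    "0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=usercert,CN=usercert][Outcome=Success][AuthMgr=CMCUserSignedAuth] authentication success",
    "0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][ProfileID=caFullCMCUserSignedCert] certificate request made with certificate profiles",
    "0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:47 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated",
    # round 2 (DecryptedPOP) of the same request, on another thread
    "0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ArchivalRequestID=53][RequestId=53] security data archival request made",
    "0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][CertSerialNum=204535043] certificate request processed",
    "0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated",
    # single-trip PKCS#10 case with POP and link witness audited
    "0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=EnrollProfile: parseCMC: : ident_s=user2@#$%] Identification Proof of Possession linking witness verification",
    "0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=method=EnrollProfile: fillTaggedRequest: ] proof of possession",
    "0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][ProfileID=caFullCMCUserSignedCert] certificate request made with certificate profiles",
    "0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][CertSerialNum=107180564] certificate request processed",
    "0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated",
    # constructed: request and issuance in one session with no POP event at all
    "0.http-bio-20443-exec-9 - [30/Jan/2018:14:00:00 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=99][ProfileID=caFullCMCUserSignedCert] certificate request made with certificate profiles",
    "0.http-bio-20443-exec-9 - [30/Jan/2018:14:00:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=99][CertSerialNum=1] certificate request processed",
    "0.http-bio-20443-exec-9 - [30/Jan/2018:14:00:01 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated",
]

if __name__ == "__main__":
    for rid, verdict in sorted(classify_issuances(SAMPLE_LINES).items()):
        print(f"ReqID {rid}: {verdict}")
```

Tomcat reuses its exec threads, so a missing ACCESS_SESSION_TERMINATED line would merge two sessions on the same thread; in a production pipeline the grouping key should also include the timestamp window or the SubjectID.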
1. There is no encryptedPOP/decryptedPOP for pkcs#10. It's always signed with the request key, so it by itself is always a POP. So this case is not a legit case. There are a few things that look weird in your test.
a. PKCS10Client -d /root/nssdb_75 -p SECret.123 -n "cn=userpkcs10, uid=Testing, ou=test" -o user-signed/crmf2.req
- you send the pkcs10 request to a file named "crmf2.req" (does that not confuse you?)
b. it's unclear from your description where the HttpClient wrote to. But you checked CMCResponse -d . -i user-signed/cmcResp2-round1
Anyways, it's not a valid case to begin with.
2. popLinkWitness does not apply to crmf requests that do not have POP (remember: no POP, no POP link). I thought I explained that in my comments to your test plan. It's possible that it was lost when I didn't save the first draft and had to write it the 2nd time.
I was going through https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c10 and trying to do a test for "cmc.popLinkWitnessRequired=true logic so that encryptedPOP is allowed" & "This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism."

(In reply to Christina Fu from comment #16)
> 1. there is no encryptedPOP/decryptedPOP for pkcs#10. It's always signed
> with the request key so it by itself is always a POP. So this case is not a
> legit case. There are a few things look weird in your test.
> a. PKCS10Client -d /root/nssdb_75 -p SECret.123 -n "cn=userpkcs10,
> uid=Testing, ou=test" -o user-signed/crmf2.req
> - you send the pkcs10 request to a file named "crmf2.req" (does that
> not confuse you?

-- I used the same cmcrequest file; I just made changes to the request type and used the same file for pkcs10. That's why you are seeing the same file name.

> b. it's unclear from your description where the HttpClient wrote to. But
> you checked CMCResponse -d . -i user-signed/cmcResp2-round1
> Anyways, it's not a valid case to begin with.
>
> 2. popLinkWitness does not apply to crmf requests that do not have POP
> (remember: no POP, no POP link). I thought I explained that in my comments
> to your test plan. It's possibly that it was lost when I didn't save the
> first draft and had to wrote the 2nd time.

-- If I have to test the above mentioned scenario, https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c10 and https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c13, what can be the best way to test that?
To test this bug:

Case 1: make sure request without POP still works

* enable cmc.popLinkWitnessRequired=true
* execute this: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_CMC_request_Without_POP_.28Encrypted_POP_.2F_Decrypted_POP.29

Case 2: make sure requests with POP and popLinkWitnessV2 work:

sub case a: pkcs#10 with popLinkWitnessV2
sub case b: crmf with popLinkWitnessV2

Case 3: make sure requests with POP but without popLinkWitnessV2 fail:

sub case a: pkcs#10 without popLinkWitnessV2
sub case b: crmf (with pop) without popLinkWitnessV2

(In reply to Christina Fu from comment #18)
> To test this bug:
>
> Case 1: make sure request without POP still works
>
> * enable cmc.popLinkWitnessRequired=true
> * execute this:
> http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_CMC_request_Without_POP_.28Encrypted_POP_.2F_Decrypted_POP.29

-- This is taken care of in https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c15 Test Case 2.2: With crmf.

> Case 2: make sure requests with POP and popLinkWitnessV2 works:
>
> sub case a: pkcs#10 with popLinkWitnessV2
> sub case b: crmf with popLinkWitnessV2

-- Do you mean http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_CMC_requests_Example_.28with_PopLinkWitnessV2.29?

> Case 3: make sure requests with POP but without popLinkWitnessV2 fails:
>
> sub case a: pkcs#10 without popLinkWitnessV2
> sub case b: crmf (with pop) without popLinkWitnessV2

-- Yes, it fails because cmc.popLinkWitnessRequired=true but popLinkWitnessV2.enable=false.

yes

All the above scenarios are tested. Marking this bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925
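The reopen note ("when it is true, it is impossible to do encryptedPOP because there is no POP to start with") and the test plan above (Case 1 through Case 3) together define the CA-side decision this bug fixed. The following is an added example, not Dogtag or Red Hat Certificate System code, that models that decision in Python and runs the test plan's matrix against it. It makes these assumptions: the PopLinkWitnessV2 value is computed as RFC 5272 describes, a PBKDF2-derived key from the shared secret used to MAC the popLinkRandom value, with SHA-256, the salt and the iteration count chosen for the example; when cmc.popLinkWitnessRequired is false the witness is not checked; and the first trip of a request without POP is reported as an EncryptedPOP challenge, which in the real server is the CMCStatusInfoV2 FAIL/"POP required" plus the EncryptedPOP control seen in Test Case 2.2 round 1. The `fixed=False` path reproduces the pre-fix dead end for contrast.

```python
# Added example (not Dogtag/RHCS code): a model of the CA-side decision this bug
# fixed. Request model, names and algorithm parameters are assumptions; the
# decision rules come from the bug discussion and the test plan.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# RFC 5272 PopLinkWitnessV2: derive a key from the shared secret with PBKDF2 and
# MAC the popLinkRandom value with it. SHA-256, salt and iteration count are
# example parameters; in real CMC they travel in the control's AlgorithmIdentifiers.
PBKDF2_ITERATIONS = 10_000
PBKDF2_SALT = b"example-salt-16B"  # constructed for the example

def pop_link_witness_v2(shared_secret: bytes, pop_link_random: bytes) -> bytes:
    """Witness value, computed identically by the requester and by the CA."""
    key = hashlib.pbkdf2_hmac("sha256", shared_secret, PBKDF2_SALT, PBKDF2_ITERATIONS, dklen=32)
    return hmac.new(key, pop_link_random, hashlib.sha256).digest()

@dataclass
class CmcRequest:
    kind: str                        # "pkcs10" or "crmf"
    has_pop: bool                    # CRMF generated with POP_NONE carries no POP
    pop_link_random: bytes           # value from the popLinkRandom control
    witness: Optional[bytes] = None  # PopLinkWitnessV2 attached to the request, if any

    def __post_init__(self) -> None:
        # A PKCS#10 request is signed with the request key, so it is always its own POP.
        if self.kind == "pkcs10":
            self.has_pop = True

def ca_process(req: CmcRequest, pop_link_witness_required: bool,
               shared_secret: bytes, fixed: bool = True) -> str:
    """First-trip outcome for a user-signed CMC request.

    fixed=False reproduces the pre-fix behaviour: with cmc.popLinkWitnessRequired=true
    a request without POP was rejected outright, so the EncryptedPOP/DecryptedPOP
    two-trip flow could never start.
    """
    if not req.has_pop:
        if pop_link_witness_required and not fixed:
            return "FAIL: pop required"
        # No POP means no POP link to check: answer with an EncryptedPOP control
        # (CMC status FAIL, failInfo=POP required) and finish on the DecryptedPOP trip.
        return "ENCRYPTED_POP_CHALLENGE"
    if pop_link_witness_required:
        if req.witness is None:
            return "FAIL: popLinkWitness required"
        expected = pop_link_witness_v2(shared_secret, req.pop_link_random)
        if not hmac.compare_digest(expected, req.witness):
            return "FAIL: popLinkWitness mismatch"
    return "ISSUED"

def run_test_matrix(shared_secret: bytes) -> dict:
    """The test plan's three cases, all with cmc.popLinkWitnessRequired=true."""
    rnd = bytes(range(16))  # constructed popLinkRandom
    good = pop_link_witness_v2(shared_secret, rnd)
    cases = {
        "case1_crmf_without_pop":       CmcRequest("crmf", False, rnd),
        "case2a_pkcs10_with_witness":   CmcRequest("pkcs10", True, rnd, good),
        "case2b_crmf_pop_with_witness": CmcRequest("crmf", True, rnd, good),
        "case3a_pkcs10_no_witness":     CmcRequest("pkcs10", True, rnd),
        "case3b_crmf_pop_no_witness":   CmcRequest("crmf", True, rnd),
    }
    return {name: ca_process(r, True, shared_secret) for name, r in cases.items()}

if __name__ == "__main__":
    for name, outcome in run_test_matrix(b"shared-secret").items():
        print(f"{name:30s} {outcome}")
```

Case 1 is the one the reopen was about: before the additional fix, `ca_process(..., fixed=False)` returns "FAIL: pop required" and the requester has no way forward short of editing CS.cfg and restarting the CA; after it, the same request gets the EncryptedPOP challenge and completes on round 2, while Cases 2 and 3 keep the popLinkWitnessV2 enforcement for every request that does carry a POP.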