Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error
Summary: CMC: cmc.popLinkWitnessRequired=false would cause error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1472617
Reported: 2017-05-01 23:52 UTC by Christina Fu
Modified: 2020-10-04 21:28 UTC
CC List: 5 users

Fixed In Version: pki-core-10.5.1-6.el7
Doc Type: No Doc Update
Doc Text:
Certificate System now handles requests without POP correctly
Previously, Certificate System failed to execute encrypted Proof-of-Possession (POP) operations, even if the "cmc.popLinkWitnessRequired" parameter in the `/var/lib/pki/<instance_name>/ca/conf/CS.cfg` file was set to "true". This patch adds support for Certificate Management over CMS (CMC) requests without POP. As a result, requests without POP will now be handled correctly.
Clone Of:
Clones: 1472617
Environment:
Last Closed: 2018-04-10 16:58:29 UTC
Target Upstream Version:
Embargoed:




Links:
- Github dogtagpki pki issues 2795 (status: closed): CMC: cmc.popLinkWitnessRequired=false would cause error (last updated 2020-12-30 16:18:22 UTC)
- Red Hat Product Errata RHBA-2018:0925 (last updated 2018-04-10 16:59:35 UTC)

Description Christina Fu 2017-05-01 23:52:29 UTC
There appears to be a bug in parseCMC() where, if cmc.popLinkWitnessRequired=false in CS.cfg (which happens to be the default), an error would occur.

Workaround is to set cmc.popLinkWitnessRequired=true until fix is available.

Comment 2 Christina Fu 2017-05-02 18:50:36 UTC
commit c95cff5899e2975b16db61b811b626742e5e7114
Author: Christina Fu <cfu>
Date:   Mon May 1 17:48:33 2017 -0700

    Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error
    This patch would fix the issue.  It also adds the CMCUserSignedAuth
    authentication instance that was missed in the CS.cfg

Comment 4 Geetika Kapoor 2017-06-27 19:36:06 UTC
Test build:

rpm -qa pki-ca
pki-ca-10.4.1-10.el7.noarch

Test steps:

1. Verified CS.cfg and checked the default value of cmc.popLinkWitnessRequired=false.
2. Executed the Self-Signed CMC Request Example (with IdentityProofV2) and the User-signed CMC requests Example (with PopLinkWitnessV2), and they worked as expected.

Do you think I can also try some other use cases for this testing?

Comment 8 Matthew Harmsen 2017-07-19 17:22:21 UTC
(In reply to Geetika Kapoor from comment #4)
> Test build:
> 
> rpm -qa pki-ca
> pki-ca-10.4.1-10.el7.noarch
> 
> Test steps:
> 
> 1. Verified CS.cfg and check default value of
> cmc.popLinkWitnessRequired=false.
> 2. Executed Self-Signed CMC Request Example (with IdentityProofV2) and
> User-signed CMC requests Example (with PopLinkWitnessV2) and it worked as
> expected.
> 
> Do you think I can try some other use case also for this testing?

This question has been moved to the RHEL 7.4.z bug -- https://bugzilla.redhat.com/show_bug.cgi?id=1472617

Comment 10 Christina Fu 2018-01-12 19:33:16 UTC
Need to reopen this bug.

While the cmc.popLinkWitnessRequired param in CS.cfg is working as expected, when it is true it is impossible to do encryptedPOP, because there is no POP to start with and the request would therefore be rejected.  Changing this value and restarting the server is not a reasonable option for most deployment sites.

We should add a caveat to the cmc.popLinkWitnessRequired logic so that encryptedPOP is allowed.

Comment 12 Christina Fu 2018-01-19 22:36:47 UTC
The previous fix did not take PKCS#10 into account. Need to address that.

Comment 13 Christina Fu 2018-01-20 00:45:24 UTC
commit d69c11d56d0e1f4368ab21715c2c5496fb08f969 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date:   Fri Jan 19 14:45:17 2018 -0800

    Ticket #2675 take care of PKCS#10 for cmc.popLinkWitnessRequired
    
    This patch adds support to handle PKCS#10 which was neglected in previous
    "additional" fix.
    
    Fixes: https://pagure.io/dogtagpki/issue/2675
    Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055
    (cherry picked from commit 91c6c781e5e2c26b77619e6f4c08dc5d77bb5adf)

commit bb10545e728f0ff86ea4b3899d2de42b2398acfa
Author: Christina Fu <cfu>
Date:   Tue Jan 16 18:15:21 2018 -0800

    Ticket #2675 additional fix to allow requests without POP
    
    This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism.
    
    Fixes: https://pagure.io/dogtagpki/issue/2675
    Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b
    (cherry picked from commit c52c51c6516cd39caec52441d0756b1756050ae3)

Comment 15 Geetika Kapoor 2018-01-30 18:44:50 UTC
I am trying it with cmc.popLinkWitnessRequired=true with pkcs10 and crmf.
With crmf it is 2 steps, but with pkcs10 I see that after the first step it throws success. Not sure what went wrong. Could you please look into this.

Thanks

Test bits:
=========
rpm -qa pki-*
pki-tools-10.5.1-6.el7.x86_64
pki-ocsp-10.5.1-6.el7pki.noarch
pki-javadoc-10.5.1-5.1.el7.noarch
pki-base-10.5.1-6.el7.noarch
pki-symkey-10.5.1-6.el7.x86_64
pki-server-10.5.1-6.el7.noarch
pki-kra-10.5.1-6.el7.noarch
pki-tks-10.5.1-6.el7pki.noarch
pki-console-10.4.1-7.el7pki.noarch
pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64
pki-base-java-10.5.1-6.el7.noarch
pki-ca-10.5.1-6.el7.noarch
pki-tps-10.5.1-6.el7pki.x86_64


Test Case 2: Set cmc.popLinkWitnessRequired=true with User-signed CMC request Without POP (Encrypted POP / Decrypted POP)
==========================================================================================================================

Test Case 2.1: With PKCS10
---------------------------
Step1: Set the below in both the EncryptedPOP and DecryptedPOP cmc files.


-- Add identityProofV2.enable=false
-- Add popLinkWitnessV2.enable=true
-- identification.enable=true

Step2:

 PKCS10Client -d /root/nssdb_75 -p SECret.123 -n "cn=userpkcs10, uid=Testing, ou=test" -o user-signed/crmf2.req
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: CertificationRequest created.
PKCS10Client: b64encode completes.
Keypair private key id: 10bb5031e9396daf2880875825ce291709dcf08f

-----BEGIN CERTIFICATE REQUEST-----
(base64 request body omitted)
-----END CERTIFICATE REQUEST-----
PKCS10Client: done. Request written to file: user-signed/crmf2.req

2. Run CMCRequest and HttpClient

Audit logs:

0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=UID=usercert,CN=usercert][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=EnrollProfile: parseCMC: : ident_s=user2@#$%] Identification Proof of Possession linking witness verification
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=method=EnrollProfile: fillTaggedRequest: ] proof of possession
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][ProfileID=caFullCMCUserSignedCert][CertSubject=UID=usercert,CN=usercert] certificate request made with certificate profiles
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][CertSerialNum=107180564] certificate request processed
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated


[root@csqa4-guest04 75]# CMCResponse -d . -i user-signed/cmcResp2-round1
Certificates:
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x6637214
            Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
            Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
            Validity:
                Not Before: Tuesday, January 30, 2018 1:36:31 PM EST America/New_York
                Not  After: Sunday, July 29, 2018 1:36:31 PM EDT America/New_York
            Subject: UID=usercert,CN=usercert
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        AF:90:B4:FF:6C:2D:CD:D0:DA:83:99:27:EC:EC:FF:2D:
                        25:7B:07:50:54:8C:BD:35:13:A4:42:66:14:7F:1A:2B:
                        C4:D0:10:46:50:C0:BB:5A:FF:3A:21:5F:C9:5A:C8:E2:
                        4F:7C:3F:70:82:60:E4:3D:46:E6:35:24:7F:63:DA:20:
                        B9:AC:0B:C1:F2:0F:E4:46:A4:7E:15:3E:3D:CF:81:EE:
                        51:97:A1:A3:74:CA:13:97:C2:C0:E7:0C:89:EA:15:5E:
                        1D:E2:7F:0D:2D:2D:70:A6:F2:C7:42:13:9D:EC:E8:9C:
                        94:94:D5:33:99:E2:57:9D:03:9E:22:BF:4E:F9:9A:59:
                        7E:C8:EE:68:DB:84:33:1A:08:70:AE:9C:08:91:C4:85:
                        8C:1D:CD:AC:4E:2D:F4:34:25:D6:3A:E1:BD:9C:2D:66:
                        CB:96:CC:FB:7D:9A:BD:F1:61:53:B5:92:11:F3:56:53:
                        ED:4D:8F:DA:79:0D:4E:00:4B:1D:66:36:91:8F:98:91:
                        0A:58:24:4E:55:E4:24:26:D5:D6:10:67:E8:A3:22:B8:
                        F2:A2:2F:CE:D5:FE:FA:B8:B0:2A:F9:A1:57:99:7E:09:
                        D7:B2:44:80:8D:EE:3E:A9:E9:1D:3F:27:B3:78:EF:75:
                        7A:03:51:9D:16:04:0E:EB:36:E6:72:B8:0E:0B:6B:D1
            Extensions:
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no
                    Key Identifier:
                        C9:6E:B3:4D:4A:FB:3B:75:4D:D8:C9:0C:92:64:D4:91:
                        AE:DB:5E:BF
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no
                    Value:
                        30:4B:30:49:06:08:2B:06:01:05:05:07:30:01:86:3D:
                        68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65:
                        73:74:30:34:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67:
                        2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A:
                        32:30:30:38:30:2F:63:61:2F:6F:63:73:70
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes
                    Key Usage:
                        Digital Signature
                        Non Repudiation
                        Key Encipherment
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no
                    Extended Key Usage:
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4
        Signature:
            Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
            Signature:
                A1:24:5A:3D:E2:AC:0F:0B:C2:C2:06:63:4D:A8:9D:17:
                E7:07:4D:C9:72:B9:AD:5F:4B:58:83:49:35:41:41:C8:
                AD:4E:4D:E9:10:BE:71:8F:F0:9C:F0:A0:75:5B:85:5D:
                D7:42:3C:A9:08:F5:13:23:E4:A9:97:15:BC:A8:56:F6:
                C7:5C:9F:32:97:3C:0F:94:78:DA:AC:66:F6:FD:F4:EC:
                C2:29:81:AC:86:7E:D9:DE:E6:F1:90:82:D0:D3:25:63:
                DE:96:59:90:61:88:F9:29:65:99:4F:2D:44:18:39:D2:
                41:BF:13:43:4E:84:1B:C0:38:1C:C2:AC:A6:B2:CA:26:
                75:78:C3:02:52:DA:31:1A:32:8D:56:49:CE:C1:F7:00:
                5E:2E:7E:FE:85:7B:17:FE:F6:BB:40:82:5A:93:C5:2A:
                F0:36:42:92:5E:B9:98:A7:14:D4:8F:56:47:EA:B2:7D:
                EF:99:45:65:A0:C8:30:A6:9A:6C:48:FF:C4:8E:36:A2:
                36:99:46:75:F4:71:69:44:33:F9:FD:07:E6:89:EE:73:
                68:C4:09:93:5F:76:81:7E:13:F5:0D:E4:C7:D1:01:46:
                51:1B:6F:BA:47:3B:B7:C3:4C:C9:C2:1F:E6:17:F1:0E:
                D0:33:72:35:4F:A4:3F:7A:A0:BF:F9:F1:0F:4C:CC:68
        FingerPrint
            MD2:
                74:1B:1A:8C:0B:B1:0C:1A:5A:93:E1:F9:7F:2A:11:C7
            MD5:
                C4:BC:A3:98:CC:03:FA:1D:59:3F:A2:3E:00:C3:77:B5
            SHA-1:
                2F:B3:B9:78:47:BE:AC:7E:EB:DF:53:B5:72:43:29:92:
                9C:08:79:A0
            SHA-256:
                2B:24:03:93:44:DD:5D:B4:88:86:98:A7:05:F3:53:7B:
                2E:E3:E9:01:15:68:D2:21:B2:E7:EE:D7:29:24:F8:F8
            SHA-512:
                AE:4F:21:F9:1F:E1:56:03:6B:71:A1:AA:9F:70:5E:B4:
                A2:FE:E2:F1:9D:6B:4B:16:B9:5B:D0:52:E6:E9:FB:A5:
                5A:31:9F:2B:61:85:3E:EB:8A:C2:EE:98:AD:00:BC:14:
                C6:9C:68:2B:E6:1C:17:EB:9C:9B:B5:68:48:38:27:C0
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x9FB8FED
            Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
            Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
            Validity:
                Not Before: Tuesday, January 23, 2018 1:20:59 AM EST America/New_York
                Not  After: Saturday, January 23, 2038 1:20:59 AM EST America/New_York
            Subject: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        A8:2E:B5:CC:CD:5A:9C:35:01:B0:E3:E2:81:F5:AB:7A:
                        87:CA:F3:EB:C7:D6:F0:52:C7:D3:0A:D3:BD:5D:00:29:
                        A8:AC:01:2F:3D:44:DD:16:B3:D9:52:B2:10:83:F9:57:
                        26:84:96:99:D9:84:33:EC:C3:BB:BC:60:29:C9:97:C9:
                        FE:92:D2:E3:C7:9B:ED:52:C9:14:E9:0A:8B:78:FB:36:
                        9D:86:D3:C4:14:52:7A:68:6B:E8:9C:5C:DD:3F:FE:DC:
                        DB:09:11:02:2C:E2:C7:CA:6D:63:19:B3:1C:1F:7E:C4:
                        74:E7:4D:F3:F5:2D:FD:B7:AC:C5:B9:0E:75:3B:99:97:
                        BE:AA:E0:A3:2E:51:6D:77:E7:E9:E9:13:97:BC:1B:8A:
                        7E:8A:C5:AE:61:1E:B0:FE:29:F6:2F:1F:6F:4D:A7:54:
                        6B:23:5C:F1:6C:AB:DB:C1:EC:99:5A:FF:67:95:24:57:
                        27:F1:D4:13:51:A7:6C:92:4D:4A:AE:81:20:D1:BF:57:
                        C6:E9:6E:8A:6B:61:95:F3:B1:42:28:15:6E:F8:63:0F:
                        D6:F0:8E:DC:41:74:49:D7:06:BB:10:FA:A2:2C:40:67:
                        A1:6F:FE:18:0A:EA:51:55:04:23:19:A8:96:BB:E7:AB:
                        78:06:C8:1A:E4:21:22:4F:9B:DA:38:9A:CC:61:AD:F9
            Extensions:
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no
                    Key Identifier:
                        C9:6E:B3:4D:4A:FB:3B:75:4D:D8:C9:0C:92:64:D4:91:
                        AE:DB:5E:BF
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes
                    Is CA: yes
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes
                    Key Usage:
                        Digital Signature
                        Non Repudiation
                        Key CertSign
                        Crl Sign
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no
                    Key Identifier:
                        C9:6E:B3:4D:4A:FB:3B:75:4D:D8:C9:0C:92:64:D4:91:
                        AE:DB:5E:BF
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no
                    Value:
                        30:4B:30:49:06:08:2B:06:01:05:05:07:30:01:86:3D:
                        68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65:
                        73:74:30:34:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67:
                        2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A:
                        32:30:30:38:30:2F:63:61:2F:6F:63:73:70
        Signature:
            Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
            Signature:
                9A:67:C4:F9:8E:70:8B:CA:B6:00:71:54:AC:E8:8E:CA:
                C1:1A:B6:51:D6:BD:A3:3F:9F:56:0E:63:CC:59:0C:67:
                DA:14:79:3F:05:74:AE:C5:D7:C5:B4:79:CC:23:56:2E:
                80:B2:A1:31:B1:53:9B:C5:C7:4A:2B:2E:D4:23:A6:2F:
                52:7D:82:B0:90:1E:52:4C:6D:AA:67:40:FC:C4:BC:B2:
                5E:6D:FC:E1:96:76:6B:9A:61:C0:06:0B:83:A6:18:82:
                D1:1F:DF:83:F8:45:22:85:4C:E7:7A:20:AB:BA:C0:16:
                5C:97:A9:E1:0D:EB:CE:58:79:6E:23:7A:AE:1B:5A:A7:
                33:A4:35:D6:E9:38:0A:8D:0F:F9:E8:7C:C1:E8:90:44:
                8A:93:63:6E:4D:C0:AA:4D:0D:31:0C:94:B3:FC:71:00:
                8F:93:19:A1:C4:84:F7:8A:0F:34:36:59:D6:BF:FE:42:
                F4:71:96:9B:96:73:32:31:2B:D8:B6:BF:50:A0:A2:33:
                1D:2C:CD:C4:6C:E4:8D:23:4B:12:D1:61:31:D7:FD:2C:
                9C:76:2D:D2:91:2F:52:EE:7E:9B:B1:4E:F8:A2:51:82:
                EE:51:A3:90:31:3A:A3:DF:A2:40:D2:BA:87:8C:35:B8:
                A8:D6:EE:0B:F4:55:BB:90:C6:A6:DC:BE:D5:8A:8C:67
        FingerPrint
            MD2:
                DD:A4:FE:DE:91:3E:C3:B5:22:AA:B8:4A:5B:E6:20:4B
            MD5:
                16:F5:F3:A6:06:CA:0E:81:08:B6:12:F0:9A:36:BF:18
            SHA-1:
                41:15:2E:83:DA:25:A2:60:73:82:8C:9D:A4:60:14:73:
                0A:6C:22:DB
            SHA-256:
                B5:62:43:99:C1:43:DB:DB:6D:F3:B4:27:99:61:DF:82:
                56:D2:5B:2E:86:48:29:F2:80:BE:49:77:BC:7E:E1:88
            SHA-512:
                23:3D:89:7E:C9:ED:2C:EA:20:D9:55:82:E3:CD:D7:C1:
                A4:DB:1B:E8:DD:FD:6B:EA:71:48:6E:D3:96:E5:21:D2:
                29:98:EF:12:42:AF:33:5B:D1:5E:A2:41:FD:41:A5:42:
                C1:7D:93:A9:AF:27:F5:83:8E:9C:C7:C7:0D:F2:5C:A3


Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1
   Status: SUCCESS


Test Case 2.2: With crmf
-------------------------

Step1: 

CRMFPopClient -d /root/nssdb_75/ -p SECret.123 -n "cn=Test22, uid=Testing, ou=test" -q POP_NONE -b kra.transport -w "AES/CBC/PKCS5Padding" -v -o user-signed/crmf2.req

Step2: EncryptedPOP CMC config file

-- Add identityProofV2.enable=false
-- Add popLinkWitnessV2.enable=true
-- identification.enable=true

Step3: Run CMCRequest  user-signed/cmc-crmf-EncryptedPOP.cfg

Step4: Run  HttpClient user-signed/HttpClient-cmc-crmf-EncryptedPOP.cfg

Verification:
-------------

1. Make sure the CMCResponse output looks like:

CMCResponse -d . -i user-signed/cmcResp2-round1

Number of controls is 3
Control #0: CMC encrypted POP
   OID: {1 3 6 1 5 5 7 7 9}
     encryptedPOP decoded
Control #1: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   OtherInfo type: FAIL
     failInfo=POP required
Control #2: CMC ResponseInfo
   requestID: 53
ERROR: CMC status for [1]: pop required

2. Audit logs:


0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success] access session establish success
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=usercert,CN=usercert][Outcome=Success][AuthMgr=CMCUserSignedAuth] authentication success
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=UID=usercert,CN=usercert][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][ProfileID=caFullCMCUserSignedCert][CertSubject=UID=usercert,CN=usercert] certificate request made with certificate profiles
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:47 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated



Step5: DecryptedPOP config file

-- Add identityProofV2.enable=false
-- Add popLinkWitnessV2.enable=true
-- identification.enable=true

Step6: Run CMCRequest.

CMCRequest user-signed/cmc-crmf-DecryptedPOP.cfg

Step7: Run HttpClient user-signed/HttpClient-crmf-DecryptedPOP.cfg

Verification:
-------------

CMCResponse -d . -i user-signed/cmcResp2-round2

Certificates: 
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0xC30F503
            Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
            Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
            Validity: 
                Not Before: Tuesday, January 30, 2018 1:03:46 PM EST America/New_York
                Not  After: Sunday, July 29, 2018 1:03:46 PM EDT America/New_York
......


    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x9FB8FED
            Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
            Issuer: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA
            Validity: 
                Not Before: Tuesday, January 23, 2018 1:20:59 AM EST America/New_York
                Not  After: Saturday, January 23, 2038 1:20:59 AM EST America/New_York
            Subject: CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA

Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status: SUCCESS

2. Make sure certificate 0xC30F503 is created.
3. Make sure 0xC30F503 is archived in kra.
4. Audit logs:


0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:11 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success] access session establish success
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:11 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=usercert,CN=usercert][Outcome=Success][AuthMgr=CMCUserSignedAuth] authentication success
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:11 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=UID=usercert,CN=usercert][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ArchivalRequestID=53][RequestId=53][ClientKeyID=<null>] security data archival request made
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][CertSerialNum=204535043] certificate request processed
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
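The audit lines quoted in this comment are what a verifier actually has to read to tell the one-round PKCS#10 case apart from the two-round EncryptedPOP/DecryptedPOP case. The following Python is an added example written for this page, not code from the pki project or from the commenters: it parses the CA audit-log format shown above, groups lines by the Tomcat worker thread that handled each round, and reports whether POP and the POP link witness were verified, whether the key was archived, and which serial was issued (converted to the hex form CMCResponse prints). The ReqID 53 and 55 lines are copied from this comment; the ReqID 56 round (thread exec-99, serial 4660) is constructed to show the consistency check firing.

```python
"""Summarize CMC enrollment rounds from RHCS/Dogtag CA audit lines.
Added example for this bug page; it is not code from the pki project."""
import re

# Sample input: lines copied from comment 15 (ReqID 55: PKCS#10, one round;
# ReqID 53: CRMF without POP, EncryptedPOP round then DecryptedPOP round),
# plus a constructed round (exec-99, ReqID 56) where POP was verified but no
# POP link witness event was logged.
SAMPLE_LOG = """\
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=UID=usercert,CN=usercert][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=EnrollProfile: parseCMC: : ident_s=user2@#$%] Identification Proof of Possession linking witness verification
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=method=EnrollProfile: fillTaggedRequest: ] proof of possession
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][ProfileID=caFullCMCUserSignedCert][CertSubject=UID=usercert,CN=usercert] certificate request made with certificate profiles
0.http-bio-20443-exec-17 - [30/Jan/2018:13:36:31 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=55][CertSerialNum=107180564] certificate request processed
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=usercert,CN=usercert][Outcome=Success][AuthMgr=CMCUserSignedAuth] authentication success
0.http-bio-20443-exec-1 - [30/Jan/2018:13:03:46 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][ProfileID=caFullCMCUserSignedCert][CertSubject=UID=usercert,CN=usercert] certificate request made with certificate profiles
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ArchivalRequestID=53][RequestId=53][ClientKeyID=<null>] security data archival request made
0.http-bio-20443-exec-2 - [30/Jan/2018:13:06:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=53][CertSerialNum=204535043] certificate request processed
0.http-bio-20443-exec-99 - [30/Jan/2018:14:00:00 EST] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=constructed sample] proof of possession
0.http-bio-20443-exec-99 - [30/Jan/2018:14:00:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=56][CertSerialNum=4660] certificate request processed
"""

# thread - [timestamp] [level] [source] [Key=Value]... message
LINE_RE = re.compile(
    r"^(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] \[(?P<lvl>\d+)\] \[(?P<src>\d+)\] "
    r"(?P<attrs>(?:\[[^\]]*\])+) (?P<msg>.*)$"
)
# Split on the first '=' only: values such as SubjectID=UID=usercert,CN=usercert contain '='.
ATTR_RE = re.compile(r"\[([^\]=]+)=([^\]]*)\]")


def parse_line(line):
    """Return {thread, ts, attrs, msg} for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"thread": m["thread"], "ts": m["ts"],
            "attrs": dict(ATTR_RE.findall(m["attrs"])), "msg": m["msg"]}


def summarize_rounds(log_text):
    """Group lines by worker thread (one thread serves one CMC round) and summarize each."""
    rounds = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        r = rounds.setdefault(rec["thread"], {
            "request_id": None, "events": [], "pop_verified": False,
            "pop_link_witness_verified": False, "archived": False,
            "issued": False, "serial_hex": None})
        a = rec["attrs"]
        ev = a.get("AuditEvent")
        ok = a.get("Outcome") == "Success"
        r["events"].append(ev)
        rid = a.get("ReqID") or a.get("RequestId")
        if rid:
            r["request_id"] = rid
        if ev == "PROOF_OF_POSSESSION" and ok:
            r["pop_verified"] = True
        if ev == "CMC_ID_POP_LINK_WITNESS" and ok:
            r["pop_link_witness_verified"] = True
        if ev == "SECURITY_DATA_ARCHIVAL_REQUEST" and ok:
            r["archived"] = True
        if ev == "CERT_REQUEST_PROCESSED" and ok:
            r["issued"] = True
            # The audit log prints the serial in decimal, CMCResponse in hex.
            r["serial_hex"] = "0x%X" % int(a["CertSerialNum"])
    for r in rounds.values():
        if r["issued"]:
            r["stage"] = "issued"
        elif "PROFILE_CERT_REQUEST" in r["events"]:
            r["stage"] = "pending"  # e.g. an EncryptedPOP round awaiting the DecryptedPOP trip
        else:
            r["stage"] = "no-request"
    return rounds


def issued_without_pop_link_witness(rounds):
    """Request IDs issued in a round where POP was verified but no POP link witness
    event was logged. With cmc.popLinkWitnessRequired=true these should not occur.
    A DecryptedPOP round (exec-2 above) logs no PROOF_OF_POSSESSION event and is
    therefore not flagged: no POP, no POP link."""
    return sorted(r["request_id"] for r in rounds.values()
                  if r["issued"] and r["pop_verified"] and not r["pop_link_witness_verified"])


if __name__ == "__main__":
    summary = summarize_rounds(SAMPLE_LOG)
    for thread, r in summary.items():
        print(thread, r["request_id"], r["stage"], r["serial_hex"])
    print("issued without POP link witness:", issued_without_pop_link_witness(summary))
```

Running it against a real `/var/lib/pki/<instance_name>/ca/logs/signedAudit` file (path from the Doc Text above, assumed to hold the same format) is a matter of passing the file contents to `summarize_rounds`; the per-thread grouping assumes one Tomcat worker thread handles one round, as in the lines above.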

Comment 16 Christina Fu 2018-02-01 03:41:22 UTC
1. There is no encryptedPOP/decryptedPOP for pkcs#10. It's always signed with the request key, so it by itself is always a POP.  So this case is not a legit case.  There are a few things that look weird in your test.
  a.  PKCS10Client -d /root/nssdb_75 -p SECret.123 -n "cn=userpkcs10, uid=Testing, ou=test" -o user-signed/crmf2.req
       - you send the pkcs10 request to a file named "crmf2.req" (does that not confuse you?)
  b. It's unclear from your description where the HttpClient wrote to.  But you checked CMCResponse -d . -i user-signed/cmcResp2-round1
Anyway, it's not a valid case to begin with.

2. popLinkWitness does not apply to crmf requests that do not have POP (remember: no POP, no POP link).  I thought I explained that in my comments to your test plan.  It's possible that it was lost when I didn't save the first draft and had to write it a second time.

Comment 17 Geetika Kapoor 2018-02-01 04:25:52 UTC
I was going through https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c10 and trying to do a test for "cmc.popLinkWitnessRequired=true logic so that encryptedPOP is allowed" and
This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism.

(In reply to Christina Fu from comment #16)
> 1. there is no encryptedPOP/decryptedPOP for pkcs#10. It's always signed
> with the request key so it by itself is always a POP.  So this case is not a
> legit case.  There are a few things look weird in your test.
>   a.  PKCS10Client -d /root/nssdb_75 -p SECret.123 -n "cn=userpkcs10,
> uid=Testing, ou=test" -o user-signed/crmf2.req
>        - you send the pkcs10 request to a file named "crmf2.req" (does that
> not confuse you?
-- I used the same CMCRequest config file; I just changed the request type and used the same file for pkcs10, that's why you are seeing the same file name.
>   b. it's unclear from your description where the HttpClient wrote to.  But
> you checked CMCResponse -d . -i user-signed/cmcResp2-round1
> Anyways, it's not a valid case to begin with.
> 
> 2. popLinkWitness does not apply to crmf requests that do not have POP
> (remember: no POP, no POP link).  I thought I explained that in my comments
> to your test plan.  It's possibly that it was lost when I didn't save the
> first draft and had to wrote the 2nd time.
-- If I have to test the above mentioned scenarios, https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c10 and https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c13, what is the best way to test that?

Comment 18 Christina Fu 2018-02-01 19:42:47 UTC
To test this bug:

Case 1: make sure request without POP still works

* enable cmc.popLinkWitnessRequired=true
* execute this: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_CMC_request_Without_POP_.28Encrypted_POP_.2F_Decrypted_POP.29


Case 2: make sure requests with POP and popLinkWitnessV2 works:

sub case a: pkcs#10 with popLinkWitnessV2
sub case b: crmf with popLinkWitnessV2

Case 3: make sure requests with POP but without popLinkWitnessV2 fails:

sub case a: pkcs#10 without popLinkWitnessV2
sub case b: crmf (with pop) without popLinkWitnessV2
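The three cases above, together with the rule from comment 16 (PKCS#10 is always a POP; a CRMF request without POP has no POP link, so the witness requirement does not apply) and the commit message in comment 13 (requests without POP are served by the EncryptedPOP/DecryptedPOP two-trip mechanism even when cmc.popLinkWitnessRequired is true), can be written down as a small decision table. The following Python is an added illustration for this page, not Dogtag's `EnrollProfile.parseCMC()` or any other pki project code; the request fields, outcome names and the `two_trip`/`comment18_matrix` helpers are this example's own simplification, and the crash that comment 1 reports for `cmc.popLinkWitnessRequired=false` before the first fix is not modelled.

```python
"""Decision model for cmc.popLinkWitnessRequired after the fixes in comment 13.
Added illustration for this bug page; it is not Dogtag's EnrollProfile.parseCMC()."""
from dataclasses import dataclass
from enum import Enum


class ReqType(Enum):
    PKCS10 = "pkcs10"
    CRMF = "crmf"


class Outcome(Enum):
    ISSUED = "certificate issued"
    # Round 1 of the two-trip flow: CMCStatusInfoV2 failInfo=POP required plus an
    # EncryptedPOP control, as in the cmcResp2-round1 output in comment 15.
    ENCRYPTED_POP = "failInfo=POP required; EncryptedPOP control returned"
    REJECTED = "rejected: popLinkWitnessV2 required but not present"


@dataclass(frozen=True)
class CmcRequest:
    req_type: ReqType
    has_pop: bool                  # PKCS#10 is signed with the request key: always True
    has_pop_link_witness_v2: bool  # client sent popLinkWitnessV2 (popLinkWitnessV2.enable=true)
    decrypted_pop: bool = False    # second trip carrying the DecryptedPOP control


def decide(req: CmcRequest, pop_link_witness_required: bool) -> Outcome:
    """Apply the CS.cfg setting to one request (model, not the real parser)."""
    if req.req_type is ReqType.PKCS10 and not req.has_pop:
        raise ValueError("PKCS#10 is always a POP; 'PKCS#10 without POP' is not a valid case")
    if not req.has_pop:
        # CRMF without POP: no POP, no POP link, so the witness requirement does not
        # apply; the request is served by the EncryptedPOP/DecryptedPOP trips instead.
        return Outcome.ISSUED if req.decrypted_pop else Outcome.ENCRYPTED_POP
    if pop_link_witness_required and not req.has_pop_link_witness_v2:
        return Outcome.REJECTED
    return Outcome.ISSUED


def two_trip(pop_link_witness_required: bool = True):
    """Both trips of a CRMF request generated with CRMFPopClient -q POP_NONE."""
    first = decide(CmcRequest(ReqType.CRMF, False, False), pop_link_witness_required)
    second = decide(CmcRequest(ReqType.CRMF, False, False, decrypted_pop=True),
                    pop_link_witness_required)
    return first, second


def comment18_matrix(pop_link_witness_required: bool = True):
    """Cases 1-3 of comment 18, by default with cmc.popLinkWitnessRequired=true."""
    req = pop_link_witness_required
    return {
        "case1_crmf_without_pop": two_trip(req),
        "case2a_pkcs10_with_witness": decide(CmcRequest(ReqType.PKCS10, True, True), req),
        "case2b_crmf_with_witness": decide(CmcRequest(ReqType.CRMF, True, True), req),
        "case3a_pkcs10_without_witness": decide(CmcRequest(ReqType.PKCS10, True, False), req),
        "case3b_crmf_pop_without_witness": decide(CmcRequest(ReqType.CRMF, True, False), req),
    }


if __name__ == "__main__":
    for name, result in comment18_matrix().items():
        print(f"{name}: {result}")
```

Calling `comment18_matrix(pop_link_witness_required=False)` gives the behaviour of the shipped default that comment 4 tested: nothing is rejected for a missing witness, while the two-trip path for a CRMF request without POP is unchanged.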

Comment 19 Geetika Kapoor 2018-02-12 11:47:43 UTC
(In reply to Christina Fu from comment #18)
> To test this bug:
> 
> Case 1: make sure request without POP still works
> 
> * enable cmc.popLinkWitnessRequired=true
> * execute this:
> http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-
> signed_CMC_request_Without_POP_.28Encrypted_POP_.2F_Decrypted_POP.29
> 
-- This is taken care of in https://bugzilla.redhat.com/show_bug.cgi?id=1447145#c15, Test Case 2.2: With crmf.
> 
> Case 2: make sure requests with POP and popLinkWitnessV2 works:
> 
> sub case a: pkcs#10 with popLinkWitnessV2
> sub case b: crmf with popLinkWitnessV2

-- Do you mean http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_CMC_requests_Example_.28with_PopLinkWitnessV2.29????
> 
> Case 3: make sure requests with POP but without popLinkWitnessV2 fails:
> 
> sub case a: pkcs#10 without popLinkWitnessV2
> sub case b: crmf (with pop) without popLinkWitnessV2

-- Yes, it fails because cmc.popLinkWitnessRequired=true but popLinkWitnessV2.enable=false.

Comment 20 Christina Fu 2018-02-14 17:50:51 UTC
yes

Comment 21 Geetika Kapoor 2018-02-15 07:43:03 UTC
All the above scenarios are tested. Marking this bug verified.

Comment 27 errata-xmlrpc 2018-04-10 16:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

