Bug 1460764 - CC: CMC: check HTTPS client authentication cert against CMC signer
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Christina Fu
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
Keywords: ZStream
Depends On:
Blocks: 1469447
Reported: 2017-06-12 12:22 EDT by Christina Fu
Modified: 2018-04-10 12:59 EDT

See Also:
Fixed In Version: pki-core-10.4.1-10.el7
Doc Type: No Doc Update
Doc Text:
https://bugzilla.redhat.com/show_bug.cgi?id=1518180#c7
Story Points: ---
Clone Of:
Clones: 1469447
Environment:
Last Closed: 2018-04-10 12:58:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0925 None None None 2018-04-10 12:59 EDT
Description Christina Fu 2017-06-12 12:22:04 EDT
There is a requirement in the CA PP 2.0 FIA_CMC_EXT.1.4 where it basically states that in the case of user-signed CMC requests, they must be through HTTPS and the SSL client auth cert must match that of the CMC signing cert.
Comment 2 Christina Fu 2017-06-15 15:05:13 EDT
pushed to dogtag master

commit 63c9582009b3858a6878863b9658d04c9aad45c1
Author: Christina Fu <cfu@redhat.com>
Date:   Wed Jun 14 14:57:10 2017 -0700
Comment 3 Matthew Harmsen 2017-06-15 16:36:56 EDT
Libor,

Since we will be building snapshot-5 to address https://bugzilla.redhat.com/show_bug.cgi?id=1461533, we would appreciate it if you would also provide a blocker flag for this bug, since it blocks QE from testing CMC.

-- Matt
Comment 4 Matthew Harmsen 2017-06-19 18:44:43 EDT
commit 32cf3850935590f7f4cd457b824cc296b6af44b9
Author: Christina Fu <cfu@redhat.com>
Date:   Wed Jun 14 14:57:10 2017 -0700

    Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer
    
    This patch adds enforcement in CMCUserSignedAuth to make sure SSL client aut
    Some auditing adjustments are also done.
    
    (cherry picked from commit 63c9582009b3858a6878863b9658d04c9aad45c1)
Comment 12 Geetika Kapoor 2018-01-31 23:47:32 EST
Test bits:
==========

rpm -qa nss* pki-* jss*
nss-softokn-devel-3.34.0-2.el7.x86_64
nss-softokn-3.34.0-2.el7.x86_64
pki-tools-10.5.1-6.el7.x86_64
pki-ocsp-10.5.1-6.el7pki.noarch
pki-javadoc-10.5.1-5.1.el7.noarch
nss-3.34.0-4.el7.x86_64
nss-pem-1.0.3-4.el7.x86_64
nss-sysinit-3.34.0-4.el7.x86_64
nss-util-devel-3.34.0-2.el7.x86_64
nss-softokn-freebl-devel-3.34.0-2.el7.x86_64
nss-devel-3.34.0-4.el7.x86_64
pki-base-10.5.1-6.el7.noarch
pki-symkey-10.5.1-6.el7.x86_64
pki-server-10.5.1-6.el7.noarch
pki-kra-10.5.1-6.el7.noarch
pki-tks-10.5.1-6.el7pki.noarch
pki-console-10.4.1-7.el7pki.noarch
pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64
nss-softokn-freebl-3.34.0-2.el7.x86_64
nss-util-3.34.0-2.el7.x86_64
jss-4.4.0-11.el7.x86_64
pki-base-java-10.5.1-6.el7.noarch
pki-ca-10.5.1-6.el7.noarch
pki-tps-10.5.1-6.el7pki.x86_64
nss-tools-3.34.0-4.el7.x86_64


Test Cases:
==========

1. With no password mentioned in httpclient config.


HttpClient user-signed/HttpClient-cmc-crmf.self.cfg

Missing nickname for the client certificate



2. When nickname in cmcrequest file doesn't match with httpclient nickname.

[31/Jan/2018:23:44:59][http-bio-20443-exec-3]: CMCUserSignedAuth: verifySignerInfo: SSL client authentication certificate and CMC signer do not match
[31/Jan/2018:23:44:59][http-bio-20443-exec-3]: CMCUserSignedAuth: authenticate: Invalid Credential.:SSL client authentication certificate and CMC signer do not match


With the above-mentioned test cases, this bugzilla is tested and marked as verified.
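As an added example (not part of the bug report and not Dogtag's own code), a small parser over the CA debug log format shown in the test case above. It keys on the "do not match" message that CMCUserSignedAuth emits when the TLS client certificate differs from the CMC signer, and counts one rejection per (timestamp, thread) so the two lines a single rejected request produces (verifySignerInfo, then authenticate) are not double-counted. The two mismatch lines are copied from this comment; the remaining sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# CA debug log layout as seen in the test case:
# [dd/Mon/yyyy:HH:MM:SS][thread]: Class: method: message
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: "
    r"(?P<cls>[A-Za-z0-9_$]+): (?P<method>[A-Za-z0-9_]+): (?P<msg>.*)$"
)

# Message logged by CMCUserSignedAuth when the TLS client auth cert
# and the CMC SignerInfo certificate differ (text taken from the comment above).
MISMATCH_TEXT = "SSL client authentication certificate and CMC signer do not match"


@dataclass
class CmcAuthEvent:
    ts: str
    thread: str
    cls: str
    method: str
    msg: str

    @property
    def is_signer_mismatch(self) -> bool:
        return self.cls == "CMCUserSignedAuth" and MISMATCH_TEXT in self.msg


def parse_line(line: str) -> Optional[CmcAuthEvent]:
    """Parse one debug log line; return None for lines in another format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return CmcAuthEvent(**m.groupdict())


def mismatch_report(lines: List[str]) -> Dict[str, object]:
    """Summarise signer/client-cert mismatches in a batch of log lines.

    'events' counts every mismatch line; 'rejected_requests' collapses the
    lines belonging to one request (same timestamp and worker thread) so a
    single rejection is counted once.
    """
    events = 0
    unparsed = 0
    requests = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev.is_signer_mismatch:
            events += 1
            requests.add((ev.ts, ev.thread))
    return {
        "events": events,
        "rejected_requests": len(requests),
        "threads": sorted(t for _, t in requests),
        "unparsed": unparsed,
    }


def count_signer_mismatches(lines: List[str]) -> int:
    """Number of distinct requests rejected for a signer/client-cert mismatch."""
    return int(mismatch_report(lines)["rejected_requests"])


# First two lines are taken from the test case above; the rest are constructed.
SAMPLE_LOG = [
    "[31/Jan/2018:23:44:59][http-bio-20443-exec-3]: CMCUserSignedAuth: verifySignerInfo: "
    "SSL client authentication certificate and CMC signer do not match",
    "[31/Jan/2018:23:44:59][http-bio-20443-exec-3]: CMCUserSignedAuth: authenticate: "
    "Invalid Credential.:SSL client authentication certificate and CMC signer do not match",
    # constructed: a request that passed the check
    "[31/Jan/2018:23:45:10][http-bio-20443-exec-4]: CMCUserSignedAuth: authenticate: begins",
    # constructed: a second rejected request on another worker thread
    "[31/Jan/2018:23:46:02][http-bio-20443-exec-5]: CMCUserSignedAuth: verifySignerInfo: "
    "SSL client authentication certificate and CMC signer do not match",
    "[31/Jan/2018:23:46:02][http-bio-20443-exec-5]: CMCUserSignedAuth: authenticate: "
    "Invalid Credential.:SSL client authentication certificate and CMC signer do not match",
    # constructed: noise that does not follow the debug log layout
    "not a debug log line",
]

if __name__ == "__main__":
    print(mismatch_report(SAMPLE_LOG))
```

A monitoring job would feed the CA debug log through `mismatch_report` and alert when `rejected_requests` rises, since a user-signed CMC request arriving over a TLS session whose client certificate is not the signer's is exactly the condition this fix makes the CA refuse.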
Comment 16 errata-xmlrpc 2018-04-10 12:58:29 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925
