Bug 1466486 - CMC plugin default change
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
All Linux
Priority: urgent
Severity: urgent
Assigned To: Christina Fu
Asha Akkiangady
Marc Muehlfeld
: ZStream
Blocks: 1469432
Reported: 2017-06-29 14:46 EDT by Christina Fu
Modified: 2018-02-26 20:08 EST
Doc Type: No Doc Update
Type: Bug

Comment 11 Geetika Kapoor 2018-01-31 06:24:38 EST
Earlier we tested it using:

I think this is no longer valid because we don't have a fixed passphrase.
Please suggest if I need to look into something else in this bugzilla.
Comment 12 Geetika Kapoor 2018-01-31 14:01:37 EST
A quick test is:

1. Enable identityproofv2.
2. Set witness.sharedsecret=testing
This is the old one, which doesn't resemble the original passphrase value set during the CMCSharedToken CLI.
3. Run CMCRequest and the httpclient.
4. Check the debug logs:

[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.getSharedToken(String identification):  got entryShrTok
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.decryptShrTokData: wrapped session key retrieved
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.decryptShrTokData: wrapped passphrase retrieved
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SharedSecret.getSharedToken(String identification): returning
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: returnConn: mNumConns now 5
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyDigest: in verifyDigest: hashAlg=SHA-512 Message Digest from Mozilla-JSS, <initialized>
; macAlg=SHA-512 Message Digest from Mozilla-JSS, <initialized>

[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyDigest:  The content of two HMAC digest are not the same.
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyIdentityProofV2: IdentityProofV2 failed to verify
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile:verifyIdentityProofV2:  Failed with Exception: IdentityProofV2 failed to verify
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: SignedAuditLogger: event CMC_PROOF_OF_IDENTIFICATION
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: EnrollProfile: parseCMC:  after verifyIdentityProofV2
[31/Jan/2018:13:49:26][http-bio-20443-exec-16]: ProfileSubmitCMCServlet: after createRequests - Proof-of-Identification Verification Failed after verifyIdentityProofV2

5. Result:

During Identity proof verification it failed.

6. For a correct value of witness, output looks like:

[31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile:verifyIdentityProofV2: identity verified. Updating auditSubjectID
[31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile:verifyIdentityProofV2: updated auditSubjectID is:user2@#$%
[31/Jan/2018:13:50:45][http-bio-20443-exec-22]: SignedAuditLogger: event CMC_PROOF_OF_IDENTIFICATION
[31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile: parseCMC: passed verifyIdentityProofV2; Proof of Identity successful;
[31/Jan/2018:13:50:45][http-bio-20443-exec-22]: EnrollProfile: parseCMC: found numOfOtherMsgs: 0
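
Why the stale witness.sharedsecret in step 2 ends in "The content of two HMAC digest are not the same": a sketch of the Identity Proof Version 2 check as RFC 5272 defines it, where the witness is an HMAC over the request sequence keyed with a hash of the shared secret. This is an added example, not Dogtag's code and not part of the comment above; the function names, the UTF-8 passphrase encoding, the enrolled passphrase and the request bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac


def compute_witness(shared_secret: str, req_sequence: bytes,
                    hash_alg: str = "sha512", mac_alg: str = "sha512") -> bytes:
    """Client side: key = hash(shared secret); witness = HMAC(key, reqSequence)."""
    # Encoding the passphrase as UTF-8 is an assumption of this sketch.
    key = hashlib.new(hash_alg, shared_secret.encode("utf-8")).digest()
    return hmac.new(key, req_sequence, mac_alg).digest()


def verify_identity_proof_v2(enrolled_secret: str, req_sequence: bytes,
                             witness: bytes, hash_alg: str = "sha512",
                             mac_alg: str = "sha512") -> bool:
    """Server side: recompute the witness from the enrolled secret and compare."""
    expected = compute_witness(enrolled_secret, req_sequence, hash_alg, mac_alg)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, witness)


# Constructed sample values (not taken from a real CA or request).
ENROLLED_SECRET = "constructed-enrolled-passphrase"  # what the CA has stored
STALE_SECRET = "testing"  # the witness.sharedsecret value used in step 2
REQ_SEQUENCE = b"constructed bytes standing in for the DER-encoded reqSequence"


def run_scenarios() -> dict:
    """Return the verification outcome for three client situations."""
    good = compute_witness(ENROLLED_SECRET, REQ_SEQUENCE)
    stale = compute_witness(STALE_SECRET, REQ_SEQUENCE)
    return {
        # Client and CA hold the same passphrase: digests agree.
        "matching_secret": verify_identity_proof_v2(ENROLLED_SECRET, REQ_SEQUENCE, good),
        # Client still uses the old value: the two HMAC digests differ.
        "stale_secret": verify_identity_proof_v2(ENROLLED_SECRET, REQ_SEQUENCE, stale),
        # Right passphrase, but the request changed after the witness was made.
        "altered_request": verify_identity_proof_v2(ENROLLED_SECRET, REQ_SEQUENCE + b"\x00", good),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'identity verified' if ok else 'failed to verify'}")
```

The SHA-512 defaults mirror the hashAlg and macAlg values in the debug log of step 4.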
