Bug 1469432 - CMC plugin default change
Summary: CMC plugin default change
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Duplicates: 1470948
Depends On: 1466486
Blocks: CVE-2017-7537
Reported: 2017-07-11 09:25 UTC by Jaroslav Reznik
Modified: 2017-08-01 11:31 UTC

Fixed In Version: pki-core-10.4.1-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1466486
Environment:
Last Closed: 2017-08-01 11:31:47 UTC
Target Upstream Version:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2335 0 normal SHIPPED_LIVE Moderate: pki-core security update 2017-08-01 15:27:31 UTC

Description Jaroslav Reznik 2017-07-11 09:25:24 UTC
This bug has been copied from bug #1466486 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 7 Dhiru Kholia 2017-07-21 10:40:57 UTC
*** Bug 1470948 has been marked as a duplicate of this bug. ***

Comment 8 Geetika Kapoor 2017-07-25 11:56:56 UTC
Test Build:
==========
rpm -qa pki-*
pki-console-10.4.1-5.el7pki.noarch
pki-javadoc-10.4.1-11.el7.noarch
pki-symkey-10.4.1-11.el7.x86_64
pki-tools-10.4.1-11.el7.x86_64
pki-base-10.4.1-11.el7.noarch
pki-kra-10.4.1-11.el7.noarch
pki-server-10.4.1-11.el7.noarch
pki-ocsp-10.4.1-10.el7pki.noarch
pki-base-java-10.4.1-11.el7.noarch
pki-ca-10.4.1-11.el7.noarch
pki-tps-10.4.1-10.el7pki.x86_64
pki-tks-10.4.1-10.el7pki.noarch
pki-core-debuginfo-10.4.1-11.el7.x86_64


Test Cases:
-----------

Test Case 1:
===========
When cmc.revokeCert.sharedSecret.class and cmc.sharedSecret.class are not present in CS.cfg

1. Install CA with new bits, i.e. pki-ca-10.4.1-11.el7.noarch.
2. Verified that by default CS.cfg doesn't have:
cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
3. Perform one CMC test and see how it works if the above two properties are missing from the CA's CS.cfg.

<snip output>
Number of controls is 1
Control #0: CMCStatusInfo
   OID: {1 3 6 1 5 5 7 7 1}
   BodyList: 0 
   Status String: Proof-of-Identification Verification Failed after verifyIdentityProofV2
   OtherInfo type: FAIL
</snip output>

Test Case 2: Add the two properties manually in CS.cfg and restart CA.
===========

1. Add the two properties manually in CS.cfg and make sure CMC tests worked.
2. Features tested and verified as part of this testing:

-- User-signed CMC requests Example (with PopLinkWitnessV2)
-- Self-Signed CMC Request Example (with IdentityProofV2)
-- User-signed CMC request Without POP (Encrypted POP / Decrypted POP)
-- User-Signed CMC Renewal Request

I have tried to cover basic sanity testing for CMC. Please revert if you think there is any other test case I need to cover as part of this testing.
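
The check in step 2 of Test Case 1, as an added example that is not part of the bug report or of pki-core: a shell helper that reports whether the two properties are active in a given CS.cfg, ignoring commented-out lines. The function names, the temporary sample files and the `example.unrelated.key` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a CS.cfg for the two CMC shared-secret plugin
# properties named in Test Case 1. The file path is supplied by the caller.

# Print the value of the last active KEY=VALUE line for KEY in FILE.
# Exit status 0 if the key is set, 1 if it is absent or only commented out.
cmc_prop_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            if (k == key) {
                v = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", v)
                found = 1
            }
        }
        END {
            if (!found) exit 1
            print v
        }
    ' "$1"
}

# Print "absent", "partial" or "present" for the pair of properties in FILE.
cmc_shared_secret_state() {
    n=0
    for key in cmc.revokeCert.sharedSecret.class cmc.sharedSecret.class; do
        if cmc_prop_value "$1" "$key" >/dev/null; then n=$((n + 1)); fi
    done
    case $n in
        0) echo absent ;;
        2) echo present ;;
        *) echo partial ;;
    esac
}

# Constructed sample files (not real CA configuration).
tmp=$(mktemp -d)
cls=com.netscape.cms.authentication.SharedSecret
printf '%s\n' 'example.unrelated.key=value' \
    "# cmc.sharedSecret.class=$cls" > "$tmp/default.cfg"
printf '%s\n' "cmc.revokeCert.sharedSecret.class=$cls" \
    "cmc.sharedSecret.class = $cls" > "$tmp/enabled.cfg"
echo "default: $(cmc_shared_secret_state "$tmp/default.cfg")"
echo "enabled: $(cmc_shared_secret_state "$tmp/enabled.cfg")"
```

A "partial" result means only one of the two properties is set, which matches neither test case above and is worth correcting before running CMC tests.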

Comment 11 Geetika Kapoor 2017-07-26 04:10:27 UTC
Marking bug as verified.

Comment 13 errata-xmlrpc 2017-08-01 11:31:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2335