Bug 1469447 - CC: CMC: check HTTPS client authentication cert against CMC signer
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Christina Fu
Asha Akkiangady
Petr Bokoc
: ZStream
Depends On: 1460764
Blocks: 1518175
Reported: 2017-07-11 05:44 EDT by Jaroslav Reznik
Modified: 2017-11-28 06:25 EST

See Also:
Fixed In Version: pki-core-10.4.1-12.el7_4
Doc Type: Enhancement
Doc Text:
This enhancement adds an SSL client authentication certificate check against the CMC signer for CMC requests.
Story Points: ---
Clone Of: 1460764
: 1518175
Last Closed: 2017-09-05 07:25:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Test_combinations (9.77 KB, application/vnd.oasis.opendocument.spreadsheet)
2017-08-23 07:04 EDT, Geetika Kapoor

Description Jaroslav Reznik 2017-07-11 05:44:11 EDT
This bug has been copied from bug #1460764 and has been proposed to be backported to 7.4 z-stream (EUS).
Comment 3 Geetika Kapoor 2017-08-23 07:03:12 EDT
Test build:
rpm -qa pki-ca

Test case 1: Testing done for HttpClient enabled with client mode and secure port.
Test case 2: Testing for the above test case 1 with self-signed is done.
Test case 3: Testing for the above test case 1 with user-signed is done.
Test case 4: Testing is done for different combinations and attached in Excel (Test_combinations).

Test Steps:

1. Follow steps mentioned in https://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#User-Signed_CMC_Renewal_Request. 
2. Run PKCS10Client -d . -p SECret.123 -n "cn=Test74z4,uid=letstest"  -o user-signed/pkcs10.req

Make sure it is successful; the output should look like:

Keypair private key id: 4ee9aee7bfffc155c798475e57d6c86653e21ef4


3. Replace private key generated above into the cmc file.
4. Run the cmc file using CMCRequest.
5. Run HttpClient.
6. Check using CMCResponse that a correct response is generated.
7. Go to the CA Agent page and see that a certificate is generated.
8. Make sure that the newly signed certificate which gets created has:

AKI of newly signed certificate (c1) == user signing certificate AKI (c2) == SKI of CA cert used to sign c2
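
The identifier comparison in step 8, as an added example that is not part of the bug report or of pki-core: it parses `openssl x509 -noout -text` dumps of c1, c2 and the CA certificate and checks AKI(c1) == AKI(c2) == SKI(CA). The function names and the sample dumps and key identifiers are constructed for illustration.

```python
import re

# OpenSSL 1.x prints the AKI as "keyid:AA:BB:..."; 3.x omits the "keyid:" prefix.
HEX_ID = re.compile(r"^(?:keyid:)?((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})$")

def key_id(text, kind):
    """Key identifier under 'X509v3 <kind> Key Identifier' as lowercase hex, else None."""
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if line.startswith(f"X509v3 {kind} Key Identifier"):
            m = HEX_ID.match(lines[i + 1])
            return m.group(1).replace(":", "").lower() if m else None
    return None

def check_step8(c1_text, c2_text, ca_text):
    """Return (ok, ids); ok is True only if all three identifiers exist and are equal."""
    ids = {
        "c1 AKI": key_id(c1_text, "Authority"),
        "c2 AKI": key_id(c2_text, "Authority"),
        "CA SKI": key_id(ca_text, "Subject"),
    }
    ok = None not in ids.values() and len(set(ids.values())) == 1
    return ok, ids

def make_dump(ski, aki, new_style=False):
    """Build a constructed excerpt of `openssl x509 -noout -text` output."""
    prefix = "" if new_style else "keyid:"
    return (
        "        X509v3 extensions:\n"
        "            X509v3 Authority Key Identifier: \n"
        f"                {prefix}{aki}\n"
        "\n"
        "            X509v3 Subject Key Identifier: \n"
        f"                {ski}\n"
    )

# Constructed key identifiers (not taken from the bug report).
CA_SKI = "A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4"
C2_SKI = "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"
C1_SKI = "55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88"

CA = make_dump(CA_SKI, CA_SKI)                   # self-signed CA: AKI is its own SKI
C2 = make_dump(C2_SKI, CA_SKI)                   # user signing certificate
C1 = make_dump(C1_SKI, CA_SKI, new_style=True)   # newly issued certificate
C1_SELF_SIGNED = make_dump(C1_SKI, C1_SKI)       # AKI points at itself, not the CA

if __name__ == "__main__":
    for name, cert in (("issued by CA", C1), ("self-signed", C1_SELF_SIGNED)):
        ok, ids = check_step8(cert, C2, CA)
        print(name, "PASS" if ok else "FAIL", ids)
```

To use it on real certificates, pass the text produced by `openssl x509 -noout -text -in <cert>` for each of the three certificates.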
Comment 4 Geetika Kapoor 2017-08-23 07:04 EDT
Created attachment 1317058
Comment 6 errata-xmlrpc 2017-09-05 07:25:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

