Bug 1469447 - CC: CMC: check HTTPS client authentication cert against CMC signer
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
7.4
All Linux
urgent Severity urgent
Assigned To: Christina Fu
Asha Akkiangady
Petr Bokoc
: ZStream
Depends On: 1460764
Blocks: 1518175
Reported: 2017-07-11 05:44 EDT by Jaroslav Reznik
Modified: 2017-11-28 06:25 EST (History)
Fixed In Version: pki-core-10.4.1-12.el7_4
Doc Type: Enhancement
Doc Text:
This enhancement adds an SSL client authentication certificate check against the CMC signer for CMC requests.
Clone Of: 1460764
: 1518175 (view as bug list)
Last Closed: 2017-09-05 07:25:02 EDT

Attachments (Terms of Use)
Test_combinations (9.77 KB, application/vnd.oasis.opendocument.spreadsheet)
2017-08-23 07:04 EDT, Geetika Kapoor

Description Jaroslav Reznik 2017-07-11 05:44:11 EDT
This bug has been copied from bug #1460764 and has been proposed to be backported to 7.4 z-stream (EUS).
Comment 3 Geetika Kapoor 2017-08-23 07:03:12 EDT
Test build:
------------
rpm -qa pki-ca
pki-ca-10.4.1-12.el7_4.noarch

Test case 1: Testing done for HttpClient enabled with client mode and secure port.
Test case 2: Testing for test case 1 above with self-signed is done.
Test case 3: Testing for test case 1 above with user-signed is done.
Test case 4: Testing is done for different combinations and attached in Excel (Test_combinations).

Test Steps:
==========

1. Follow the steps mentioned in https://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#User-Signed_CMC_Renewal_Request.
2. Run PKCS10Client -d . -p SECret.123 -n "cn=Test74z4,uid=letstest" -o user-signed/pkcs10.req

Make sure it is successful and the output looks like:

Keypair private key id: 4ee9aee7bfffc155c798475e57d6c86653e21ef4

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

3. Replace the private key in the cmc file with the one generated above.
4. Run the cmc file using CMCRequest.
5. Run HttpClient.
6. Check using CMCResponse that a correct response is generated.
7. Go to the CA Agent page and see that a certificate is generated.
8. Make sure that the newly signed certificate which gets created has:

AKI of newly signed certificate (c1) == user signing certificate AKI (c2) == SKI of CA cert used to sign c2
Comment 4 Geetika Kapoor 2017-08-23 07:04 EDT
Created attachment 1317058 [details]
Test_combinations
Comment 6 errata-xmlrpc 2017-09-05 07:25:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2575
