Bug 1532748 - Unauthorized and Invalid number format Exception during revoked certs usage
Summary: Unauthorized and Invalid number format Exception during revoked certs usage
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-09 17:37 UTC by Geetika Kapoor
Modified: 2020-10-04 21:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-13 20:50:42 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
  Fedora Pagure dogtagpki issue 2894 (last updated 2020-03-13 20:50:42 UTC)
  Github dogtagpki pki issues 3012 (last updated 2020-10-04 21:39:30 UTC)

Description Geetika Kapoor 2018-01-09 17:37:12 UTC
Description of problem:

When I tried to use a revoked certificate, I observed the behavior below.


Issue 1: System, debug and audit logs are not in sync.
Issue 2: We face "Invalid number format".
Issue 3: Since the certificate is revoked, why is it hitting Unauthorized? Unauthorized should not come once we revoke certs. It should come once we change the permissions, like removing the user from a group.

Version-Release number of selected component (if applicable):

10.5

How reproducible:

always
Steps to Reproduce:

Step 1:

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" client-cert-request "cn=testing,uid=testusercert" --profile caUserCert
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: pending
  Operation Result: success

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" cert-request-review 80000012  --action approve
-------------------------------------
Approved certificate request 80000012
-------------------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x8226cb48
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-add test1 --fullName test1
------------------
Added user "test1"
------------------
  User ID: test1
  Full name: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-cert-add test1 --serial 0x8226cb48
--------------------------------------------------------------------------------------------------------------------------------
Added certificate "2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing"
--------------------------------------------------------------------------------------------------------------------------------
  Cert ID: 2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing
  Version: 2
  Serial Number: 0x8226cb48
  Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
  Subject: UID=testusercert,CN=testing
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Certificate Manager Agents" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1
[root@csqa4-guest04 75]# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Administrators" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1

Testing
=====
# pki -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika --fullName geetika
--------------------
Added user "geetika"
--------------------
  User ID: geetika
  Full name: geetika


Step 2: Revoke this certificate.
Step 3: Make sure it is part of your CA's CRL.

CRL:

Certificate revocation list contents

    Certificate Revocation List: 
        Data: 
            Signature Algorithm: SHA512withRSA
            Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
            This Update: Wednesday, January 10, 2018 7:04:47 AM EST America/New_York
            Next Update: Wednesday, January 10, 2018 9:00:00 AM EST America/New_York
            Revoked Certificates: 1-2 of 2
                Serial Number: 0x8226CB48
                Revocation Date: Monday, January 8, 2018 6:01:08 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: Certificate_Hold
                    Identifier: Invalidity Date - 2.5.29.24
                        Critical: no 
                        Invalidity Date: Sat Jan 06 13:30:00 EST 2018
                Serial Number: 0x1D5144C
                Revocation Date: Monday, January 8, 2018 5:17:32 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: CA_Compromise




Step 4: Now try the same testing procedure again.

# pki -v -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika11 --fullName geetika

com.netscape.certsrv.base.PKIException: Unauthorized
    at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
    at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
    at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
    at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)


Debug logs:
=======
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: PKIRealm: Authenticating certificate chain:
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: PKIRealm.getAuditUserfromCert: certUID=UID=testusercert, CN=testing
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: PKIRealm:   UID=testusercert, CN=testing
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: CertUserDBAuth: started
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: CertUserDBAuth: Retrieving client certificate
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: CertUserDBAuth: Got client certificate
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: SignedAuditLogger: event AUTH
[08/Jan/2018:06:03:02][http-bio-28443-exec-20]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Audit logs:
======

0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=testusercert,CN=testing][Outcome=Success] access session establish success
0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [14] [6] [AuditEvent=AUTH][SubjectID=UID=testusercert, CN=testing][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=UID=testusercert, CN=testing] authentication failure
0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=testusercert,CN=testing][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

System logs:
========

0.http-bio-28443-exec-6 - [08/Jan/2018:06:01:34 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-24 - [08/Jan/2018:06:01:44 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-13 - [08/Jan/2018:06:02:06 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-20 - [08/Jan/2018:06:03:02 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-4 - [08/Jan/2018:06:04:09 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-21 - [08/Jan/2018:06:05:43 EST] [3] [3] Servlet caCheckRequest: Invalid number format: 0x8226CB48
0.http-bio-28443-exec-2 - [10/Jan/2018:00:02:10 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.
0.http-bio-28443-exec-17 - [10/Jan/2018:07:03:48 EST] [11] [3] UGSubsystem: Add User To Group netscape.ldap.LDAPException: error result (20)
0.http-bio-28443-exec-14 - [10/Jan/2018:07:04:05 EST] [6] [3] Cannot authenticate agent.  Agent certificate has been revoked.


Certificate status from cli:
=================

pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-cert-show 0x08226cb48
------------------------
Certificate "0x8226cb48"
------------------------
  Serial Number: 0x8226cb48
  Subject DN: UID=testusercert,CN=testing
  Issuer DN: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
  Status: REVOKED
  Not Valid Before: Mon Jan 08 05:49:21 EST 2018
  Not Valid After: Sat Jul 07 05:49:21 EDT 2018
  Revoked On: Mon Jan 08 06:01:08 EST 2018
  Revoked By: caadmin


Actual results:

Why are the system, debug and audit logs not in sync?
We face "Invalid number format".

Expected results:

It should work
Additional info:


devel comments:

<edewata> gkapoor, probably it fails at this code: new BigInteger(requestId);
<edewata> gkapoor, it fails since the requestId is a hex string instead of decimal
<edewata> gkapoor, here's the code: https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java#L281
<edewata> gkapoor, the problem happens because the code is trying to parse a request ID with value 0x8226CB4 as a bigint which expects a decimal value. I'm not sure why it's doing that, that will need further investigation
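The parse failure described in the devel comments, reproduced as an added example (this is not Dogtag's CheckRequest code): `new BigInteger(String)` accepts only base-10 digits, so the hex request ID from the system log is rejected, while a radix-aware parser accepts both forms. The helper names are hypothetical; the value "0x8226CB48" is taken from the system log above, and the decimal form it yields is the same number shown in the page's "Cert ID: 2;2183580488;..." line.

```java
import java.math.BigInteger;

/**
 * Hypothetical helper illustrating the NumberFormatException in this bug.
 * It is not part of the pki code base.
 */
public class RequestIdParsing {

    /** Mirrors the failing call new BigInteger(requestId), which expects decimal digits only. */
    public static boolean parsesAsDecimal(String id) {
        try {
            new BigInteger(id);
            return true;
        } catch (NumberFormatException e) {
            // "0x8226CB48" lands here: 'x' and 'C' are not base-10 digits
            return false;
        }
    }

    /**
     * Tolerant parser: accepts a plain decimal ID or a "0x"-prefixed hex ID.
     * Anything else still raises NumberFormatException, so malformed input is
     * rejected rather than silently mapped to some other request.
     */
    public static BigInteger parseRequestId(String id) {
        if (id == null) {
            throw new NumberFormatException("null request id");
        }
        String s = id.trim();
        if (s.startsWith("0x") || s.startsWith("0X")) {
            return new BigInteger(s.substring(2), 16);
        }
        return new BigInteger(s, 10);
    }

    public static void main(String[] args) {
        String hexId = "0x8226CB48";   // serial as logged by caCheckRequest in this bug
        String decId = "80000012";     // request ID as printed by client-cert-request above
        System.out.println("decimal parse of " + hexId + " succeeds: " + parsesAsDecimal(hexId));
        System.out.println("decimal parse of " + decId + " succeeds: " + parsesAsDecimal(decId));
        System.out.println(hexId + " -> " + parseRequestId(hexId));
        System.out.println(decId + " -> " + parseRequestId(decId));
    }
}
```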

Comment 2 Matthew Harmsen 2018-01-18 19:50:25 UTC
Per PKI Team Meeting of 20180118 moving to RHEL 7.6.

Comment 3 Matthew Harmsen 2018-07-04 00:33:06 UTC
Moved to RHEL 7.7.

