Bug 1541526 - CMC: Revocation works with an unknown revRequest.issuer
Summary: CMC: Revocation works with an unknown revRequest.issuer
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-02 19:27 UTC by Geetika Kapoor
Modified: 2020-10-04 21:40 UTC

Fixed In Version: pki-core-10.5.1-7.el7
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-04-10 17:04:05 UTC
Target Upstream Version:
Embargoed:




Links:
    GitHub dogtagpki/pki issue 3039 (last updated 2020-10-04 21:40:33 UTC)
    Red Hat Product Errata RHBA-2018:0925 (last updated 2018-04-10 17:04:27 UTC)

Description Geetika Kapoor 2018-02-02 19:27:57 UTC
Description of problem:

Originally the certificate is signed by a user whose issuer is "revRequest.issuer=UID=usercert,CN=usercert". Now I wanted to revoke the cert.

I changed the revoke config and added "revRequest.issuer=UID=usercert,CN=usercert1", which is incorrect and doesn't match what is expected.

With this, revocation works. Should it match the issuer with the one who originally issued the cert (as mentioned in LDAP)?

Version-Release number of selected component (if applicable):

10.5

How reproducible:

always

Steps to Reproduce:

1. I have a cert "usercert1" which looks as shown below. I used this cert for the CMC request nick and the HTTP client.

[root@csqa4-guest04 75_cfg_working]# certutil -L -d /root/nssdb_75/ -n "usercert1"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 134560631 (0x8053b77)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs9
            2-CA"
        Validity:
            Not Before: Thu Jan 25 12:19:37 2018
            Not After : Tue Jul 24 11:19:37 2018
        Subject: "UID=usercert,CN=usercert"

2. I sign a certificate using the flow mentioned in https://bugzilla.redhat.com/attachment.cgi?id=1388326 (Test Case 2.2: set cmc.popLinkWitnessRequired=false in CS.cfg and restart).


3. I try to do certificate revocation using the procedure mentioned in https://bugzilla.redhat.com/attachment.cgi?id=1388326 (Test Case 3.4: add the LDAP changes as mentioned in http://pki.fedoraproject.org/wiki/PKI_10.5_CMC_Shared_Token#Example_Enrollment_Procedure).

4. Change the issuer value in the revoke.cfg file. Below is the revocation file.

original: revRequest.issuer=UID=usercert,CN=usercert
new (changed): revRequest.issuer=UID=usercert,CN=usercert1


[root@csqa4-guest04 user-signed]# cat revoke.cfg 
#numRequests: Total number of PKCS10 requests or CRMF requests.
numRequests=1

#output: full path for the CMC request in binary format
output=user-signed/cmc.self.req

#tokenname: name of token where user signing cert can be found (default is internal)
tokenname=internal

#nickname: nickname for user signing certificate which will be used
#to sign the CMC full request.
#nickname=PKI CA Administrator
#nickname=usercert1
#dbdir: directory for cert8.db, key3.db and secmod.db
dbdir=/root/nssdb_75/
#password: password for cert8.db which stores the user signing
#certificate and keys
password=SECret.123

#format: request format, either pkcs10 or crmf
format=pkcs10

## revocation parameters
revRequest.enable=true
revRequest.serial=249744791
revRequest.reason=certificateHold
revRequest.sharedSecret=wonderfulday
revRequest.comment=geetika test revocation
revRequest.issuer=UID=usercert,CN=usercert1

5. Audit logs:

0.http-bio-20443-exec-1 - [30/Jan/2018:06:39:03 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.67.116.21][ServerIP=10.12.28.208][SubjectID=CN=PKI Administrator,E=example,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0.http-bio-20443-exec-10 - [30/Jan/2018:06:39:03 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.67.116.21][ServerIP=10.12.28.208][SubjectID=CN=PKI Administrator,E=example,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0.http-bio-20443-exec-16 - [30/Jan/2018:06:39:04 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success] access session establish success
0.http-bio-20443-exec-16 - [30/Jan/2018:06:39:04 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-16 - [30/Jan/2018:06:39:05 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=UID=usercert,CN=usercert][Outcome=Success][ReqID=50][CertSerialNum=249744791][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=complete] certificate status change request processed
0.http-bio-20443-exec-16 - [30/Jan/2018:06:39:05 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

CA Agent Page:

Request 50

Request
Status: complete
Type: revocation
Unauthenticated Request Attributes
Authenticate Request Attributes (from authentication, policy and other server modules)
revRequest.issuer=UID=usercert,CN=usercert1
cert_info: MCMCBA7izZcXDTE4MDEzMDExMzkwNFowDDAKBgNVHRUEAwoBBg==
requesttype: revocation
requestversion: 1.0.0
requestortype: Agent
updatedby: $Unidentified$
revocationreason: 6
dbstatus: UPDATED
requeststatus: complete
csrrequestorcomments: geetika test revocation
requestid: 50
result: 1
Certificate
Serial number: 0x0ee2cd97
Reason: Certificate_Hold



Actual results:


Expected results:


Additional info:

Comment 5 Geetika Kapoor 2018-02-12 19:12:42 UTC
Test bits:
=========

rpm -qa pki-*
pki-tools-10.5.1-7.el7.x86_64
pki-ca-10.5.1-7.el7.noarch
pki-core-debuginfo-10.5.1-6.1.el7pki.x86_64
pki-javadoc-10.5.1-6.1.el7.noarch
pki-base-10.5.1-7.el7.noarch
pki-symkey-10.5.1-7.el7.x86_64
pki-server-10.5.1-7.el7.noarch
pki-kra-10.5.1-7.el7.noarch
pki-tks-10.5.1-6.1.el7pki.noarch
pki-console-10.5.1-4.el7pki.noarch
pki-base-java-10.5.1-7.el7.noarch
pki-tps-10.5.1-6.1.el7pki.x86_64
pki-ocsp-10.5.1-6.1.el7pki.noarch


Test Case:
=========

If IssuerDN doesn't match
=========================


[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: CMCOutputTemplate: processRevokeRequestControl:  Client and server shared secret are the same, can go ahead and revoke certificate.
[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: In LdapBoundConnFactory::getConn()
[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: masterConn is connected: true
[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: getConn: conn is connected true
[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: getConn: mNumConns now 2
[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: returnConn: mNumConns now 3
[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: CMCOutputTemplate: processRevokeRequestControl: shared secret revocation: checking issuer DN
[12/Feb/2018:13:32:21][http-bio-25443-exec-1]: CMCOutputTemplate: processRevokeRequestControl:  certificate issuer DN and revocation request issuer DN do not match



Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status String:  certificate issuer DN and revocation request issuer DN do not match
   OtherInfo type: FAIL
     failInfo=bad identity
ERROR: CMC status for [1]: failed


Audit logs:
==========

0.http-bio-25443-exec-8 - [12/Feb/2018:13:53:12 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=sslauth,OU=People][Outcome=Success] access session establish success
0.http-bio-25443-exec-8 - [12/Feb/2018:13:53:12 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-25443-exec-8 - [12/Feb/2018:13:53:12 EST] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIG7BgkqhkiG9w0BBwGgga0EgaowgacwgZ4wgZsCAQEGCCsGAQUFBwcRMYGLMIGIMFYxFTATBgNVBAoMDFNFQ3VyZS1Ec09PTzEcMBoGA1UECwwTZ2thcG9vcl9SSENTXzc1X3NzbDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZQIEAcC9ugoBBgQMd29uZGVyZnVsZGF5DBdnZWV0aWthIHRlc3QgcmV2b2NhdGlvbjAAMAAwAA==] CMC request received
0.http-bio-25443-exec-8 - [12/Feb/2018:13:53:12 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIGhQYJKoZIhvcNAQcCoIIGdjCCBnICAQMxDzANBglghkgBZQMEAgMFADB6BggrBgEFBQcMA6BuBGwwajBkMGICAQEGCCsGAQUFBwcZMVMwUQIBAjADAgEBDEQgY2VydGlmaWNhdGUgaXNzdWVyIEROIGFuZCByZXZvY2F0aW9uIHJlcXVlc3QgaXNzdWVyIEROIGRvIG5vdCBtYXRjaAIBBzAAMACgggPoMIID5DCCAsygAwIBAgIEDN0MIDANBgkqhkiG9w0BAQ0FADBTMRIwEAYDVQQKDAlTRUN1cmUtRHMxHDAaBgNVBAsME2drYXBvb3JfUkhDU183NV9zc2wxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTgwMjExMTkxODI5WhcNMzgwMjExMTkxODI5WjBTMRIwEAYDVQQKDAlTRUN1cmUtRHMxHDAaBgNVBAsME2drYXBvb3JfUkhDU183NV9zc2wxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUbstjKcEqIB7YPOGgU6Bc1s2ZpKgnSJTt+tyqoRm/UgyO52HSVn0rjFt7DKXcXj/xPQ6mhIIk8NW9zgU8UqIyx23I8wIk+IkTb9pMGcDIreyZn3plVjBwsKBpvNKq1MFKCHGrvyPOh16xjegY084x0CRzG3nx/iNs6odG14XCwr3x/1YOF9/XkNRaf8bV9hPEr44AWoLxVTHFMPVwj5OBp+4uk02OH4Kqu6qmaq7FTc4gNjS9Owar1/Y6AiN0cycJ8c1T9a/HwQPbDyx65GFMbnvzm0KNrkS/dTmHSN0eByyYpW64GFq4sc4g1z6+lK2xLIhBPq0oOH3/tMgaBk+/AgMBAAGjgb8wgbwwHwYDVR0jBBgwFoAUXsQ1CWyxJDzlBkboOGYcTJWMo0YwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFF7ENQlssSQ85QZG6DhmHEyVjKNGMFkGCCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL2NzcWE0LWd1ZXN0MDQuaWRtLmxhYi5lbmcucmR1LnJlZGhhdC5jb206MjUwODAvY2Evb2NzcDANBgkqhkiG9w0BAQ0FAAOCAQEAVfiTS/RqZvPMk4lj3SYB6Yl1ULrCiSHIa0QUxQNWWwUxSU3LI7+V63bxBkuF+T3Dusc1sRSyooku0+iwNIOoIVbm8KnB6N7Zo/sR8TYVaKcGvU8b1xDzcH5wRZblMETKA8tVC2+P6IaZZnhlZBHjS308qNMbaQUjI/dosumcGMOXZhNGRcX8eoc1J5Ouap/B9piHZ1h4kY5MEBgna6tqIs3FTNDml+a89JrIKklhTvOV41/yMT1SSTTYsUoEhSIq1S06DKHQql9qblp+MHq5p/CDSN5PDDDzsaRCui+iBRHxlKlxK/2J0YABqz5Y8N/adsFP0gp6fD/AlcyLLIv8dDGCAfIwggHuAgEBMFswUzESMBAGA1UECgwJU0VDdXJlLURzMRwwGgYDVQQLDBNna2Fwb29yX1JIQ1NfNzVfc3NsMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlAgQM3QwgMA0GCWCGSAFlAwQCAwUAoGowFwYJKoZIhvcNAQkDMQoGCCsGAQUFBwwDME8GCSqGSIb3DQEJBDFCBEDe5AD14wrjjWfZryulqxF9NV6tzJYqBnmv68EAOx4ueEHBzHLUoMVyT4Ks3MqDAP8Vm7db1ZYq
mU1s/vmoVdPvMA0GCSqGSIb3DQEBDQUABIIBAC8tr3wK1SEvx31QF8w6b03Mr6lJ/j/IjOS1Mvv1tvc+7aSYTqTMTB8W9rUtr5HHoBAeTwlPmLgEs7RoBDiLutUJWpEhYVGK3/uZzCMA20l1l+ATc2UhvZ2JgUHRek4yq0Ik1ZT3fT7FSeSN2i2BeiUdV7Z9V3jT3Dqx2jZS81OAJD7RRPprDXmTS0lcj+zIXXkBpgDT7EG0Ygap/cSE4mh2qNBkKl14ccRALmYlZxHd4mMOlkfZcnjoQ5XlDHiO+a/YhsTFipsVLgU/QRhOeadp+HuaGQdF2rlDhJhfCLZpjhmMBCw8FHmKwsY933oabgXH9PIrPGdjgCrfsCGOTLE=] CMC response sent
0.http-bio-25443-exec-8 - [12/Feb/2018:13:53:12 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=sslauth,OU=People][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated


This works as expected.
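As an added example (not Dogtag's own code), here is a Python model of the check the fixed build performs: the issuer DN carried in the CMC revocation request is parsed and compared with the issuer DN of the certificate on file, and a mismatch is answered with a CMCStatusInfoV2 carrying failInfo badIdentity, as in the debug log and CMC response above. The CERT_RECORD dictionary, the RevokeRequest/CMCStatusInfoV2 classes and the helper names are assumptions; the serial and shared secret are the values from revoke.cfg and the issuer DN is the one from the certutil output.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

def parse_dn(dn: str) -> list:
    """Split an RFC 4514 string DN into normalised (type, value) RDN pairs:
    types and values compared case-insensitively, surrounding whitespace
    dropped, escaped commas kept. Multi-valued RDNs are not modelled."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr_type, _, value = part.partition('=')
        rdns.append((attr_type.strip().lower(), value.strip().replace('\\,', ',').casefold()))
    return rdns

def dn_equal(a: str, b: str) -> bool:
    """Structural DN comparison; RDN order is significant."""
    return parse_dn(a) == parse_dn(b)

@dataclass
class RevokeRequest:            # mirrors the revRequest.* keys in revoke.cfg (assumed model)
    serial: int
    issuer: str
    shared_secret: str
    reason: str

@dataclass
class CMCStatusInfoV2:          # the fields of the CMC response control shown in the log
    status: str                 # "success" or "failed"
    fail_info: Optional[str]    # RFC 5272 failInfo, e.g. "badIdentity"
    status_string: str

# Constructed CA-side record for the certificate being revoked (serial and shared
# secret from revoke.cfg, issuer DN from the certutil output in the report).
CERT_RECORD = {
    "serial": 249744791,
    "issuer": "CN=CA Signing Certificate,OU=gkapoor_RHCS_75,O=Example-rhcs92-CA",
    "shared_secret": "wonderfulday",
}

def process_revoke_request(record: dict, req: RevokeRequest) -> CMCStatusInfoV2:
    """Shared-secret revocation as the fixed build behaves: both the shared secret
    (identity proof) and the issuer DN must match before the certificate is revoked."""
    if not hmac.compare_digest(req.shared_secret.encode(), record["shared_secret"].encode()):
        return CMCStatusInfoV2("failed", "badIdentity", "shared secret does not match")
    if not dn_equal(req.issuer, record["issuer"]):
        return CMCStatusInfoV2("failed", "badIdentity",
                               "certificate issuer DN and revocation request issuer DN do not match")
    return CMCStatusInfoV2("success", None, f"serial {req.serial} revoked ({req.reason})")
```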

Comment 7 errata-xmlrpc 2018-04-10 17:04:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

