Bug 1548124 - CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database
Summary: CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1550581
TreeView+ depends on / blocked
 
Reported: 2018-02-22 19:15 UTC by Geetika Kapoor
Modified: 2018-10-30 11:06 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
: 1550581 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:05:27 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3195 None None None 2018-10-30 11:06:49 UTC

Description Geetika Kapoor 2018-02-22 19:15:31 UTC
Description of problem:

Test Case  1:
============

1. I have RSA CA configured.
2. I have one EC CA configured.

Question: Will cert usage will be same for both RSA CA and ECC CA? I see SSLServer in ecc cert usage.
--------

# pki -d /var/lib/pki/gkapoor_RHCS_75_ecc/alias --token NHSM6000-OCS client-cert-validate "NHSM6000-OCS:caSigningCert cert-gkapoor_RHCS_75_ecc CA"  --certusage CheckAllUsages
Enter password for NHSM6000-OCS

Cert has the following usages: SSLServer,SSLClient,SSLCA,EmailSigner,EmailRecipient,UserCertImport,VerifyCA,ProtectedObjectSigner,StatusResponder,AnyCA


# pki -d /var/lib/pki/gkapoor_RHCS_75_ssl/alias --token NHSM6000-OCS client-cert-validate "NHSM6000-OCS:caSigningCert cert-gkapoor_RHCS_75_ssl CA"  --certusage CheckAllUsages
Enter password for NHSM6000-OCS

Cert has the following usages: SSLClient,SSLCA,EmailSigner,UserCertImport,VerifyCA,ProtectedObjectSigner,StatusResponder,AnyCA


Test Case 2: --> Seeing issue
============

When Signature Algorithm: SHA384withEC - 1.2.840.10045.4.3.3 i.e RootCA is "ECC".Signing CMC Certs is not working with RootCA as ECC.
ExternalCA with ecc is currently not working: https://bugzilla.redhat.com/show_bug.cgi?id=1544843

1. I have RootCA ECC setup.
2. I try to sign certificate using that instance. I create pkcs10client request like:

PKCS10Client -d  /root/ssl_cert_ecc -p SECret.123 -n "cn=Test75z1ecc, uid=Testing" -a ec -c nistp256 -o user-signed/pkcs10.req.ecc

3. we use CMCResponse.
4. Now we sent HttpClient request.

I see below message.With same request when send to RSA CA, it works fine with same CMCrequest.

ECC setup:

[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: start checking signature
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: found signing cert... verifying
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: verifySignerInfo: ssl client cert principal and cmc signer principal match
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: signing key alg=EC
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: verifying signature with public key
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: finished checking signature
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: ProfileSubmitCMCServlet: authenticate: Invalid Credential.
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: SignedAuditLogger: event AUTH
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCOutputTemplate: getContentInfo: begins
[21/Feb/2018:07:40:38][http-bio-20443-exec-3]: CMCOutputTemplate: getContentInfo:  - done
[21/Feb/2018:07:40:38][http-bio-20443-exec-3]: SignedAuditLogger: event CMC_RESPONSE_SENT
[21/Feb/2018:07:40:38][http-bio-20443-exec-3]: ProfileSubmitCMCServlet: authentication error Invalid Credential.

 Exception:
===========
CMCAuth: org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

RFC Details:
============

Below information is provided so that during testing this can be used for creating more test cases and for reference purpose.

snip of cmc response using ASN.1 JavaScript decoder:
 ====================================================
 SEQUENCE(2 elem)
 OBJECT IDENTIFIER1.2.840.10045.4.3.3 ecdsaWithSHA384(ANSI X9.62 ECDSA algorithm with SHA384)
 NULL
 OCTET STRING(1 elem)

 RFC https://tools.ietf.org/html/rfc7427 says:
 =============================================
 for this OID parameters are absent while here we are setting NULL.
 A.3.3.  ecdsa-with-sha384
    ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
    Parameters are absent.
    Name = ecdsa-with-sha384, oid = 1.2.840.10045.4.3.3
    Length = 12
    0000: 300a 0608 2a86 48ce 3d04 0303
 NULL if no parameters
    are specified.  If the algorithm specification says
    "preferredAbsent", then the entire optional parameters object is
    missing.


Test Case 3: Works
===========

Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13 i.e when RootCA is RSA.

SEQUENCE(2 elem)
OBJECT IDENTIFIER1.2.840.113549.1.1.13sha512WithRSAEncryption(PKCS #1)
NULL

Even this has NULL but validation works because RFC says:

sha512WithRSAEncryption

   sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }

   Parameters are required, and they must be NULL.

   Name = sha512WithRSAEncryption, oid = 1.2.840.113549.1.1.13
   Length = 15
   0000: 300d 0609 2a86 4886 f70d 0101 0d05 00

Signing for ECC and RSA both works.


Version-Release number of selected component (if applicable):

10.5

How reproducible:

always

Steps to Reproduce:
1.Configure RootCA with ECC
2.Follow the same procedure as mentioned in Examples (User Certificates -EC) 
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_EC_cmc_request

Actual results:

Seeing error : [21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Expected results:

No Error should occour

Additional info:


CMCResponse with ECC setup 

MIIEgAYJKoZIhvcNAQcCoIIEcTCCBG0CAQMxDzANBglghkgBZQMEAgIFADBJBggr
BgEFBQcMA6A9BDswOTAzMDECAQEGCCsGAQUFBwcZMSIwIAIBAjADAgEADBNJbnZh
bGlkIENyZWRlbnRpYWwuAgECMAAwAKCCArUwggKxMIICNKADAgECAgNw5QAwDAYI
KoZIzj0EAwMFADBfMR4wHAYDVQQKDBVFeGFtcGxlLXJoY3M5Mi1DQS1lY2MxHDAa
BgNVBAsME2drYXBvb3JfUkhDU183NV9lY2MxHzAdBgNVBAMMFkNBIFNpZ25pbmcg
Q2VydGlmaWNhdGUwHhcNMTgwMjIxMTIxNDM5WhcNMzgwMjIxMTIxNDM5WjBfMR4w
HAYDVQQKDBVFeGFtcGxlLXJoY3M5Mi1DQS1lY2MxHDAaBgNVBAsME2drYXBvb3Jf
UkhDU183NV9lY2MxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwdjAQ
BgcqhkjOPQIBBgUrgQQAIgNiAASVpQU1zW7Ed60SsrssXM9iz2Nsgc43VRqDZY+z
SaQkhemWYeaXvH4qc1HdPqAnqrmsU8kAA+tWYLxOHLajT3dJJjFW43Xci5KyBmfZ
N2WEsT47BLfY5iBV7DnoVj0CciCjgb8wgbwwHwYDVR0jBBgwFoAUT3KQ05qy7wnn
cOptEOaFlQDu/c0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYD
VR0OBBYEFE9ykNOasu8J53DqbRDmhZUA7v3NMFkGCCsGAQUFBwEBBE0wSzBJBggr
BgEFBQcwAYY9aHR0cDovL2NzcWE0LWd1ZXN0MDQuaWRtLmxhYi5lbmcucmR1LnJl
ZGhhdC5jb206MjAwODAvY2Evb2NzcDAMBggqhkjOPQQDAwUAA2kAMGYCMQD1vCk4
dPNeY5W0tZR5jFI1miTwcrMn6PntryDiDXx1kYOEVVdR1W5c30YucbxOYT4CMQDn
nNRBq9FgLM5Y3e4dBjt2Uc02pdk8c7lYSoj5m1Fc2vRD4ZgaWemSE3An1tSFG9Ix
ggFRMIIBTQIBATBmMF8xHjAcBgNVBAoMFUV4YW1wbGUtcmhjczkyLUNBLWVjYzEc
MBoGA1UECwwTZ2thcG9vcl9SSENTXzc1X2VjYzEfMB0GA1UEAwwWQ0EgU2lnbmlu
ZyBDZXJ0aWZpY2F0ZQIDcOUAMA0GCWCGSAFlAwQCAgUAoFowFwYJKoZIhvcNAQkD
MQoGCCsGAQUFBwwDMD8GCSqGSIb3DQEJBDEyBDDz3J+ci8RVoc36YILiO3kWXQ17
vy+SliNSX9ZHJ+WYiAodo+4VG0kgXH2yCIfhO0AwDAYIKoZIzj0EAwMFAARnMGUC
MQCiFlFNKIsujL11jUUhsEP0m3FThVX87kyKe0oP/qmArDj/BAYstUB5QnX79ghK
JkUCMHWY6u484eyyrOVu5W8sm2+OUkWdt0McprNnVEc7Ia0EEqSE1K2oRCyDkF/2
F5w8Gw==

Comment 2 Christina Fu 2018-02-26 23:23:17 UTC
https://review.gerrithub.io/#/c/401515/

Comment 3 Christina Fu 2018-02-27 18:10:54 UTC
Some basic test scenarios:

Agent signed (CMCAuth):
a. Sign cmc request with agent cert that's expired
b. Sign cmc request with agent cert that's signed by an unknown (untrusted) CA
( I don't expect any of the above to pass SSL client authentication)
c. Sign cmc request with agent cert that's revoked
(depending on the configuration, revoked ssl client cert might have been caught at ssl client auth as well; but failing that, I believe agent auth checks that; please confirm and document the behavior)

User signed (CMCUserSignedAuth):
a. Sign cmc request with user cert that's expired
b. Sign cmc request with user cert that's signed by an unknown (untrusted) CA
(I don't expect any of the above to pass SSL client authentication)
c. Sign cmc request with user cert that's revoked
(depending on the configuration, revoked ssl client cert might have been caught at ssl client auth as well; but failing that, CMCUserSignedAuth checks that; please confirm and document the behavior)

Comment 4 Christina Fu 2018-02-28 17:00:40 UTC
https://pagure.io/dogtagpki/issue/2949#comment-496497

cherry-picked to DOGTAG_10_5_BRANCH

Comment 8 Geetika Kapoor 2018-08-17 19:59:07 UTC
Test Env:
 
rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch


Test case:

CMCUserSignedAuth works as expected without issues.

Comment 10 errata-xmlrpc 2018-10-30 11:05:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195


Note You need to log in before you can comment on or make changes to this bug.