Bug 1572432 - AuditVerify failure due to line breaks
Summary: AuditVerify failure due to line breaks
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1595606
Reported: 2018-04-27 01:45 UTC by Asha Akkiangady
Modified: 2020-10-04 21:43 UTC (History)

Fixed In Version: pki-core-10.5.9-2.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1595606
Environment:
Last Closed: 2018-10-30 11:07:04 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 3121 0 None None None 2020-10-04 21:43:34 UTC
Red Hat Product Errata RHBA-2018:3195 0 None None None 2018-10-30 11:08:05 UTC

Description Asha Akkiangady 2018-04-27 01:45:28 UTC
Description of problem:
AuditVerify failed because the audit log entry right before the failed one contains line breaks, which confused the AuditVerify tool.

Version-Release number of selected component (if applicable):
pki-ca-10.5.1-11.el7.noarch
pki-tools-10.5.1-11.el7.x86_64

How reproducible:


Steps to Reproduce:
Retrieve the audit log file as an auditor user and verify signed audit logs as described in http://www.dogtagpki.org/wiki/Verifying_Signed_Audit_Logs
1. The audit file has these entries where the failure occurred:
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: wZgV7M+H3xHhOAJvhTpUMKzxVMlfwwHqQyf/SCTyvcUUOyLZWlhzI9idtYqK4g5LC5qDFtjbB4MM2QWpW2rt3pA/TW+qhSay1oe1VisLpVVZOLKNFQBudH5MExu+iG/zdxOyaWvcISr79x82Zeo/MhjjX4gffVcSlCmoKu6qThT3svcMEMV+O4ls5cYgWsPQEivGW/KsB9bGepdwEJgEKLLiyBYk2kpatrMCike4p8cSG6sYYMHIQwF1q/PV0bJ0SmkqXDHKk7NdOBNG2tSiPPqBrdx7rCcZIHbIc830yA/yR1qqUIsKEW22Ey3T7SuMhOBYPAwH+f8FahLrMAQ7wg==
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.addUserCert] authorization success
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Failure][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;CAadminV+cert;;-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIEDYETuDANBgkqhkiG9w0BAQ0FADBdMRYwFAYDVQQKEw1F^M
eGFtcGxlLVN1YkNBMSIwIAYDVQQLExlyaGNzOTMtVE1TLVN1YkNBLWFha2tpYW5n^M
MR8wHQYDVQQDExZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4MDQxMTE4NDY0^M
MVoXDTE4MTAwODE4NDY0MVowLjEYMBYGCgmSJomT8ixkAQEMCENBYWRtaW5WMRIw^M
EAYDVQQDDAlDQSBhZG1pblYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB^M
AQDBBeFrOvzADtc3uQc9m8/QchamqaaUYZdsTIBt9ODz2JpccV1CaWpWZ5tpPPnu^M
o0bp17g4yTGAPNXTa75IiIU2EEWk98ZLLMJmPLdLuxJZbBIZaLADXLiW17FOC1ab^M
+XPynJujU85d/3O6PgWpLaD335zmBpEBWS8Ldcwl/gu9ls9i8q5URMWYvNT8SzI3^M
Axu4YUdDP8433sGNO9vFlMx+tUW1g1ID3hRZsJjPkCCImVBZMorqRtXM1eYl1caX^M
p60mmKj7DXGh6KE4Fnd4rYPGZs/fBEWtoWqI34M2KLfLx2Srw8QMn1gjT3lhygTH^M
TG1VkffMY5mbxZuUv1RHc9lhAgMBAAGjgaYwgaMwHwYDVR0jBBgwFoAUK4Bfo2u6^M
SW0p6q58dlNCXxOVw30wUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUFBzABhjVodHRw^M
Oi8vY3NxYTEuaWRtLmxhYi5lbmcucmR1LnJlZGhhdC5jb206MzEwODAvY2Evb2Nz^M
cDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME^M
MA0GCSqGSIb3DQEBDQUAA4IBAQANqT1giWsXRgZTikEAhoNuDtI/3JJol8EIT515^M
BX7T0F9h7MhV3un4InXjLH3dz/DYporkSNnFc/vj/jIn1s6+5M5qS5kb9Dtm1hcz^M
Y2TdMdeXk5zR/Vjlz7FCpMs75Zepozmlyo6vjs4zZb0bu1ESB5++iRBpa8Vin3yv^M
hTHokz2fWzeFcTyzO/CrBzUE/FEZ+1qMXHQzhEp8LAKluOEDVJIhI4q0s8k/HgB6^M
cFElkiG2SBzHf0Tdt3vjMd1NzV/OMPYhS0867AKJa7jfwS8nStD5toNxiAdLyL+V^M
o1JlodHf7L69WzFnPtYzcS1Ej5cv77xNJ43z94lCqcNvximv^M
-----END CERTIFICATE-----] role configuration parameter(s) change
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: EnvUJBvTSjCLnnXPHy8ImYHU8dRWiXH8pi+GUIu5Xp2XQ5BTuV2rIysNGUSfZwBKCJKa/hvhGvYh+toyk1ZU1pJHzOFsJZ0Vjxsm9fGH+5sUWMLLbCT/kJTmko2MxDQxY0o/dBt7PSACoArNFZvEZa8711up6Ds55V7dMxDgI27vR02hldW6FjQAMK9roi0xrJDh3DgfpaO33L7My+BxrIcH2TSLKHdCfoIveDLMJx2VY7grhkP/qD40etMk50oVKM0dgYFWcBd9EytDWigGaa/HgED2pxpUaZUtZaHmDzc7ouZwBJa9PeZ5XbZxSnRr1gvU6HQichgMEy5hpctiNA==
0.http-bio-31443-exec-25 - [11/Apr/2018:14:50:56 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.1][ServerIP=10.12.28.1][SubjectID=CN=PKI Administrator,E=example,OU=rhcs93-TMS-SubCA-aakkiang,O=Example-SubCA][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0./var/lib/pki/rhcs93-TMS-SubCA-aakkiang/logs/ca/signedAudit/ca_audit.flush-4 - [11/Apr/2018:14:51:00 EDT] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: dG5jAYj9TVNWhzFn2squJ0MC5o/9az62IG2ZycYAZXogB3jNm3oY94VxyV1PkbMwp9IcQ7qD/nQ/92aoGqLllOqWK+uQutKF+qgO1V9no/P2dQMMa4229GgYZ+b40WCSrtKfzaOWRW5vp3G4BXaEUecW79LD7jiwqmpRbm3i1ih7cumTY/8DuE5aWQKuHM6SKCyhL9/m2iUnEB4JG64uMwR8rlI4IWPlpwzgyYl+naSmJWCSBn5FUIH3Rm3A28tMaiUi/X5U+Yqz6zNAgdmVos5XNtXqAJazgtTtFSzqkpqauISMDKxV3ym+YRSCEPQl613rsKPGh+ryMoP1nzMT1w==


2. $ AuditVerify -d . -n "CA Audit Signing Certificate" -a audit.txt 
Enter password for NSS FIPS 140-2 User Private Key

======
File: ca_audit
======
Line 1964: VERIFICATION FAILED: signature of ca_audit:1940 to ca_audit:1963
Line 1997: VERIFICATION FAILED: signature of ca_audit:1973 to ca_audit:1996
Line 2044: VERIFICATION FAILED: signature of ca_audit:2020 to ca_audit:2043
Line 2793: VERIFICATION FAILED: signature of ca_audit:2769 to ca_audit:2792

Verification process complete.
Valid signatures: 817
Invalid signatures: 4


Actual results:
AuditVerify tool got confused due to the line breaks and failed.

Expected results:
AuditVerify should be successful.

Additional info:

Comment 2 Asha Akkiangady 2018-04-27 01:52:35 UTC
Audit log entry right before the failed one is AuditEvent=CONFIG_ROLE, which contains a b64 cert that's got line breaks and confused the AuditVerify tool.

Comment 3 Matthew Harmsen 2018-04-27 02:22:21 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.5.z

cfu: required for CC

Comment 6 Christina Fu 2018-06-25 18:22:15 UTC
Notes:
Investigation shows that the issue reported was caused by running the following CLI:
 pki -d /root/.dogtag/rhqa_pki/certs_db  -n "PKI CA Administrator for Non-TMS-CA" -c <password> -h `hostname` -p 8080 ca-user-cert-add CAadminV --input  /root/.dogtag/rhqa_pki/certs_db/CAadminV.pem

For comparison, I performed the same operation through the java console and did not have the same issue:
[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;caaudit+cert;;-----BEGIN CERTIFICATE-----[...]-----END CERTIFICATE-----] role configuration parameter(s) change

Comment 7 Christina Fu 2018-06-26 16:53:48 UTC
https://review.gerrithub.io/c/dogtagpki/pki/+/416765


commit e3c0a58596d969d0fe4a25b8ad087bc3f1cf1462 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu.redhat.com>
Date:   Mon Jun 25 18:38:20 2018 -0700

    Ticket 3003 AuditVerify failure due to line breaks
    
    This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks
    in audit entry from running pki ca-user-cert-add which would cause AuditVerify
    to fail. (note: adding user cert via the java console does not have such issue)
    
    fixes https://pagure.io/dogtagpki/issue/3003
    
    Change-Id: Iac60089349e78755ff94ce3231ee294ce8668f72
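
A simplified model of the failure and of the normalization described in the commit message above, added here as an illustration; it is not Dogtag or AuditVerify code. It assumes a verifier that reads the log line by line and rebuilds each signed block as line plus LF, uses HMAC in place of the audit signing certificate's signature, and all names and sample entries are constructed.

```python
import hashlib
import hmac

# Constructed demo values: HMAC stands in for the audit signing certificate's
# signature, and the PEM body below is not a real certificate.
KEY = b"constructed-demo-key"
SIG_PREFIX = "[AuditEvent=AUDIT_LOG_SIGNING] sig: "
PEM = ("-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQ=\r\n"
       "REVNTw==\r\n-----END CERTIFICATE-----")
ENTRIES = [
    "[AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success] authorization success",
    "[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][ParamNameValPairs=cert;;"
    + PEM + "] role configuration parameter(s) change",
]


def normalize(entry):
    """Strip CR/LF so that one audit event always occupies one line."""
    return entry.replace("\r", "").replace("\n", "")


def write_signed_log(entries, normalize_params=False):
    """Writer: sign the exact bytes flushed, then append the signature line."""
    body = "".join((normalize(e) if normalize_params else e) + "\n"
                   for e in entries)
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + SIG_PREFIX + sig + "\n"


def verify_signed_log(text):
    """Verifier: read line by line, rebuild each block as line + LF."""
    results, start = [], 1
    mac = hmac.new(KEY, b"", hashlib.sha256)
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith(SIG_PREFIX):
            ok = hmac.compare_digest(mac.hexdigest(), line[len(SIG_PREFIX):])
            results.append((start, lineno - 1, ok))
            mac, start = hmac.new(KEY, b"", hashlib.sha256), lineno + 1
        else:
            mac.update(line.encode() + b"\n")  # the CR of each CRLF is gone
    return results


if __name__ == "__main__":
    print(verify_signed_log(write_signed_log(ENTRIES)))
    print(verify_signed_log(write_signed_log(ENTRIES, normalize_params=True)))
```

Each result tuple is (first line, last line, verified) for one signed block, so the CRLF-wrapped entry shows up both as a failed signature and as extra lines in the block.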

Comment 10 Roshni 2018-07-30 15:28:42 UTC
[root@nocp1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.9
Release     : 3.el7
Architecture: noarch
Install Date: Thu 26 Jul 2018 10:45:40 AM EDT
Group       : System Environment/Daemons
Size        : 2451202
License     : GPLv2
Signature   : RSA/SHA256, Mon 23 Jul 2018 07:23:55 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.5.9-3.el7.src.rpm
Build Date  : Mon 23 Jul 2018 07:10:18 PM EDT
Build Host  : ppc-042.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=1595606#c5 and https://bugzilla.redhat.com/show_bug.cgi?id=1595606#c7

Comment 12 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195

