Bug 440989

Summary: [SECURITY] CMC authorization check not done by default
Product: [Retired] Dogtag Certificate System
Component: Authorization
Version: 1.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Target Milestone: 1.0
Target Release: ---
Reporter: Christina Fu <cfu>
Assignee: Christina Fu <cfu>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:28:18 UTC
Bug Blocks: 443788
Attachments: added authorization to default CMC enrollment profile. Added error output. (flags: none)

Description Christina Fu 2008-04-04 20:19:26 UTC
Description of problem:
By default, the authorization check is not done for Signed CMC-Authenticated
User certificate enrollment.
A non-agent user who has an entry in the user db (e.g. a non-agent
administrator, or an auditor, or simply a user who was stripped of agent
privilege but whose account was left in the db) can use his cert to sign a
CMC request and gets automatic approval.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. generate a user cert
2. add a user, add him to a non-agent group, like, say, "Auditors" (or just
leave him with no group).
3. add the user's cert to the user
4. use the user's cert to sign a CMC request.
5. paste it into the "Signed CMC-Authenticated User Certificate Enrollment Cert
Request Input form".
6. You will get a successful enrollment (and that's bad)
  
Actual results:


Expected results:
should get an authorization error

Additional info:
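
The failure mode reported above, modelled as an added example; this is not Dogtag's code or the attached patch. It assumes a constructed user db and request structure, and assumes the CA agent group is named "Certificate Manager Agents" (an illustrative name). The "before" handler approves any request whose CMC signature verifies and whose signing cert is bound to some user entry (authentication only); the "after" handler adds the authorization step, so an auditor or a group-less leftover account gets an authorization error instead of an issued cert.

```python
# Added example for bug 440989; NOT Dogtag code. It models the missing check
# with constructed data so the authentication/authorization distinction can
# be exercised stand-alone.
from dataclasses import dataclass, field

# Assumption: the CA's agent group is named "Certificate Manager Agents".
AGENT_GROUPS = {"Certificate Manager Agents"}


@dataclass
class User:
    """An entry in the CA's internal user db (constructed)."""
    uid: str
    cert_fingerprint: str            # fingerprint of the cert bound to the user
    groups: set = field(default_factory=set)


@dataclass
class SignedCMCRequest:
    """Minimal stand-in for a Signed CMC request (constructed)."""
    signer_fingerprint: str          # cert that produced the CMC signature
    signature_valid: bool            # result of cryptographic verification


class AuthenticationError(Exception):
    pass


class AuthorizationError(Exception):
    pass


def authenticate_signer(req, user_db):
    """Authentication only: the signature verifies and the signing cert is
    bound to some entry in the user db. This says nothing about privilege."""
    if not req.signature_valid:
        raise AuthenticationError("CMC signature does not verify")
    for user in user_db:
        if user.cert_fingerprint == req.signer_fingerprint:
            return user
    raise AuthenticationError("signing cert not bound to any user")


def submit_before_fix(req, user_db):
    """Behaviour described in the bug: every authenticated signer is
    auto-approved, whether or not the signer is an agent."""
    authenticate_signer(req, user_db)
    return "approved"


def submit_after_fix(req, user_db):
    """Fixed behaviour: authentication, then an authorization check that the
    signer holds an agent role; otherwise the request is rejected."""
    user = authenticate_signer(req, user_db)
    if not (user.groups & AGENT_GROUPS):
        raise AuthorizationError("Authorization Error")
    return "approved"


def outcome(handler, req, user_db):
    """Run a handler and report the result as a string."""
    try:
        return handler(req, user_db)
    except AuthenticationError:
        return "Authentication Error"
    except AuthorizationError:
        return "Authorization Error"


# Constructed sample data mirroring the reproduction steps in the description.
USER_DB = [
    User("agent1", "fp-agent", {"Certificate Manager Agents"}),
    User("auditor1", "fp-auditor", {"Auditors"}),   # non-agent user with a cert
    User("orphan", "fp-orphan", set()),             # account left in db, no group
]
REQ_FROM_AUDITOR = SignedCMCRequest("fp-auditor", True)
REQ_FROM_AGENT = SignedCMCRequest("fp-agent", True)
REQ_FROM_ORPHAN = SignedCMCRequest("fp-orphan", True)
REQ_UNKNOWN_SIGNER = SignedCMCRequest("fp-stranger", True)
REQ_BAD_SIGNATURE = SignedCMCRequest("fp-agent", False)

if __name__ == "__main__":
    cases = [("auditor", REQ_FROM_AUDITOR), ("agent", REQ_FROM_AGENT),
             ("orphan", REQ_FROM_ORPHAN), ("unknown", REQ_UNKNOWN_SIGNER),
             ("bad-sig", REQ_BAD_SIGNATURE)]
    for name, req in cases:
        print(f"{name:8} before fix: {outcome(submit_before_fix, req, USER_DB):22}"
              f" after fix: {outcome(submit_after_fix, req, USER_DB)}")
```

The point the example isolates is that a cert bound to a user-db entry proves who signed, not what they may do; the profile has to check the signer's role separately, and the auditor and the orphaned account only fail once that second step exists.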

Comment 1 Christina Fu 2008-04-04 20:41:14 UTC
Created attachment 301334 [details]
added authorization to default CMC enrollment profile. Added error output.

pending peer code review

Comment 2 Andrew Wnuk 2008-04-04 21:10:41 UTC
id: 301334 awnuk+

Comment 3 Christina Fu 2008-04-04 21:13:44 UTC
[cfu@jaw pki]$ svn status | grep -v ^$ | grep -v ^P | grep -v ^X
M      linux/common/pki-common.spec
M      base/ca/shared/profiles/ca/caCMCUserCert.cfg
M      base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
[cfu@jaw pki]$ svn commit
Sending        base/ca/shared/profiles/ca/caCMCUserCert.cfg
Sending        base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Sending        linux/common/pki-common.spec
Transmitting file data ...
Committed revision 17.


Comment 5 Kashyap Chamarthy 2009-06-22 10:22:54 UTC
Verified (June-18-09 build). Signed a CSR with a user added to the "Auditors" group and then generated a CMC request using CMCEnroll as below:

-----------
CMCEnroll -d "/home/user1/.mozilla/firefox/po7qy4w7.default/" -n "guser1's csdomain ID" -r "/root/certreq.txt" -p netscape
-----------
And then pasted the output into the "Signed CMC-Authenticated User Certificate Enrollment Cert Request Input form".

Result - "Authorization Error"