Bug 440989 - [SECURITY] CMC authorization check not done by default
Product: Dogtag Certificate System
Classification: Community
Component: Authorization
Hardware: All
OS: Linux
Priority: high
Severity: medium
Version: 1.0
Assigned To: Christina Fu
Chandrasekar Kannan
Blocks: 443788
Reported: 2008-04-04 16:19 EDT by Christina Fu
Modified: 2015-01-05 20:19 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:28:18 EDT

Attachments:
added authorization to default CMC enrollment profile. Added error output. (2.57 KB, text/plain)
2008-04-04 16:41 EDT, Christina Fu
Description Christina Fu 2008-04-04 16:19:26 EDT
Description of problem:
By default, the authorization check is not done for Signed CMC-Authenticated
User certificate enrollment.
If a non-agent user that has an entry in the user db (e.g. a non-agent
administrator, or an auditor, or simply a user that was stripped of agent
privilege but whose account was left in the db) has his cert, then the user is
allowed to sign a CMC request and gets automatic approval.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. generate a user cert
2. add a user, add him to a non-agent group, like, say, "Auditors" (or just
leave it with no group).
3. add the user's cert to the user
4. use the user's cert to sign a CMC cert.
5. paste it into the "Signed CMC-Authenticated user Certificate Enrollment" Cert
Request Input form.
6. You will get a successful enrollment (and that's bad).
Actual results:

Expected results:
should get an authorization error

Additional info:
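The gap described above is an authentication check with no authorization check behind it: the CMC signer's certificate maps to an entry in the user db, and that alone is treated as approval. The following added example (not code from this bug report or from the Dogtag project) models that decision and an audit over profile configuration files. It assumes profile files use key=value lines, that CMC signer authentication is selected with auth.instance_id=CMCAuth, and that the authorization requirement is expressed as authz.acl=group="<group name>"; those key names and the two sample profiles are assumptions constructed for the example.

```python
"""Audit enrollment-profile configs for an authenticated-but-unauthorized path.

Added example, not Dogtag code. Assumed conventions:
  - properties-style "key=value" lines,
  - "auth.instance_id=CMCAuth" selects CMC signer authentication,
  - 'authz.acl=group="<name>"' requires the authenticated user to be in <name>.
"""
import re

# Constructed sample: signer is authenticated, but no ACL is checked, so any
# user with a cert in the user db (an auditor, a demoted agent) is auto-approved.
PROFILE_WITHOUT_AUTHZ = """\
desc=This profile is for enrolling user certificates with CMC
enable=true
visible=true
auth.instance_id=CMCAuth
name=Signed CMC-Authenticated User Certificate Enrollment
"""

# Constructed sample: same profile with an ACL that requires agent membership.
PROFILE_WITH_AUTHZ = """\
desc=This profile is for enrolling user certificates with CMC
enable=true
visible=true
auth.instance_id=CMCAuth
authz.acl=group="Certificate Manager Agents"
name=Signed CMC-Authenticated User Certificate Enrollment
"""

ACL_GROUP_RE = re.compile(r'^group="([^"]+)"$')


def parse_profile(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def required_group(props):
    """Return the group named by authz.acl, or None if the profile has no ACL."""
    acl = props.get("authz.acl")
    if not acl:
        return None
    match = ACL_GROUP_RE.match(acl)
    if not match:
        raise ValueError(f"unsupported ACL expression: {acl!r}")
    return match.group(1)


def audit_profile(props):
    """Flag enabled profiles that authenticate the requester but never authorize."""
    findings = []
    if (props.get("enable") == "true"
            and props.get("auth.instance_id")
            and not props.get("authz.acl")):
        findings.append("auth.instance_id is set but authz.acl is missing: "
                        "any authenticated user in the user db gets automatic approval")
    return findings


def authorize_request(props, signer_groups):
    """Decide whether a CMC request signed by a user in signer_groups is approved."""
    group = required_group(props)
    if group is None:
        # No ACL configured: authentication alone suffices. This is the reported bug.
        return True
    return group in signer_groups


if __name__ == "__main__":
    for label, text in (("without authz", PROFILE_WITHOUT_AUTHZ),
                        ("with authz", PROFILE_WITH_AUTHZ)):
        props = parse_profile(text)
        print(label, "findings:", audit_profile(props))
        print(label, "auditor approved:", authorize_request(props, {"Auditors"}))
```

Running the audit over a profile directory before enabling a CMC profile is the practical check: a profile that sets an auth instance but no authz.acl is the configuration this bug describes, and the fix is to require the agent group in the ACL rather than to rely on certificate-based authentication alone.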
Comment 1 Christina Fu 2008-04-04 16:41:14 EDT
Created attachment 301334 [details]
added authorization to default CMC enrollment profile. Added error output.

pending peer code review
Comment 2 Andrew Wnuk 2008-04-04 17:10:41 EDT
id: 301334 awnuk+
Comment 3 Christina Fu 2008-04-04 17:13:44 EDT
[cfu@jaw pki]$ svn status | grep -v ^$ | grep -v ^P | grep -v ^X
M      linux/common/pki-common.spec
M      base/ca/shared/profiles/ca/caCMCUserCert.cfg
M      base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
[cfu@jaw pki]$ svn commit
Sending        base/ca/shared/profiles/ca/caCMCUserCert.cfg
Sending        linux/common/pki-common.spec
Transmitting file data ...
Committed revision 17.
Comment 5 Kashyap Chamarthy 2009-06-22 06:22:54 EDT
Verified (June-18-09 build). Signed a CSR request with a user added to the "Auditors" group and then generated a CMC request using CMCEnroll as below:

CMCEnroll -d "/home/user1/.mozilla/firefox/po7qy4w7.default/" -n "guser1's csdomain ID" -r "/root/certreq.txt" -p netscape
And then pasted the output into the "Signed CMC-Authenticated user Certificate Enrollment" Cert Request Input form.

Result - "Authorization Error"
