Bug 440989 – [SECURITY] CMC authorization check not done by default

Bug 440989 - [SECURITY] CMC authorization check not done by default

Summary:	[SECURITY] CMC authorization check not done by default

Status:	CLOSED ERRATA

Aliases:	None

Product:	Dogtag Certificate System
Classification:	Community
Component:	Authorization (Show other bugs)
Sub Component:
Version:	1.0
Hardware:	All Linux

Priority	high Severity medium
Target Milestone:	1.0
Target Release:	---
Assigned To:	Christina Fu
QA Contact:	Chandrasekar Kannan
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	443788
	Show dependency tree / graph

Reported:	2008-04-04 16:19 EDT by Christina Fu
Modified:	2015-01-05 20:19 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2009-07-22 19:28:18 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
added authorization to default CMC enrollment profile. Added error output. (2.57 KB, text/plain) 2008-04-04 16:41 EDT, Christina Fu	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Christina Fu 2008-04-04 16:19:26 EDT

Description of problem:
By default, the authorization check is not done for Signed CMC-Authenticated
User certificate enrollment.
A non-agent user that has an entry in the user db (e.g. a non-agent
administrator, or an auditor, or simply a user that was stripped of agent
privilege but account was left in the db) with his cert, then the user is
allowed to sign a CMC request and gets automatic approval.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. generate a user cert
2. add a user, add him to a non-agent group, like, say "Auditors." (or just
leave it with no group.
3. add the user's cert to the user
4. user the user's cet to sign a CMC cert.
5. paste it into the "Signed CMC-Authenticated user Certificate Enrollment Cert
Request Input form.
6. You will get a successful enrollment (and that's bad)
  
Actual results:


Expected results:
should get an authorization error

Additional info:

Comment 1 Christina Fu 2008-04-04 16:41:14 EDT

Created attachment 301334 [details]
added authorization to default CMC enrollment profile. Added error output.

pending peer code review

Comment 2 Andrew Wnuk 2008-04-04 17:10:41 EDT

id: 301334 awnuk+

Comment 3 Christina Fu 2008-04-04 17:13:44 EDT

[cfu@jaw pki]$ svn status | grep -v ^$ | grep -v ^P | grep -v ^X
M      linux/common/pki-common.spec
M      base/ca/shared/profiles/ca/caCMCUserCert.cfg
M      base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
[cfu@jaw pki]$ svn commit
Sending        base/ca/shared/profiles/ca/caCMCUserCert.cfg
Sending       
base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Sending        linux/common/pki-common.spec
Transmitting file data ...
Committed revision 17.

Comment 5 Kashyap Chamarthy 2009-06-22 06:22:54 EDT

Verified.(June-18-09 build). Signed a csr request with a user added to "Auditors" group and then generated a CMC request using CMCEnroll as below 

-----------
CMCEnroll -d "/home/user1/.mozilla/firefox/po7qy4w7.default/" -n "guser1's csdomain ID" -r "/root/certreq.txt" -p netscape
-----------
And then pasted the output to "Signed CMC-Authenticated user Certificate Enrollment Cert
Request Input form"

Result - "Authorization Error"

Note You need to log in before you can comment on or make changes to this bug.