Bug 440989 - [SECURITY] CMC authorization check not done by default
Summary: [SECURITY] CMC authorization check not done by default
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Authorization
Version: 1.0
Hardware: All
OS: Linux
high
medium
Target Milestone: 1.0
Assignee: Christina Fu
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 443788
TreeView+ depends on / blocked
 
Reported: 2008-04-04 20:19 UTC by Christina Fu
Modified: 2015-01-06 01:19 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2009-07-22 23:28:18 UTC


Attachments (Terms of Use)
added authorization to default CMC enrollment profile. Added error output. (2.57 KB, text/plain)
2008-04-04 20:41 UTC, Christina Fu
no flags Details

Description Christina Fu 2008-04-04 20:19:26 UTC
Description of problem:
By default, the authorization check is not done for Signed CMC-Authenticated
User certificate enrollment.
A non-agent user that has an entry in the user db (e.g. a non-agent
administrator, or an auditor, or simply a user that was stripped of agent
privilege but account was left in the db) with his cert, then the user is
allowed to sign a CMC request and gets automatic approval.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. generate a user cert
2. add a user, add him to a non-agent group, like, say "Auditors." (or just
leave it with no group.
3. add the user's cert to the user
4. user the user's cet to sign a CMC cert.
5. paste it into the "Signed CMC-Authenticated user Certificate Enrollment Cert
Request Input form.
6. You will get a successful enrollment (and that's bad)
  
Actual results:


Expected results:
should get an authorization error

Additional info:

Comment 1 Christina Fu 2008-04-04 20:41:14 UTC
Created attachment 301334 [details]
added authorization to default CMC enrollment profile. Added error output.

pending peer code review

Comment 2 Andrew Wnuk 2008-04-04 21:10:41 UTC
id: 301334 awnuk+

Comment 3 Christina Fu 2008-04-04 21:13:44 UTC
[cfu@jaw pki]$ svn status | grep -v ^$ | grep -v ^P | grep -v ^X
M      linux/common/pki-common.spec
M      base/ca/shared/profiles/ca/caCMCUserCert.cfg
M      base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
[cfu@jaw pki]$ svn commit
Sending        base/ca/shared/profiles/ca/caCMCUserCert.cfg
Sending       
base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Sending        linux/common/pki-common.spec
Transmitting file data ...
Committed revision 17.


Comment 5 Kashyap Chamarthy 2009-06-22 10:22:54 UTC
Verified.(June-18-09 build). Signed a csr request with a user added to "Auditors" group and then generated a CMC request using CMCEnroll as below 

-----------
CMCEnroll -d "/home/user1/.mozilla/firefox/po7qy4w7.default/" -n "guser1's csdomain ID" -r "/root/certreq.txt" -p netscape
-----------
And then pasted the output to "Signed CMC-Authenticated user Certificate Enrollment Cert
Request Input form"

Result - "Authorization Error"


Note You need to log in before you can comment on or make changes to this bug.