Description of problem:
By default, the authorization check is not done for Signed CMC-Authenticated User certificate enrollment. If a non-agent user that has an entry in the user db (e.g. a non-agent administrator, or an auditor, or simply a user that was stripped of agent privilege but whose account was left in the db) signs a CMC request with his cert, the user gets automatic approval.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. generate a user cert
2. add a user, add him to a non-agent group, like, say "Auditors" (or just leave it with no group).
3. add the user's cert to the user
4. use the user's cert to sign a CMC cert request.
5. paste it into the "Signed CMC-Authenticated user Certificate Enrollment" Cert Request Input form.
6. You will get a successful enrollment (and that's bad)

Actual results:

Expected results:
should get an authorization error

Additional info:
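The report separates two checks that the original profile conflated: authentication (the CMC signer cert maps to some entry in the CA's user db) and authorization (that entry holds agent privilege). The following is an added, constructed model of that distinction, not Dogtag/RHCS code; the user db contents, group names and the ACL string are assumptions standing in for the CA's internal user db and the profile's authorization setting.

```python
"""Model of authentication vs. authorization for signed CMC enrollment.

Constructed illustration, not Dogtag/RHCS code: the user db, the group
names and the ACL string below are assumptions.
"""
import re

# Constructed user db: CMC signer cert -> (uid, set of groups).
# Having any entry here is enough to pass *authentication*.
USER_DB = {
    "cert:agent1":   ("agent1",   {"Certificate Manager Agents"}),
    "cert:auditor1": ("auditor1", {"Auditors"}),
    "cert:exagent":  ("exagent",  set()),   # stripped of agent group, entry left in db
}

# Assumed profile ACL, written in group="<name>" form.
AGENT_ACL = 'group="Certificate Manager Agents"'


def authenticate(signer_cert):
    """Map the CMC signer certificate to a user db entry, or None."""
    return USER_DB.get(signer_cert)


def authorize(user, acl):
    """Evaluate a group="..." ACL against the user's group memberships."""
    m = re.fullmatch(r'group="([^"]+)"', acl)
    if not m:
        raise ValueError("unsupported ACL: %r" % acl)
    return m.group(1) in user[1]


def submit_cmc(signer_cert, acl=AGENT_ACL, authz_enabled=True):
    """Return the outcome of a signed CMC enrollment.

    authz_enabled=False reproduces the reported behaviour: any user with
    a db entry who can sign the request gets automatic approval.
    """
    user = authenticate(signer_cert)
    if user is None:
        return "Authentication Error"
    if authz_enabled and not authorize(user, acl):
        return "Authorization Error"
    return "Approved"


if __name__ == "__main__":
    for cert in USER_DB:
        print(cert, "before:", submit_cmc(cert, authz_enabled=False),
              "after:", submit_cmc(cert))
```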
Created attachment 301334
added authorization to default CMC enrollment profile. Added error output. pending peer code review
[cfu@jaw pki]$ svn status | grep -v ^$ | grep -v ^P | grep -v ^X
M linux/common/pki-common.spec
M base/ca/shared/profiles/ca/caCMCUserCert.cfg
M base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
[cfu@jaw pki]$ svn commit
Sending base/ca/shared/profiles/ca/caCMCUserCert.cfg
Sending base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Sending linux/common/pki-common.spec
Transmitting file data ...
Committed revision 17.
Verified (June-18-09 build). Signed a csr request with a user added to "Auditors" group and then generated a CMC request using CMCEnroll as below
-----------
CMCEnroll -d "/home/user1/.mozilla/firefox/po7qy4w7.default/" -n "guser1's csdomain ID" -r "/root/certreq.txt" -p netscape
-----------
And then pasted the output to "Signed CMC-Authenticated user Certificate Enrollment Cert Request Input form"
Result - "Authorization Error"