Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser.
CS 8.0 -- Have to download and stall the trust chain through ESC even if it ...
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: ESC (Show other bugs)
1.1
All Windows
high Severity medium
: ---
: ---
Assigned To: Jack Magne
Chandrasekar Kannan
:
Depends On:
Blocks: 445047
  Show dependency treegraph
 
Reported: 2009-04-27 17:49 EDT by Sean Veale
Modified: 2015-01-04 18:38 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-04 16:02:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
ESC portion of patch to address issue (3.20 KB, patch)
2010-08-17 17:52 EDT, Jack Magne
no flags Details | Diff
New ESC file for this issue. (1.94 KB, application/xml)
2010-08-17 17:54 EDT, Jack Magne
no flags Details
TPS portion of fix to issue. (452 bytes, patch)
2010-08-17 18:10 EDT, Jack Magne
no flags Details | Diff
New TPS file for this issue. (1.60 KB, text/plain)
2010-08-17 18:12 EDT, Jack Magne
no flags Details
Makefile changes for TPS portion of fix. (1.30 KB, patch)
2010-08-17 18:56 EDT, Jack Magne
no flags Details | Diff
ESC Windows Installer fix for this issue. (4.24 KB, patch)
2010-08-19 20:47 EDT, Jack Magne
no flags Details | Diff

  None (edit)
Description Sean Veale 2009-04-27 17:49:38 EDT
Description of problem:
CS 8.0  -- Have to download and stall the trust chain through ESC even if it was already installed in the browser.  This will make it annoying to say the least for anyone deploying this application to a large user base.  It would be much better if it could use the trust chain imported already into the browser instead of having it's own copy.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 2 Marc Sauton 2009-08-19 14:16:58 EDT
That would be a RFE:
FF and ESC are 2 different applications that use their own NSS database.
On Linux, ESC uses ~/.redhat/esc/<string>.<profile-name>/ for its NSS database path.
FF uses ~/.mozilla/firefox/<string>.<profile-name>/
Comment 5 Jack Magne 2010-08-17 17:52:17 EDT
Created attachment 439220 [details]
ESC portion of patch to address issue
Comment 6 Jack Magne 2010-08-17 17:54:20 EDT
Created attachment 439222 [details]
New ESC file for this issue.
Comment 7 Jack Magne 2010-08-17 18:10:26 EDT
Created attachment 439227 [details]
TPS portion of fix to issue.
Comment 8 Jack Magne 2010-08-17 18:12:16 EDT
Created attachment 439228 [details]
New TPS file for this issue.
Comment 9 Jack Magne 2010-08-17 18:56:54 EDT
Created attachment 439241 [details]
Makefile changes for TPS portion of fix.
Comment 10 Jack Magne 2010-08-19 20:47:14 EDT
Created attachment 439829 [details]
ESC Windows Installer fix for this issue.

This patch provides enhancement to the ESC Windows Installer to make it easier to change ESC's configuration parameters at install time through simple command line parameters.
Comment 11 Jack Magne 2010-08-19 21:18:31 EDT
The addressing if this issue will come in a two way approach:

1. Provide a relatively simple means by which the user of ESC can be given the chance to download and install the CA Certificate Trust Chain.

- TPS will support an optional URL value to be sent back to the client during it's phone home process. This URL will then allow the client to be passed through to the CA's facility to download and trust the CA Cert chain. The optional change to the file "/usr/lib/pki-tps/cgi-bin/home/index.cgi will look like as follows:

print "Content-type: text/xml\n\n";
print "<\?xml version=\"1.0\" encoding=\"UTF-8\"\?>";
print "<ServiceInfo>";
print "<IssuerName>";
print "Fedora Project";   # Vendor
print "</IssuerName>\n";
print "<Services>";
print "<Operation>";
print "http://test.host.com:7888/nk_service";
print "</Operation>";
print "<UI>";
print "http://test.host.com:7888/cgi-bin/home/enroll.cgi";
print "</UI>";
print "<EnrolledTokenBrowserURL>";
print "http://www.fedora.redhat.com";   # Company URL
print "</EnrolledTokenBrowserURL>";
print "<EnrolledTokenURL>";
print "</EnrolledTokenURL>";
print "<TokenType>";
print "userKey";
print "</TokenType>";
#print "<CAChainUI>";
#print "http://test.host.com:7888/cgi-bin/home/cachain.cgi";
#print "</CAChainUI>";
print "</Services>";
print "</ServiceInfo>";

The commented out lines above can be activated so the latest ESC can obtain the URL and make use of it. Note the http port must be used or ESC can not even get to the new URL.

- A new cgi perl script called "cachain.cgi" will be there to actually make sure the client gets access to the CA's servlet that downloads and trusts the cert chain.

2. The esc client already supports the following preference:

esc.global.alt.nss.db=<path to another db to trust>

- This allows the user of ESC to take advantage to all the cert trust relationships already contained in this alternate NSS database. This has already been used in the field.

- The simple improvement here is that now the Windwos ESC installer will support a means to accept custom command line switches as follows:

./esc-intaller.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db

- Note that this command line switch can be used multiple times with different values to set other ESC perferences.

- The end result is once ESC is intalled on the Windows system, the file "esc/defaults/preferences/esc-prefs.js will have the desired values set as requested by the command line parameters discussed above.

- Usage Example:

./SmartCardManagerSetup-1.1.0-11.win32.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db /EscConfig=esc.test.boolean.pref=fals
Comment 13 Jack Magne 2010-08-20 19:08:04 EDT
Checkins ESC:

Checking in setup.iss;
/cvs/dirsec/esc/win32/setup.iss,v  <--  setup.iss
new revision: 1.16; previous revision: 1.15
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.

Checking in src/app/xul/esc/chrome/content/esc/ESC.js;
/cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc/ESC.js,v  <--  ESC.js
new revision: 1.33; previous revision: 1.32
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Checking in src/app/xul/esc/chrome/locale/en-US/esc.dtd;
/cvs/dirsec/esc/src/app/xul/esc/chrome/locale/en-US/esc.dtd,v  <--  esc.dtd
new revision: 1.8; previous revision: 1.7
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Checking in src/app/xul/esc/defaults/preferences/esc-prefs.js;
/cvs/dirsec/esc/src/app/xul/esc/defaults/preferences/esc-prefs.js,v  <--  esc-pr
efs.js
new revision: 1.8; previous revision: 1.7
done
Running syncmail...
Checking in getcachain.xul;
/cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc/getcachain.xul,v  <--  getcac
hain.xul
initial revision: 1.1
done
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Comment 14 Jack Magne 2010-08-20 19:56:05 EDT
Checkins: TPS:

Branch:

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser."
Enter passphrase for key '/home/jmagne/.ssh/id_rsa': 
Sending        base/tps/Makefile.am
Sending        base/tps/Makefile.in
Adding         base/tps/forms/esc/cgi-bin/home/cachain.cgi
Sending        base/tps/forms/esc/cgi-bin/home/index.cgi
Transmitting file data ....
Committed revision 1234.

Trunk:

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser." Makefile.am Makefile.in

Sending        Makefile.am
Sending        Makefile.in
Transmitting file data ..
Committed revision 1235.

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser."
Enter passphrase for key '/home/jmagne/.ssh/id_rsa': 
Adding         forms/esc/cgi-bin/home/cachain.cgi
Sending        forms/esc/cgi-bin/home/index.cgi
Transmitting file data ..
Committed revision 1236.
Comment 15 Jack Magne 2010-08-20 20:38:48 EDT
Feature can be tested with the next build of TPS and the next Windows build of ESC.
Comment 16 Asha Akkiangady 2011-05-12 13:42:43 EDT
Tested case #1 in the comment 11 on a Win XP 32 machine with ESC-1.1.0-12. Burning a phone home url throws error "The file chrome://esc/content/getchain.xul cannot be found. Please check the location and try again".

Jack looked into the issue, the file is missing - need a ESC build respin with this fix.
Comment 17 Jack Magne 2011-05-13 12:35:36 EDT
Local respin confirmed the simple problem. Official bits on the way.
Comment 18 Jack Magne 2011-05-16 20:37:02 EDT
Latest build addresses this.
Comment 19 Asha Akkiangady 2011-05-19 16:58:54 EDT
Tested with ESC-1.1.0-13 on a Win XP 64 bit machine.
-Configured /usr/lib/pki-tps/cgi-bin/home/index.cgi to include cachain.cgi, CA Certificate Trust Chain is download and can be trusted during phone home process.

-Tested esc-prefs.js file with esc.global.alt.nss.db=<path to another db to trust>, certificate trust is populated successfully in ESC.

-Tested ESC installation with command line switches, 
./esc-intaller.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db /EscConfig=esc.test.boolean.pref=false

This does not populate certificate and trust into ESC security database. 

Certificate and the trust is populated only when the path to nss db has forward slash like this:
./esc-intaller.exe /EscConfig=esc.global.alt.nss.db=c:/common-nss-db

Verified that command line switch used multiple times with different
values sets the values correctly in esc/defaults/preferences/esc-prefs.js.

Marking the bug verified.

Note You need to log in before you can comment on or make changes to this bug.