Description of problem:
"Signed CMC-Authenticated User Certificate Enrollment" fails with Authorization error ("group evaluation")

How reproducible:
Always

Steps to Reproduce:
(1) Firstly, to enable CMC enrollment, edit the /var/lib/pki-ca/web-apps/ca/ee/ca/CMCEnrollment.html file as below. Find the following line:
<form method="post" action="/enrollment" onSubmit="return validate(document.forms[0])">
and add the below line and save it:
<input type="hidden" name="authenticator" value="CMCAuth">
(2) Then generate a cert request as below:
# certutil -R -s "cn=testuser35, O=someorg, L=pune, ST=Mah, C=In" -p "9357" -o mcert35.req -d /home/test/.mozilla/firefox/q9v5msej.default/
(3) Then convert the binary request to ASCII:
# BtoA mcert35.req mcert35.req.txt
(4) Now run the CMCEnroll command to sign the certificate request as below:
# CMCEnroll -d /home/test/.mozilla/firefox/q9v5msej.default/ -n "CA Administrator of Instance pki-ca's PnqRedhat Domain ID" -r mcert35.req.txt -p netscape
(5) Now use the "Signed CMC-Authenticated User Certificate Enrollment" form, copy and paste the output content from step (4) except the Begin/End headers, and submit the request.

Actual results:
An error: "Sorry, your request is not submitted. The reason is "Authorization Error""

Expected results:
CMC Enrollment should be successful

Log Info: CA debug log
[...]
[27/May/2009:15:40:25][http-9444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=testuser35,O=someorg,L=pune,ST=Mah,C=In][SignerInfo=CA Administrator of Instance pki-ca] agent pre-approved CMC request signature verification
[27/May/2009:15:40:25][http-9444-Processor25]: ProfileSubmitServlet authToken not null
[27/May/2009:15:40:25][http-9444-Processor25]: ProfileSubmitServlet: authz using acl: group="Certificate Manager Agents"
[27/May/2009:15:40:25][http-9444-Processor25]: evaluating expressions: group="Certificate Manager Agents"
[27/May/2009:15:40:25][http-9444-Processor25]: getConn: mNumConns now 2
[27/May/2009:15:40:25][http-9444-Processor25]: returnConn: mNumConns now 3
[27/May/2009:15:40:25][http-9444-Processor25]: evaluated expression: group="Certificate Manager Agents" to be false
[27/May/2009:15:40:25][http-9444-Processor25]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Certificate Manager Agents", operation: {1}
[27/May/2009:15:40:25][http-9444-Processor25]: CMSServlet: curDate=Wed May 27 15:40:25 IST 2009 id=caProfileSubmit time=17
[...]
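As an added triage aid (not code from this bug report or from Dogtag), the following Python parses CA debug log entries in the format quoted above, correlates them by servlet thread, and lists each profile submission that was rejected with an authorization error together with its authenticator, the authenticated user and the ACL expression that evaluated to false. The embedded log lines are constructed to mirror this report; the second thread, its AgentCertAuth authenticator and the example DNs are assumed sample values.

```python
import re
from collections import defaultdict
# One Dogtag CA debug log entry: [timestamp][thread]: message
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$')
PROFILE_RE = re.compile(r"profileId='([^']*)'")
AUTHN_RE = re.compile(r'authenticator (\S+) found')
EVAL_RE = re.compile(r'evaluated expression: (.+) to be (true|false)$')
# Constructed sample modelled on this report's log: thread ...19 is the rejected CMC request, ...20 passes.
SAMPLE_LOG = """\
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter profileId='caCMCUserCert'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: authenticator CMCAuth found
[08/Jun/2009:06:59:04][http-9580-Processor19]: authenticated uid=admin,ou=People,dc=example-pki-ca
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluated expression: group="Certificate Manager Agents" to be false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Certificate Manager Agents", operation: {1}
[08/Jun/2009:06:59:05][http-9580-Processor20]: ProfileSubmitServlet Input Parameter profileId='caUserCert'
[08/Jun/2009:06:59:05][http-9580-Processor20]: ProfileSubmitServlet: authenticator AgentCertAuth found
[08/Jun/2009:06:59:05][http-9580-Processor20]: evaluated expression: group="Certificate Manager Agents" to be true
"""

def triage_authz(log_text):
    """Per servlet thread: profile, authenticator, authenticated user, ACL evaluations, authz outcome."""
    per_thread = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # shell prompt, tail banner or wrapped continuation: not an entry
        rec, msg = per_thread[m.group('thread')], m.group('msg')
        if 'start to service' in msg:
            rec.clear()  # pooled thread reused for a new request: start a fresh record
        p, a, e = PROFILE_RE.search(msg), AUTHN_RE.search(msg), EVAL_RE.search(msg)
        if p:
            rec['profile'] = p.group(1)
        elif a:
            rec['authenticator'] = a.group(1)
        elif msg.startswith('authenticated '):
            rec['user'] = msg[len('authenticated '):]
        elif e:
            rec.setdefault('acl', []).append((e.group(1), e.group(2) == 'true'))
        elif 'Authorization failed' in msg:
            rec['authz_failed'] = True
    return dict(per_thread)

def failed_submissions(log_text):
    """(thread, profile, authenticator, user, ACL expression that evaluated false) per rejected request."""
    out = []
    for thread, rec in triage_authz(log_text).items():
        if rec.get('authz_failed'):
            denied = next((x for x, ok in rec.get('acl', []) if not ok), None)
            out.append((thread, rec.get('profile'), rec.get('authenticator'), rec.get('user'), denied))
    return out
```

Run over the report's own debug log, the rejected row shows the same picture as the excerpt above: the request authenticated via CMCAuth as the CA admin, yet the group="Certificate Manager Agents" check still evaluated to false.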
Created attachment 345619: CA debug log during the CMC-authenticated user cert enrollment
Re-assigning to cfu per CS meeting of 6/1/2009.
Created attachment 346595: usrid contains the uid for CMCAuth, the userid contains the uid, and uid contains the cn. Renewal works with this cert too.
attachment (id=346595) +awnuk
[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/base/common
[cfu@jaw common]$ svn commit src/com/netscape/cms/evaluators
Sending        src/com/netscape/cms/evaluators/GroupAccessEvaluator.java
Transmitting file data .
Committed revision 551.
[cfu@jaw common]$ svn commit pki-common.spec
Sending        pki-common.spec
Transmitting file data .
Committed revision 552.
I tried with June-8th-2008 build. But still see the same error.
<snip>
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluated expression: group="Certificate Manager Agents" to be false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Certificate Manager Agents", operation: {1}
</snip>
Please let me know if I'm missing anything.
--------------------------------------------------------------
[root@tel53 logs]# tail -100 /var/lib/pki-ca/logs/debug
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMSServlet: caProfileSubmit start to service.
[08/Jun/2009:06:59:04][http-9580-Processor19]: xmlOutput false
[08/Jun/2009:06:59:04][http-9580-Processor19]: Start of ProfileSubmitServlet Input Parameters
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter cert_request='[base64-encoded CMC request elided]'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter renewal='false'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter requestor_phone='2343243113'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter requestor_name='james'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter requestor_email='james'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter xmlOutput='false'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter profileId='caCMCUserCert'
[08/Jun/2009:06:59:04][http-9580-Processor19]: End of ProfileSubmitServlet Input Parameters
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: start serving
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: SubId=profile
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: isRenewal false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: profileId caCMCUserCert
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: authenticator CMCAuth found
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet:setCredentialsIntoContext() authNames not null
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet:setCredentialsIntoContext() authName:cert_request
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet:setCredentialsIntoContext() authName found in request
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmistServlet: set Inputs into profile Context
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: set sslClientCertProvider
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: start checking signature
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: verifying signature with public key
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: finished checking signature
[08/Jun/2009:06:59:04][http-9580-Processor19]: CertUserDBAuth: started
[08/Jun/2009:06:59:04][http-9580-Processor19]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:06:59:04][http-9580-Processor19]: CertUserDBAuth: Got client certificate
[08/Jun/2009:06:59:04][http-9580-Processor19]: getConn: mNumConns now 2
[08/Jun/2009:06:59:04][http-9580-Processor19]: returnConn: mNumConns now 3
[08/Jun/2009:06:59:04][http-9580-Processor19]: Authentication: client certificate found
[08/Jun/2009:06:59:04][http-9580-Processor19]: getConn: mNumConns now 2
[08/Jun/2009:06:59:04][http-9580-Processor19]: returnConn: mNumConns now 3
[08/Jun/2009:06:59:04][http-9580-Processor19]: Authentication: mapped certificate to user
[08/Jun/2009:06:59:04][http-9580-Processor19]: authenticated uid=admin,ou=People,dc=tel53.pnq.redhat.com-pki-ca-te
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: in PKCS10
[08/Jun/2009:06:59:04][http-9580-Processor19]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=testuser35,O=someorg,L=pune,ST=Mah,C=In][SignerInfo=CA Administrator of Instance pki-ca] agent pre-approved CMC request signature verification
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authToken not null
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: authz using acl: group="Certificate Manager Agents"
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluating expressions: group="Certificate Manager Agents"
[08/Jun/2009:06:59:04][http-9580-Processor19]: getConn: mNumConns now 2
[08/Jun/2009:06:59:04][http-9580-Processor19]: returnConn: mNumConns now 3
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluated expression: group="Certificate Manager Agents" to be false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Certificate Manager Agents", operation: {1}
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMSServlet: curDate=Mon Jun 08 06:59:04 GMT+05:30 2009 id=caProfileSubmit time=30
--------------------------------------------------------------------
you don't seem to have the build containing my fix. Did the build system actually pick up the fix?
Verified. CMC Enrollment works perfectly with the new fix (June-8th build).