Bug 506305 - revoking user certs fail from the RA due to nonces changes
Product: Dogtag Certificate System
Classification: Community
Component: RA
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Andrew Wnuk
Chandrasekar Kannan
Blocks: 443788
Reported: 2009-06-16 12:21 EDT by Ade Lee
Modified: 2015-01-05 20:16 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:36:33 EDT

Attachments:
proposed fix (4.23 KB, patch), 2009-06-17 16:29 EDT, Andrew Wnuk

Description Ade Lee 2009-06-16 12:21:41 EDT
Description of problem:
Revoking a user certificate from the RA fails due to recent nonces changes.
Setting ca.enableNonces=false on the CA allows the revocation to complete successfully.

In the CA log, we see the following:

[15/Jun/2009:23:27:22][http-9443-Processor24]: according to ccMode, authorization for servlet: caDoRevoke is LDAP based, not XML {1}, use default authz mgr: {2}.
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet:service() uri = /ca/agent/ca/doRevoke
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='revocationReason' value='6'
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='xml' value='true'
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='totalRecordCount' value='1'
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='revokeAll' value='(certRecordId=0x10)'
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='op' value='revoke'
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet: caDoRevoke start to service.
[15/Jun/2009:23:27:22][http-9443-Processor24]: IP:
[15/Jun/2009:23:27:22][http-9443-Processor24]: AuthMgrName: certUserDBAuthMgr
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet: retrieving SSL certificate
[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet: certUID=CN=RA Subsystem Certificate,OU=pki-ra,O=oliver 0616 domain
[15/Jun/2009:23:27:22][http-9443-Processor24]: CertUserDBAuth: started
[15/Jun/2009:23:27:22][http-9443-Processor24]: CertUserDBAuth: Retrieving client certificate
[15/Jun/2009:23:27:22][http-9443-Processor24]: CertUserDBAuth: Got client certificate
[15/Jun/2009:23:27:22][http-9443-Processor24]: Authentication: client certificate found
[15/Jun/2009:23:27:22][http-9443-Processor24]: getConn: mNumConns now 2
[15/Jun/2009:23:27:23][http-9443-Processor24]: returnConn: mNumConns now 3
[15/Jun/2009:23:27:23][http-9443-Processor24]: Authentication: mapped certificate to user
[15/Jun/2009:23:27:23][http-9443-Processor24]: authenticated uid=RA-oliver.dsdev.sjc.redhat.com-12889,ou=People,dc=oliver.dsdev.sjc.redhat.com-pki-ca
[15/Jun/2009:23:27:23][http-9443-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=RA-oliver.dsdev.sjc.redhat.com-12889][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success

[15/Jun/2009:23:27:23][http-9443-Processor24]: DoRevoke:  Missing nonce
[15/Jun/2009:23:27:23][http-9443-Processor24]: DoRevoke:  nonceVerified=false

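
Added example (not part of the original report and not Dogtag code): a triage script for CA debug log excerpts like the one above. It tracks requests per worker thread and reports those that passed certificate authentication but ended with nonceVerified=false, which is the pattern this bug produces. The function name find_nonce_rejections, the Processor25 lines and the /example/other URI are assumptions made for the sample.

```python
import re

# Debug log line layout used in the report: [timestamp][thread]: message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]:\s*(.*)$")
URI_RE = re.compile(r"CMSServlet:service\(\) uri = (\S+)")
SUBJECT_RE = re.compile(r"\[AuditEvent=AUTH_SUCCESS\]\[SubjectID=([^\]]+)\]")

def find_nonce_rejections(lines):
    """Return one record per request whose nonce check failed, tracked per thread."""
    open_requests = {}  # thread name -> request currently served by that thread
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug log line
        ts, thread, msg = m.groups()
        uri = URI_RE.search(msg)
        if uri:  # a new request starts on this thread
            open_requests[thread] = {"time": ts, "thread": thread, "uri": uri.group(1),
                                     "subject": None, "nonce_missing": False}
            continue
        req = open_requests.get(thread)
        if req is None:
            continue
        subject = SUBJECT_RE.search(msg)
        if subject:
            req["subject"] = subject.group(1)  # client certificate mapped to a user
        elif "Missing nonce" in msg:
            req["nonce_missing"] = True
        elif "nonceVerified=false" in msg:
            findings.append(open_requests.pop(thread))
    return findings

# Constructed sample: Processor24 lines are taken from the excerpt above;
# the Processor25 request (URI and subject) is made up to show interleaving.
T24 = "[15/Jun/2009:23:27:23][http-9443-Processor24]: "
T25 = "[15/Jun/2009:23:27:23][http-9443-Processor25]: "
AUTH = "SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=%s][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success"
SAMPLE = [
    "[15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet:service() uri = /ca/agent/ca/doRevoke",
    T25 + "CMSServlet:service() uri = /example/other",
    T24 + AUTH % "RA-oliver.dsdev.sjc.redhat.com-12889",
    T25 + AUTH % "example-agent",
    T24 + "DoRevoke:  Missing nonce",
    T24 + "DoRevoke:  nonceVerified=false",
]

if __name__ == "__main__":
    print(find_nonce_rejections(SAMPLE))
```

A record with a subject set and nonce_missing true means the caller authenticated correctly and only the nonce was absent, so the client side of the exchange is what needs fixing.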
Comment 1 Andrew Wnuk 2009-06-17 16:29:41 EDT
Created attachment 348341
proposed fix
Comment 2 Matthew Harmsen 2009-06-17 16:33:42 EDT
attachment (id=348341) +mharmsen
Comment 3 Andrew Wnuk 2009-06-17 16:42:51 EDT
svn commit pki/dogtag/common/pki-common.spec                           
Sending        pki/dogtag/common/pki-common.spec
Transmitting file data .
Committed revision 623.

svn commit pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java                          
Sending        pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java
Transmitting file data .
Committed revision 624.
Comment 4 Kashyap Chamarthy 2009-06-21 11:27:09 EDT
Verified. Able to revoke certificates in RA successfully

with build(18-june-09)
[root@pkiserv ~]# rpm -qi pki-ra | grep -i build
Release     : 20.beta                       Build Date: Thu 18 Jun 2009 01:18:31 PM IST
Install Date: Thu 18 Jun 2009 08:15:11 PM IST      Build Host: heath.dsdev.sjc.redhat.com
