Description:

When the NSS database password is null and a non-existent pin file is passed to the '-p' option, certmonger successfully accesses the NSS db (with an empty password) to generate a CSR.

Notes from Nalin:
-----------------
When certmonger can't read the PIN, it appears to be falling through and trying to access the database with an empty password (successfully), but any attempts to access when we don't know the PIN can be a problem if we're interfacing with a hardware token, where enough failed login attempts can cause the token to self-destruct.

Steps to reproduce and actual result:
############################################
When the NSS database password is null and an invalid password file is provided, with the certmonger debug level set to 1:

(a) Creating the NSS database with a null password

[root@jupiter test1]# certutil -N -d /tmp/kaleem/test1/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root@jupiter test1]#

(b) Generating the certificate

[root@jupiter test1]# ipa-getcert request -d /tmp/kaleem/test1/ -n test1 -r -p /tmp/kaleem/test1/passwordfile
New signing request "20110314105455" added.
[root@jupiter test1]#

(c) Certmonger's debug output

[root@jupiter ~]# certmonger -S -d 1
2011-03-14 16:24:55 [4530] Error locating key.
2011-03-14 16:24:55 [4531] Error reading PIN from "/tmp/kaleem/test1/passwordfile": No such file or directory.
2011-03-14 16:24:55 [4531] Key storage slot still needs user PIN to be set.
2011-03-14 16:24:55 [4531] Error locating certificate.
2011-03-14 16:24:55 [4532] Error locating key.
2011-03-14 16:24:55 [4533] Error reading PIN from "/tmp/kaleem/test1/passwordfile": No such file or directory.
2011-03-14 16:24:55 [4533] Key storage slot still needs user PIN to be set.
2011-03-14 16:24:55 [4533] Error locating certificate.
2011-03-14 16:24:57 [4520] Certificate submission still ongoing.
2011-03-14 16:24:57 [4520] Certificate submission attempt complete.
2011-03-14 16:24:57 [4520] Child status = 0.
2011-03-14 16:24:57 [4520] Child output:
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
2011-03-14 16:24:57 [4520] Certificate issued.
2011-03-14 16:24:57 [4540] Token is named "NSS Generic Crypto Services", not "(null)".

(d) Output of the 'ipa-getcert list' command

[root@jupiter requests]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110314105455':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/tmp/kaleem/test1',nickname=test1,pinfile=/tmp/kaleem/test1/passwordfile
	certificate: type=NSSDB,location='/tmp/kaleem/test1',nickname=test1,token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
	subject: CN=jupiter.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
	expires: 20110910105457
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
[root@jupiter requests]#
##########################################################################
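Added here as a check a defender can run over the `ipa-getcert list` output shown above (example code, not certmonger's own): it parses the `key pair storage:` line of each tracked request and reports every pinfile path that is missing or unreadable, which is exactly the condition under which the unfixed certmonger fell through to an empty PIN. The listing format is assumed from this report; the sample listing and the PIN file it references are constructed.

```python
import os
import re
import tempfile

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
STORAGE_RE = re.compile(r"^\s*key pair storage:\s*(.*)$")


def parse_requests(listing):
    """Map request id -> key-pair storage fields from `ipa-getcert list` text."""
    requests, current = {}, None
    for line in listing.splitlines():
        if m := REQUEST_RE.match(line):
            current = requests.setdefault(m.group(1), {})
        elif current is not None and (m := STORAGE_RE.match(line)):
            # Comma-separated key=value fields; only 'location' is quoted.
            for field in m.group(1).split(","):
                key, _, value = field.partition("=")
                current[key.strip()] = value.strip().strip("'")
    return requests


def unreadable_pinfiles(listing):
    """Return [(request id, pinfile, reason)] for pinfiles certmonger cannot read."""
    findings = []
    for req_id, storage in parse_requests(listing).items():
        pinfile = storage.get("pinfile")
        if not pinfile:
            continue  # no PIN file configured for this request
        if not os.path.isfile(pinfile):
            findings.append((req_id, pinfile, "missing"))
        elif not os.access(pinfile, os.R_OK):
            findings.append((req_id, pinfile, "not readable"))
    return findings


def constructed_listing():
    """Constructed sample in the report's format: one readable pinfile, one missing."""
    pin_dir = tempfile.mkdtemp()
    good = os.path.join(pin_dir, "good.pin")
    with open(good, "w") as fh:
        fh.write("constructed-pin\n")  # constructed sample value, not a real secret
    missing = os.path.join(pin_dir, "passwordfile.txt")  # deliberately never created
    listing = (
        "Number of certificates and requests being tracked: 2.\n"
        "Request ID '20110330024526':\n\tstatus: NEWLY_ADDED_NEED_KEYI_READ_PIN\n\tstuck: yes\n"
        f"\tkey pair storage: type=NSSDB,location='{pin_dir}',nickname=test,pinfile={missing}\n"
        "Request ID '20110314105455':\n\tstatus: MONITORING\n\tstuck: no\n"
        f"\tkey pair storage: type=NSSDB,location='{pin_dir}',nickname=test1,pinfile={good}\n"
    )
    return listing, good, missing
```

Feed `unreadable_pinfiles()` the captured output of `ipa-getcert list` on a host to list the requests whose PIN cannot actually be read before certmonger tries to use them.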
Verified.

RHEL Version:
[root@tiger ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.1 Beta (Santiago)

Certmonger Version:
[root@tiger ~]# rpm -qai certmonger |head
Name        : certmonger                   Relocations: (not relocatable)
Version     : 0.40                         Vendor: Red Hat, Inc.
Release     : 1.el6                        Build Date: Tue 29 Mar 2011 02:58:11 AM IST
Install Date: Wed 30 Mar 2011 07:36:13 AM IST   Build Host: x86-008.build.bos.redhat.com
Group       : System Environment/Daemons   Source RPM: certmonger-0.40-1.el6.src.rpm
Size        : 867380                       License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://certmonger.fedorahosted.org
Summary     : Certificate status monitor and PKI enrollment client
[root@tiger ~]#

Steps used to verify:

(1) Install certmonger

(2) Start the certmonger service
[root@tiger ~]# service certmonger start
Starting certmonger:                                       [  OK  ]

(3) Issue a certificate request with a non-existent NSS database password file (-p switch) and check its status
[root@tiger ~]# ipa-getcert request -d /tmp/kaleem/ -n test -p /tmp/kaleem/passwordfile.txt
New signing request "20110330024526" added.
[root@tiger ~]# ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20110330024526':
	status: NEWLY_ADDED_NEED_KEYI_READ_PIN
	stuck: yes
	key pair storage: type=NSSDB,location='/tmp/kaleem',nickname=test,pinfile=/tmp/kaleem/passwordfile.txt
	certificate: type=NSSDB,location='/tmp/kaleem',nickname=test
	CA: IPA
	issuer:
	subject:
	expires: unknown
	track: yes
	auto-renew: yes
[root@tiger ~]#

The certificate has not been generated.

(4) Look at /var/log/messages for the error message regarding the non-existent password file.
[root@tiger ~]# tail -5 /var/log/messages
Mar 30 08:15:26 tiger certmonger: Error reading PIN from "/tmp/kaleem/passwordfile.txt": No such file or directory.
Mar 30 08:15:26 tiger certmonger: Error reading PIN from "/tmp/kaleem/passwordfile.txt": No such file or directory.
[root@tiger ~]#

Results:
The certificate is not generated and an error message regarding the non-existent password file is provided in /var/log/messages.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The certmonger service accepted a non-existent PIN (Personal Identification Number) file for the NSS (Network Security Services) database if the user ran the ipa-getcert request command with the -p option. This occurred because certmonger failed to detect reading errors in the file with the PIN and proceeded with an empty PIN value. With this update, such reading errors are logged and certmonger proceeds as if it had read an empty PIN value.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0570.html