Bug 692766 - Certmonger generates certificate on providing incorrect NSS database PIN
Summary: Certmonger generates certificate on providing incorrect NSS database PIN
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: certmonger
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-04-01 05:11 UTC by Kaleem
Modified: 2011-12-06 17:37 UTC (History)

Fixed In Version: certmonger-0.46-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 17:37:21 UTC
Target Upstream Version:




Links
Red Hat Product Errata RHBA-2011:1708 (priority: normal, status: SHIPPED_LIVE): certmonger bug fix update, last updated 2011-12-06 01:02:28 UTC

Description Kaleem 2011-04-01 05:11:24 UTC
Description of problem:
Certmonger generates certificate on providing incorrect NSS database PIN.
In this scenario, NSS database PIN is null.


Version-Release number of selected component (if applicable):



How reproducible:
Try to issue a certificate by providing incorrect PIN.

Steps to Reproduce:
1. Install certmonger

[root@mars ~]# yum install certmonger
--> Running transaction check
---> Package certmonger.x86_64 0:0.40-1.el6 will be installed
--> Processing Dependency: libtevent.so.0()(64bit) for package: certmonger-0.40-1.el6.x86_64
--> Running transaction check
---> Package libtevent.x86_64 0:0.9.8-8.el6 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
Installing:
 certmonger    x86_64    0.40-1.el6     rhel6    190 k
Installing for dependencies:
 libtevent     x86_64    0.9.8-8.el6    rhel6     18 k
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libtevent-0.9.8-8.el6.x86_64     1/2
  Installing : certmonger-0.40-1.el6.x86_64     2/2
duration: 60(ms)
Installed products updated.
Installed:
  certmonger.x86_64 0:0.40-1.el6
Dependency Installed:
  libtevent.x86_64 0:0.9.8-8.el6
Complete!
[root@mars ~]#

2. Start the certmonger service

[root@mars ~]# service certmonger start
Starting certmonger:                                       [  OK  ]
[root@mars ~]#

3. Create a temp directory and change its SELinux security context to type cert_t.

[root@mars ~]# mkdir /tmp/kaleem
[root@mars ~]# chcon -t cert_t /tmp/kaleem/
[root@mars ~]#

4. Now issue a certificate request with an incorrect NSS database PIN

[root@mars ~]# getcert request -d /tmp/kaleem/ -n test -c SelfSign -P "incorrect"
New signing request "20110331233234" added.

[root@mars ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110331233234':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/tmp/kaleem',nickname=test,pin=incorrect
	certificate: type=NSSDB,location='/tmp/kaleem',nickname=test,token='NSS Certificate DB'
	CA: SelfSign
	issuer: CN=mars.lab.eng.pnq.redhat.com
	subject: CN=mars.lab.eng.pnq.redhat.com
	expires: 20120331233234
	dns: mars.lab.eng.pnq.redhat.com
	principal name: host/mars.lab.eng.pnq.redhat.com
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
[root@mars ~]#
Actual results:
Certificate is generated and monitored by certmonger.

Expected results:
Certmonger should throw an alert message that NSS database PIN is incorrect.

Comment 5 Kaleem 2011-09-22 09:08:25 UTC
Verified.

RHEL Version:
=============
[root@dhcp201-220 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)

Certmonger Version:
==================
[root@dhcp201-220 ~]# rpm -q certmonger 
certmonger-0.46-1.el6.x86_64

Steps used to verify:
=====================
(1)Install certmonger and nss-tools

[root@dhcp201-220 ~]# yum install certmonger nss-tools
Loaded plugins: product-id, subscription-manager
Updating certificate-based repositories.
Installed products updated.
.
.
.
Installed:
  certmonger.x86_64 0:0.46-1.el6                                              nss-tools.x86_64 0:3.12.10-10.el6                                             
Complete!
[root@dhcp201-220 ~]#

(2)Start certmonger service (Make sure Dbus service is running)

[root@dhcp201-220 ~]# service certmonger start
Starting certmonger:                                       [  OK  ]

(3) Make a temp directory and turn it into an NSS db. Also change the SELinux context so that key pairs can be generated.
[root@dhcp201-220 ~]# mkdir /tmp/kaleem

[root@dhcp201-220 ~]# chcon -t cert_t /tmp/kaleem/

[root@dhcp201-220 ~]# ls -lZ /tmp/ |grep kaleem
drwxr-xr-x. root root unconfined_u:object_r:cert_t:s0  kaleem

[root@dhcp201-220 ~]# certutil -W -d /tmp/kaleem/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
[root@dhcp201-220 ~]#

NOTE: Here the NSS db password is null.

(4) Now try to generate a certificate in this NSS db on providing an incorrect NSS db PIN.

[root@dhcp201-220 ~]# getcert request -d /tmp/kaleem/ -n test -c SelfSign -P "incorrect"
New signing request "20110922091755" added.

(5)Now see the certificate request status

[root@dhcp201-220 ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110922091755':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=NSSDB,location='/tmp/kaleem',nickname='test',pin='incorrect'
	certificate: type=NSSDB,location='/tmp/kaleem',nickname='test'
	CA: SelfSign
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes
[root@dhcp201-220 ~]#


Result:
======
Now the certificate request status is "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" instead of "MONITORING" on providing an incorrect NSS db PIN.

Status changes to "MONITORING" on providing correct PIN with "getcert resubmit".
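The two `getcert list` transcripts in this report are the whole check: before the fix a bad PIN produced a MONITORING entry with a freshly issued certificate, after it the request sits stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN until a correct PIN is supplied. The following shell snippet is an added example, not code from the bug report or from certmonger: it parses `getcert list` output and reports (a) requests certmonger has marked stuck, with their status, and (b) requests whose PIN was passed inline with `-P`, which this certmonger release stores in the tracking entry and prints verbatim, as the `pin='incorrect'` line above shows. The sample output it runs on is constructed for the example; the second request ID `20110922091800`, the nickname `web` and the `/etc/pki/nssdb` location are assumptions, not taken from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of certmonger. Parses the text
# that `getcert list` prints and flags two things a practitioner cares about:
#   - requests certmonger has marked "stuck: yes" (e.g. a wrong NSS DB PIN
#     leaves the request in NEWLY_ADDED_NEED_KEYINFO_READ_PIN from 0.46 on)
#   - requests whose key pair storage line carries the PIN inline (pin='...'),
#     i.e. it was supplied with `getcert request -P` rather than `-p PINFILE`.

# Constructed sample of `getcert list` output, modelled on the report's
# transcripts. The second request (ID, nickname, location) is invented.
# Real output indents the fields with a tab; the parsers below accept either
# tabs or spaces.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20110922091755':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/tmp/kaleem',nickname='test',pin='incorrect'
    certificate: type=NSSDB,location='/tmp/kaleem',nickname='test'
    CA: SelfSign
    issuer: 
    subject: 
    expires: unknown
    track: yes
    auto-renew: yes
Request ID '20110922091800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='web',pinfile='/etc/pki/nssdb/pin.txt'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='web'
    CA: SelfSign
    track: yes
    auto-renew: yes
EOF
}

# Reads `getcert list` output on stdin; prints "<request id> <status>" for each
# request whose "stuck:" field is "yes". One line per stuck request.
stuck_requests() {
    awk -v q="'" '
        function flush() { if (id != "" && stuck == "yes") print id, status }
        # "Request ID '"'"'<id>'"'"':" starts a new record: flush the previous one
        /^Request ID/ { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); status = ""; stuck = "" }
        $1 == "status:" { status = $2 }
        $1 == "stuck:"  { stuck = $2 }
        END { flush() }
    '
}

# Reads `getcert list` output on stdin; prints the request id of every entry
# whose key pair storage line embeds the PIN value (",pin=") instead of
# referencing a pin file (",pinfile=").
inline_pins() {
    awk -v q="'" '
        /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[ \t]*key pair storage:/ && /,pin=/ { print id }
    '
}

# Stand-alone demonstration on the constructed sample. On a host running
# certmonger, pipe the real thing in: `getcert list | stuck_requests`.
echo "stuck requests:"
sample_getcert_list | stuck_requests
echo "requests with the PIN stored inline:"
sample_getcert_list | inline_pins
```

A stuck NEWLY_ADDED_NEED_KEYINFO_READ_PIN entry is the signal to correct the PIN and run `getcert resubmit -i <request id>`, as in the verification above; nothing in the NSS database has been touched at that point. When the PIN is needed at all, prefer `getcert request -p PINFILE` over `-P PIN`: with `-P` the value lands in certmonger's tracking entry and, in this release, in the `getcert list` output itself, whereas a pin file carries its own filesystem permissions. Note also that the database in the report had an empty password, which is why an arbitrary wrong PIN could be accepted silently until certmonger began checking it; an empty NSS database password leaves the private keys readable by anyone who can read the directory.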

Comment 6 errata-xmlrpc 2011-12-06 17:37:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1708.html

