Description of problem:

[i386.b root@dhcp-119 ~] ipa-getcert request -d /etc/pki/nssdb -n GetcertTest-request_1012-16614 -t NoSuchToken
New signing request "20110415165513" added.

when the token "NoSuchToken" does not exist in system

[i386.a root@dhcp-118 /etc/pki/nssdb] modutil -dbdir . -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

Version-Release number of selected component (if applicable):

[i386.a root@dhcp-118 /etc/pki/nssdb] rpm -qa | grep certmonger
certmonger-0.42-1.20110413T1643z.el6.i686
You have new mail in /var/spool/mail/root
[i386.a root@dhcp-118 /etc/pki/nssdb] rpm -qa | grep ipa-client
ipa-client-2.0.0-20.20110413T1714zgit9cac1d8.el6.i686

How reproducible:

Steps to Reproduce:
1. install ipa-client
2. send cert request via ipa-getcert request as following:

[i386.a root@dhcp-118 /etc/pki/nssdb] rpm -qa | grep certmonger
certmonger-0.42-1.20110413T1643z.el6.i686
You have new mail in /var/spool/mail/root
[i386.a root@dhcp-118 /etc/pki/nssdb] rpm -qa | grep ipa-client
ipa-client-2.0.0-20.20110413T1714zgit9cac1d8.el6.i686

Actual results:
request success

Expected results:
request should fail: cert request should not be sent to server, it should fail locally.

Additional info:
What's the output from 'ipa-getcert list' after this? I'd expect the daemon to start working the request and then get stalled on it once it tries to locate the token.
[x86_64.b root@dhcp-122 ~] ipa-getcert request -d /etc/pki/nssdb -n GetCertTest-request-001 "201107180001" NoSuchToken
New signing request "20110719172835" added.

=========== and cert list is below: ============================================

[x86_64.b root@dhcp-122 ~] ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20110714171343':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SJC-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SJC-REDHAT-COM//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-SJC-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
	subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
	expires: 2012-01-10 17:13:42 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110714171410':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
	subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
	expires: 2012-01-10 17:14:10 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110714171432':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
	subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
	expires: 2012-01-10 17:14:31 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110719172835':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='GetCertTest-request-001',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='GetCertTest-request-001',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
	subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
	expires: 2012-01-15 17:28:38 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes

================= end of cert list =============

the newly added cert in my new test is the very last one.

Additional information: here is the command I used to create such cert:

[x86_64.b root@dhcp-122 ~] ipa-getcert request -d /etc/pki/nssdb -n GetCertTest-request-001 "201107180001" NoSuchToken
New signing request "20110719172835" added.     <=== system response

[x86_64.b root@dhcp-122 /etc/pki/nssdb] modutil -dbdir . -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
continuing the last post, here is the test environment information:

[x86_64.b root@dhcp-122 /etc/pki/nssdb] rpm -qa | grep ipa-server
ipa-server-2.0.99-3.20110714T0516zgita746c61.el6.x86_64
ipa-server-selinux-2.0.99-3.20110714T0516zgita746c61.el6.x86_64
[x86_64.b root@dhcp-122 /etc/pki/nssdb] rpm -qa | grep ipa-client
ipa-client-2.0.99-3.20110714T0516zgita746c61.el6.x86_64
[x86_64.b root@dhcp-122 /etc/pki/nssdb] rpm -qa | grep certmonger
certmonger-0.42-1.20110512T0414z.el6.x86_64
[x86_64.b root@dhcp-122 /etc/pki/nssdb]
You're not using the -t flag when specifying the token name in comment #3. Snapshots dated 2011-07-19 18:17 UTC and later should start printing an error when this is done.
Verified.

RHEL Version:
=============
[root@dhcp201-220 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)

Certmonger Version:
==================
[root@dhcp201-220 ~]# rpm -q certmonger
certmonger-0.48-1.el6.x86_64
[root@dhcp201-220 ~]#

Steps used to verify:
=====================

(1) Install certmonger and nss-tools

[root@dhcp201-220 kaleem]# yum install certmonger -y
Loaded plugins: product-id, subscription-manager
Installed products updated.
Installed:
  certmonger.x86_64 0:0.48-1.el6

(2) Start certmonger service (make sure Dbus service is running)

[root@dhcp201-220 ~]# service certmonger start
Starting certmonger:                                       [  OK  ]
[root@dhcp201-220 ~]#

(3) Make a temp directory and change it into NSS db. Also change selinux context so that key-pairs can be generated.

[root@dhcp201-220 ~]# mkdir /tmp/kaleem
[root@dhcp201-220 ~]# chcon -t cert_t /tmp/kaleem/
[root@dhcp201-220 ~]# ls -lZ /tmp/ |grep kaleem
drwxr-xr-x. root root unconfined_u:object_r:cert_t:s0  kaleem
[root@dhcp201-220 ~]# certutil -N -d /tmp/kaleem/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root@dhcp201-220 ~]#

(5) Now try to generate a certificate in this NSS db on providing an incorrect token name and check the cert request status

[root@dhcp201-220 ~]# getcert request -d /tmp/kaleem/ -n Test -t "Fake Token"
New signing request "20111003062129" added.
[root@dhcp201-220 ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20111003062129':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN
	stuck: yes
	key pair storage: type=NSSDB,location='/tmp/kaleem',nickname='Test',token='Fake Token'
	certificate: type=NSSDB,location='/tmp/kaleem',nickname='Test',token='Fake Token'
	issuer:
	subject:
	expires: unknown
	track: yes
	auto-renew: yes
[root@dhcp201-220 ~]#

Here cert status is "NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN"

Result:
======
So now on providing a non-existing token name, cert status is "NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN" instead of "MONITORING".
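The two checks an operator would want around the behaviour verified above, as an added example that is not part of the bug report and not certmonger's own code: a pre-flight test that the token named with -t actually exists in the NSS database's module listing (so a typo fails locally, as the reporter expected, instead of being enqueued), and a parser that pulls the stuck requests out of 'getcert list' output so a request that did get stuck on an unknown token is noticed. Both inputs are constructed samples shaped like the 'modutil -dbdir . -list' and 'getcert list' output quoted in the comments above; on a real host they would be replaced by the live command output, which is an assumption of this script.

```bash
#!/bin/sh
# Added example (not from the bug report or from certmonger). Works on
# constructed samples of 'modutil -list' and 'getcert list' output so it
# runs offline; feed it the real command output to use it on a host.

# Constructed sample of 'modutil -dbdir /etc/pki/nssdb -list' output.
MODUTIL_SAMPLE='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------'

# Constructed sample of 'getcert list' output: one healthy request and one
# stuck on a token name that no loaded module provides.
GETCERT_SAMPLE="Number of certificates and requests being tracked: 2.
Request ID '20110714171432':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
Request ID '20111003062129':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/tmp/kaleem',nickname='Test',token='Fake Token'"

# token_exists LISTING TOKEN
# Exit 0 when TOKEN is one of the 'token:' names in a modutil listing,
# 1 otherwise. Run this before 'getcert request -t TOKEN' so that a
# misspelt token name fails locally instead of being enqueued.
token_exists() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*token:[[:space:]]*//p' \
        | grep -Fxq -- "$2"
}

# stuck_requests LISTING
# Print "REQUEST_ID STATUS TOKEN" for every request in 'getcert list'
# output whose 'stuck:' field is yes. The token name is cut out of the
# key pair storage line; q carries the single quote into awk.
stuck_requests() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^Request ID/ { gsub(/[^0-9]/, "", $3); id = $3; status = ""; stuck = "" }
        /^[[:space:]]*status:/ { status = $2 }
        /^[[:space:]]*stuck:/  { stuck = $2 }
        /^[[:space:]]*key pair storage:/ && stuck == "yes" {
            i = index($0, "token=" q)
            tok = substr($0, i + 7)
            tok = substr(tok, 1, index(tok, q) - 1)
            print id, status, tok
        }'
}

# Stand-alone demonstration on the constructed samples.
for name in "NSS Certificate DB" "NoSuchToken"; do
    if token_exists "$MODUTIL_SAMPLE" "$name"; then
        echo "token '$name': present, request may proceed"
    else
        echo "token '$name': not provided by any loaded module, refusing request"
    fi
done
echo "stuck requests:"
stuck_requests "$GETCERT_SAMPLE"
```

On a host the listing arguments would be `"$(modutil -dbdir "$DBDIR" -list)"` and `"$(getcert list)"`; the stuck-request output is the line a monitoring job would alert on, since the comments above show that certmonger keeps a request with an unknown token tracked rather than discarding it.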
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1708.html