Closed (SilleBille closed this issue 4 years ago)
Posted by msauton on 2019-05-14:
bz 1710094 - agent cert not from local CA, LDAP error 32, but can issue cert while revoke fails PKIException: Record not found and HTTP 500 error https://bugzilla.redhat.com/show_bug.cgi?id=1710094
This issue was migrated from Pagure Issue #3101. Originally filed by msauton on 2019-05-14.
This is a "corner case" and was not designed for this use case, but there is a need for more validity checks on the agent's LDAP certificate record during authorization for various operations. Example with inconsistent issuance and revocation:
Scenario:
2 CA instances in same security domain, "rootca1" and "subca1"
the 2 CAs have different issued serial numbers/ranges, so that "rootca1" has fewer LDAP certificate records than "subca1"
an agent certificate is issued by "subca1", user called subca1agentuser1:
tail /var/log/pki/subca1/ca/transactions
0.http-bio-8443-exec-3 - [28/Apr/2019:18:04:20 UTC] [20] [1] enrollment reqID 1030 fromAgent userID: caadmin authenticated by certUserDBAuthMgr is completed DN requested: UID=subca1useragent1 cert issued serial number: 0x402 time: 63
the agent user called subca1agentuser1 is added and trusted in rootca1:
export nssdir=~/.dogtag/rootca1
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n "PKI Administrator for example.test" ca-user-add subca1agentuser1 --fullName "subca1 Agent User 1"
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n "PKI Administrator for example.test" ca-group-member-add "Certificate Manager Agents" subca1agentuser1
pki -U https://ca1.example.test:7443/ca -n caadmin -c password ca-user-cert-add subca1agentuser1 --input /home/subca1useragent1/subca1useragent1.0x402.crt
check, there is a "subca1agentuser1" user entry in "rootca1":
ldapsearch -LLLx -D "cn=directory manager" -w password -b uid=subca1agentuser1,ou=People,o=rootca1-CA
dn: uid=subca1agentuser1,ou=people,o=rootca1-CA
...
userCertificate:: MIIDazCCAlOgAwIBAgICBAIwDQYJKoZIhvcNAQELBQAwRDEUMBIGA1UECgwL ...
check, "expected" non-existent LDAP entry in "rootca1", for the corner case to test:
ldapsearch -LLLx -D "cn=directory manager" -w password -b "cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA"
No such object (32)
Matched DN: ou=certificateRepository,ou=ca,o=rootca1-CA
test 1 on rootca1 - agent subca1agentuser1 successfully issues a user certificate
note the LDAP error 32 / no such object during authorization, on the entry cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA and the continuing issuance process.
details, see attachment "test1"
the error message "PKIException: Record not found" is confusing because it does not apply to the certificate I tried to revoke; it seems to apply to the agent cert LDAP record, cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA, which does not exist on "rootca1" in this scenario.
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n subca1useragent1 ca-cert-hold 0xc
Placing certificate on-hold:
  Serial Number: 0xc
  Subject DN: UID=rootca1user1
  Issuer DN: CN=CA Signing Certificate,OU=rootca1,O=Root CA Example Corp 7
  Status: VALID
  Not Valid Before: Sun Apr 28 18:39:26 UTC 2019
  Not Valid After: Fri Oct 25 18:39:26 UTC 2019
Are you sure (Y/N)? y
PKIException: Record not found
==> /var/log/pki/rootca1/localhost_access_log.2019-04-28.txt <==
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:41 +0000] "GET /ca/rest/account/login HTTP/1.1" 200 203
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:41 +0000] "GET /ca/rest/agent/certs/12 HTTP/1.1" 200 9450
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:45 +0000] "POST /ca/rest/agent/certs/12/revoke HTTP/1.1" 500 209
details, see attachment "test2"
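The report asks for the agent's LDAP certificate record to be validated during authorization, so that enrollment and revocation cannot disagree about whether the agent is acceptable, and so that a "record not found" error names the agent record rather than looking like a statement about the target certificate. The following is an added example written for this page, not code from the report or from Dogtag PKI: a simplified model of such a check in which the agent's certificate must be issued by the local CA, must have a `cn=<serial>,ou=certificateRepository` record, and that record must be `VALID`, before any agent operation proceeds. All DNs, serials, user names and the in-memory "repository" are constructed for illustration; the `rootca1agent1` and `orphanagent` users and the exact message texts are assumptions of the example.

```python
"""Added example, not Dogtag PKI code: validate an agent's certificate record
consistently before authorizing *any* agent operation.  Every record, DN and
name below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    subject_dn: str
    issuer_dn: str


class AgentCertError(Exception):
    """The agent's own certificate failed validation.  The message names the
    agent record, so it cannot be mistaken for a problem with the target."""


# Constructed stand-in for the local CA ("rootca1") and a sub CA ("subca1").
LOCAL_ISSUER_DN = "CN=CA Signing Certificate,OU=rootca1,O=Root CA Example Corp 7"
SUB_ISSUER_DN = "CN=CA Signing Certificate,OU=subca1,O=Sub CA Example Corp"

LOCAL_AGENT_CERT = Cert(0x7, "UID=rootca1agent1", LOCAL_ISSUER_DN)
FOREIGN_AGENT_CERT = Cert(0x402, "UID=subca1useragent1", SUB_ISSUER_DN)
ORPHAN_AGENT_CERT = Cert(0x40C, "UID=orphanagent", LOCAL_ISSUER_DN)  # no repo entry

# serial -> (certificate, status): the cn=<serial>,ou=certificateRepository entries.
REPOSITORY = {
    0x7: (LOCAL_AGENT_CERT, "VALID"),
    0xC: (Cert(0xC, "UID=rootca1user1", LOCAL_ISSUER_DN), "VALID"),
}

# uid -> certificate bound to the user entry under ou=People.
USERS = {
    "rootca1agent1": LOCAL_AGENT_CERT,
    "subca1agentuser1": FOREIGN_AGENT_CERT,  # trusted user, but cert is not ours
    "orphanagent": ORPHAN_AGENT_CERT,        # local issuer, but record missing
}


def validate_agent_cert(user_id, users=USERS, repository=REPOSITORY,
                        local_issuer_dn=LOCAL_ISSUER_DN):
    """Return the agent's certificate if it was issued by this CA, has a
    repository record, and that record is VALID; otherwise raise."""
    cert = users.get(user_id)
    if cert is None:
        raise AgentCertError(f"no certificate bound to user {user_id}")
    if cert.issuer_dn != local_issuer_dn:
        raise AgentCertError(
            f"agent certificate 0x{cert.serial:x} for {user_id} was not issued "
            f"by this CA (issuer: {cert.issuer_dn})")
    entry = repository.get(cert.serial)
    if entry is None:
        # The condition behind the LDAP error 32 in the report: the agent's
        # serial has no cn=<serial>,ou=certificateRepository entry here.
        raise AgentCertError(
            f"agent certificate record cn={cert.serial},ou=certificateRepository "
            f"not found for {user_id}")
    status = entry[1]
    if status != "VALID":
        raise AgentCertError(
            f"agent certificate 0x{cert.serial:x} for {user_id} is {status}")
    return cert


def authorize(user_id, operation, target_serial=None, repository=REPOSITORY):
    """Run the same agent check for every operation, then look up the target.
    Returns (ok, message); agent problems and target problems are worded
    differently so "not found" is never ambiguous."""
    try:
        cert = validate_agent_cert(user_id, repository=repository)
    except AgentCertError as err:
        return False, f"agent rejected: {err}"
    if operation in ("revoke", "hold"):
        if target_serial is None or target_serial not in repository:
            return False, f"target certificate {target_serial} not found"
    return True, (f"{operation} authorized for {user_id} "
                  f"(agent cert 0x{cert.serial:x})")


if __name__ == "__main__":
    for case in [("subca1agentuser1", "enroll", None),
                 ("subca1agentuser1", "hold", 0xC),
                 ("orphanagent", "enroll", None),
                 ("rootca1agent1", "hold", 0xC),
                 ("rootca1agent1", "revoke", 0x63)]:
        print(case, "->", authorize(*case))
```

With this shape, the `subca1agentuser1` agent is rejected for enrollment and for hold alike, with a message that points at its own certificate, instead of the report's outcome where enrollment succeeds and revocation fails with an unexplained "Record not found" and HTTP 500.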