dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

CMC: cmc.popLinkWitnessRequired=false would cause error #2795

Closed pki-bot closed 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2675. Originally filed by mharmsen (@mharmsen) on 2017-05-04 00:42:52:

There appears to be a bug in parseCMC() where, if cmc.popLinkWitnessRequired=false is set in CS.cfg (which happens to be the default), an error would occur.

The workaround is to set cmc.popLinkWitnessRequired=true until a fix is available.

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-04 00:43:58

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-04 12:38:16

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-05 20:32:04

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-09 23:39:14

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-08-03 11:56:31

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-12 14:34:55

Need to reopen this bug.

While the cmc.popLinkWitnessRequired param in CS.cfg is working as expected, when it is true it is impossible to do encryptedPOP, because there is no POP to start with and the request would therefore be rejected. Changing this value and restarting the server is not a reasonable option for most deployment sites.

We should add a caveat to the cmc.popLinkWitnessRequired logic so that encryptedPOP is allowed.

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-12 14:34:55

Metadata Update from @cfu:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-01-16 12:41:31

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-16 22:03:48

patch for review: https://review.gerrithub.io/#/c/395013/

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-17 17:45:49

commit c52c51c6516cd39caec52441d0756b1756050ae3 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu@redhat.com>
Date:   Tue Jan 16 18:15:21 2018 -0800

Ticket 2675 additional fix to allow requests without POP

This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-17 17:45:49

Metadata Update from @cfu:

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-19 17:36:12

The previous fix did not take PKCS10 into account. Need to address that.

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-19 17:36:13

Metadata Update from @cfu:

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-19 18:17:19

https://review.gerrithub.io/#/c/395574/

commit 91c6c781e5e2c26b77619e6f4c08dc5d77bb5adf (HEAD -> master, origin/master, origin/HEAD, pop)
Author: Christina Fu <cfu@redhat.com>
Date:   Fri Jan 19 14:45:17 2018 -0800

Ticket 2675 take care of PKCS10 for cmc.popLinkWitnessRequired

This patch adds support to handle PKCS10 which was neglected in previous
"additional" fix.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2018-01-19 18:17:19

Metadata Update from @cfu: