dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Missing CN in user signing cert would cause error in cmc user-signed #2908

Closed pki-bot closed 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2788. Originally filed by mharmsen (@mharmsen) on 2017-08-03 18:55:11:

Missing CN in user signing cert would cause error in cmc user-signed case. If the certificate subject is missing "CN", the cmc user-signed case doesn't work.

Steps to Reproduce:

Use a certificate without CN and try to use it for signing in cmc user-signed

Actual results:

1. Certificate signing doesn't happen.
2. HttpClient output failed with an NPE.

Expected results:

Certificate should be generated with any valid subject DN

Additional info:

Test Result:
===========

[root@pki1 certs_db]# HttpClient user-signed/HttpClient-cmc-crmf.self.cfg

Total number of bytes read = 3425
after SSLSocket created, thread token is NSS FIPS 140-2 User Private Key
client cert is not null
handshake happened
writing to socket
Total number of bytes read = 234
PEhUTUw+CjxCT0RZIEJHQ09MT1I9d2hpdGU+CjxQPgpUaGUgQ2VydGlmaWNhdGUg
U3lzdGVtIGhhcyBlbmNvdW50ZXJlZCBhbiB1bnJlY292ZXJhYmxlIGVycm9yLgo8
UD4KRXJyb3IgTWVzc2FnZTo8QlI+CjxJPmphdmEubGFuZy5OdWxsUG9pbnRlckV4
Y2VwdGlvbjwvST4KPFA+ClBsZWFzZSBjb250YWN0IHlvdXIgbG9jYWwgYWRtaW5p
c3RyYXRvciBmb3IgYXNzaXN0YW5jZS4KPC9CT0RZPgo8L0hUTUw+Cg0K

The response in binary format is stored in user-signed/cmc.self.Resp

[root@pki1 certs_db]# cat user-signed/cmc.self.Resp
<HTML>
<BODY BGCOLOR=white>
<P>
The Certificate System has encountered an unrecoverable error.
<P>
Error Message:<BR>
<I>java.lang.NullPointerException</I>
<P>
Please contact your local administrator for assistance.
</BODY>
</HTML>

Configuration files:
===========

cmc.config:

[root@pki1 certs_db]# cat user-signed/cmc.self.cfg
#numRequests: Total number of PKCS10 requests or CRMF requests.
numRequests=1

#input: full path for the PKCS10 request or CRMF request,
#the content must be in Base-64 encoded format
#Multiple files are supported. They must be separated by space.
input=user-signed/pkcs10.req
#output: full path for the CMC request in binary format
output=user-signed/cmc.self.req
#tokenname: name of token where agent signing cert can be found (default is internal)
tokenname=internal
#request.selfSign=true
#nickname: nickname for agent certificate which will be used
#to sign the CMC full request.
nickname=pkipinmanager
#nickname=test13
#nickname=PKI CA Administrator
#nickname=revoke1
#dbdir: directory for cert8.db, key3.db and secmod.db
dbdir=/opt/rhqa_pki/certs_db/
#password: password for cert8.db which stores the agent
#certificate
password=SECret.123
#format: request format, either pkcs10 or crmf
format=pkcs10

#identityProofV2.enable: if true, then the request will contain
#this control. Otherwise, false.
#Note that if both identityProof and identityProofV2
#  are enabled, identityProofV2 takes precedence; Only one of them can be active at a time
#Supported hashAlg are:
# SHA-1, SHA-256, SHA-384, and SHA-512
#Supported macAlg are:
# SHA-1-HMAC, SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC
identityProofV2.enable=false
identityProofV2.hashAlg=SHA-512
identityProofV2.macAlg=SHA-512-HMAC

#identityProofV2.sharedSecret: Shared Secret
witness.sharedSecret=testing

popLinkWitnessV2.enable=true
popLinkWitnessV2.keyGenAlg=SHA-512
popLinkWitnessV2.macAlg=SHA-512-HMAC

request.privKeyId=-4649a706aa2b309d2f1d139e4e000eae612eb04e

#identification works with identityProofV2
identification.enable=true
identification=testuser

HttpClient config:

[root@pki1 certs_db]# cat user-signed/HttpClient-cmc-crmf.self.cfg
#host: host name for the http server
host=pki.example.com

#port: port number
port=25443

#secure: true for secure connection, false for nonsecure connection
#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command
secure=true

#input: full path for the enrollment request, the content must be in binary format
input=user-signed/cmc.self.req

#output: full path for the response in binary format
output=user-signed/cmc.self.Resp

#tokenname: name of token where SSL client authentication cert can be found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal
#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/opt/rhqa_pki/certs_db

#clientmode: true for client authentication, false for no client authentication
#This parameter will be ignored if secure=false
clientmode=true

#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=SECret.123

#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
nickname=pkipinmanager
#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitUserSignedCMCFull
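
The failure reported above is a CA-side authenticator dereferencing a CN that a perfectly valid subject DN may not carry. As an added example (not Dogtag's code, and not the fix that closed this ticket), the following standard-library Python parses an RFC 4514 subject DN string, looks up an attribute, and derives a user identity that falls back to the full canonical DN when CN is absent, so a CN-less signing certificate yields a usable identity instead of a null. The fallback policy and all function names are assumptions made here; RFC 2253 quoted ("...") values are not handled.

```python
"""Subject-DN handling that does not assume a CN is present (RFC 4514 string form).

Added example, not Dogtag's code. Parses a DN, looks up an attribute, and derives
an identity that falls back to the canonical full DN when CN is absent. Standard
library only; the fallback policy is an assumption made here, not the project's fix.
"""
from string import hexdigits
from typing import List, Optional, Tuple

RDN = List[Tuple[str, str]]   # one RDN: (type, value) pairs joined by '+'
_SPECIAL = set(',+"\\<>;')    # must be escaped inside a serialised value


def _escaped(s: str, idx: int) -> bool:
    """True if s[idx] is preceded by an odd number of backslashes."""
    n, j = 0, idx - 1
    while j >= 0 and s[j] == "\\":
        n, j = n + 1, j - 1
    return n % 2 == 1


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, skipping backslash-escaped characters."""
    parts, start, i = [], 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 2          # hex digits after '\' are never separators
            continue
        if s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    parts.append(s[start:])
    return parts


def _strip_unescaped(s: str) -> str:
    """Drop leading spaces and unescaped trailing spaces."""
    s = s.lstrip(" ")
    while s.endswith(" ") and not _escaped(s, len(s) - 1):
        s = s[:-1]
    return s


def _unescape(raw: str) -> str:
    """Resolve backslash escapes; \\XX pairs are raw UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out += raw[i].encode("utf-8")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("dangling backslash in DN")
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and all(c in hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out += raw[i + 1].encode("utf-8")
            i += 2
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into RDNs (leftmost first); malformed input raises ValueError."""
    if not dn.strip():
        raise ValueError("empty DN")
    rdns: List[RDN] = []
    for raw_rdn in _split_unescaped(dn, ","):
        rdn: RDN = []
        for raw_ava in _split_unescaped(raw_rdn, "+"):
            pieces = _split_unescaped(raw_ava, "=")   # value may contain unescaped '='
            if len(pieces) < 2:
                raise ValueError(f"attribute without '=': {raw_ava!r}")
            attr_type = _unescape(_strip_unescaped(pieces[0])).upper()
            if not attr_type:
                raise ValueError("empty attribute type in DN")
            rdn.append((attr_type, _unescape(_strip_unescaped("=".join(pieces[1:])))))
        rdns.append(rdn)
    return rdns


def canonical_dn(rdns: List[RDN]) -> str:
    """Serialise parsed RDNs back to a normalised RFC 4514 string."""
    def esc(v: str) -> str:
        out = "".join("\\" + c if c in _SPECIAL else c for c in v)
        if v.startswith((" ", "#")):
            out = "\\" + out
        if v.endswith(" ") and len(v) > 1:
            out = out[:-1] + "\\ "
        return out
    return ",".join("+".join(f"{t}={esc(v)}" for t, v in rdn) for rdn in rdns)


def subject_attribute(rdns: List[RDN], attr_type: str) -> Optional[str]:
    """First value of attr_type (case-insensitive), or None if the DN lacks it."""
    wanted = attr_type.upper()
    return next((v for rdn in rdns for t, v in rdn if t == wanted), None)


def identity_from_subject(dn: str) -> str:
    """CN when present, otherwise the canonical full DN (never None)."""
    rdns = parse_dn(dn)
    cn = subject_attribute(rdns, "CN")
    return cn if cn else canonical_dn(rdns)
```

With a subject such as `UID=testuser,OU=QA,O=Example`, `identity_from_subject` returns the whole canonical DN rather than raising, while `CN=testuser,OU=QA,O=Example` still yields `testuser`. Whatever identity policy a CA adopts, the point is that the lookup returns an explicit "absent" value that the caller handles, and that malformed DNs fail with a clear error rather than a half-parsed result.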

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-08-03 18:56:01

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2017-08-04 17:20:32

commit 507a8888b6eccfe716ca7bc4647f71cee973afcf (HEAD -> master, origin/master, origin/HEAD, cmc_noCN)
Author: Christina Fu <cfu@redhat.com>
Date:   Tue Jul 25 18:02:02 2017 -0700

Ticket 2788 Missing CN in user signing cert would cause error in cmc user-signed
This patch takes care of the issue that CMCUserSignedAuth cannot handle cases when CN is not in the subjectDN

Change-Id: Ieac0712d051dcb993498d9680f005c04158b5549

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2017-08-04 17:20:33

Metadata Update from @cfu:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-08-16 18:22:49

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-09-13 12:13:41

Metadata Update from @mharmsen: