Open pki-bot opened 4 years ago
Comment from msauton (@msauton) at 2019-05-14 16:36:33
Metadata Update from @msauton:
Comment from msauton (@msauton) at 2019-05-14 16:38:48
Comment from msauton (@msauton) at 2019-05-14 17:00:54
bz 1710094 - agent cert not from local CA, LDAP error 32, but can issue cert while revoke fails PKIException: Record not found and HTTP 500 error https://bugzilla.redhat.com/show_bug.cgi?id=1710094
Comment from cfu (@cfu) at 2020-03-13 19:29:23
Question: does this behavior only happen with pki CLI commands, or do you observe the same behavior if they (the agent cert issuance approval as well as the revocation) were done from the UI?
This issue was migrated from Pagure Issue #3101. Originally filed by msauton (@msauton) on 2019-05-14 16:34:20:
This is a "corner case" that was not designed for, but there is a need for more validity checking of the agent's LDAP certificate record during authorization for various operations. Example with inconsistent issuance and revocation:
Scenario:
- 2 CA instances in the same security domain, "rootca1" and "subca1"
- the 2 CAs have different issued serial numbers/ranges, so that "rootca1" has fewer LDAP certificate records than "subca1"
- an agent certificate is issued by "subca1" for a user called subca1agentuser1:

```
tail /var/log/pki/subca1/ca/transactions
0.http-bio-8443-exec-3 - [28/Apr/2019:18:04:20 UTC] [20] [1] enrollment reqID 1030 fromAgent userID: caadmin authenticated by certUserDBAuthMgr is completed DN requested: UID=subca1useragent1 cert issued serial number: 0x402 time: 63
```

- the agent user called subca1agentuser1 is added and trusted in rootca1:

```
export nssdir=~/.dogtag/rootca1
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n "PKI Administrator for example.test" ca-user-add subca1agentuser1 --fullName "subca1 Agent User 1"
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n "PKI Administrator for example.test" ca-group-member-add "Certificate Manager Agents" subca1agentuser1
pki -U https://ca1.example.test:7443/ca -n caadmin -c password ca-user-cert-add subca1agentuser1 --input /home/subca1useragent1/subca1useragent1.0x402.crt
```

- check: there is a "subca1agentuser1" user entry in "rootca1":

```
ldapsearch -LLLx -D "cn=directory manager" -w password -b uid=subca1agentuser1,ou=People,o=rootca1-CA
dn: uid=subca1agentuser1,ou=people,o=rootca1-CA
...
userCertificate:: MIIDazCCAlOgAwIBAgICBAIwDQYJKoZIhvcNAQELBQAwRDEUMBIGA1UECgwL ...
```

- check: the "expected" non-existent LDAP entry in "rootca1", for the corner case to test:

```
ldapsearch -LLLx -D "cn=directory manager" -w password -b "cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA"
No such object (32)
Matched DN: ou=certificateRepository,ou=ca,o=rootca1-CA
```
test 1 on rootca1 - agent subca1agentuser1 successfully issues a user certificate
note the LDAP error 32 / no such object during authorization, on the entry cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA and the continuing issuance process.
details, see attachment "test1"
the error message "PKIException: Record not found" is confusing because it does not apply to the certificate I tried to revoke; it seems to apply to the agent cert LDAP record, cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA, which does not exist on "rootca1" in this scenario:

```
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n subca1useragent1 ca-cert-hold 0xc
Placing certificate on-hold:
  Serial Number: 0xc
  Subject DN: UID=rootca1user1
  Issuer DN: CN=CA Signing Certificate,OU=rootca1,O=Root CA Example Corp 7
  Status: VALID
  Not Valid Before: Sun Apr 28 18:39:26 UTC 2019
  Not Valid After: Fri Oct 25 18:39:26 UTC 2019
Are you sure (Y/N)? y
PKIException: Record not found
```

```
==> /var/log/pki/rootca1/localhost_access_log.2019-04-28.txt <==
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:41 +0000] "GET /ca/rest/account/login HTTP/1.1" 200 203
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:41 +0000] "GET /ca/rest/agent/certs/12 HTTP/1.1" 200 9450
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:45 +0000] "POST /ca/rest/agent/certs/12/revoke HTTP/1.1" 500 209
```
details, see attachment "test2"
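The following is an added illustration of the check the reporter is asking for; it is not Dogtag code and does not reproduce Dogtag's actual authorization path. It decodes the serial number from the truncated userCertificate value shown in the ldapsearch output above (the DER prefix is long enough to reach the serialNumber field: 0x402 = 1026, which is exactly the cn=1026 record the LDAP error 32 complains about), derives the cn=<serial>,ou=certificateRepository DN from it, and then authorizes an agent operation only if the agent's own record exists and is VALID in the local CA, reporting which record is missing instead of a bare "Record not found". The two in-memory repositories, the o=subca1-CA base and the VALID status strings are constructed assumptions standing in for the LDAP entries.

```python
import base64

# Truncated userCertificate value copied from the reporter's ldapsearch output.
# Only the first 45 bytes of DER are present, which is enough to reach the
# serialNumber field of the TBSCertificate.
AGENT_CERT_B64_PREFIX = "MIIDazCCAlOgAwIBAgICBAIwDQYJKoZIhvcNAQELBQAwRDEUMBIGA1UECgwL"
AGENT_CERT_DER = base64.b64decode(AGENT_CERT_B64_PREFIX)


def _der_header(data, pos):
    """Read one DER tag and length at pos; return (tag, value_offset, value_length)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, pos, length


def serial_from_der_prefix(der):
    """Return the serialNumber of an X.509 certificate from its DER prefix.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... } ... }
    """
    tag, pos, _ = _der_header(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    tag, pos, _ = _der_header(der, pos)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (TBSCertificate)")
    tag, pos, length = _der_header(der, pos)
    if tag == 0xA0:                        # skip the explicit [0] version field
        pos += length
        tag, pos, length = _der_header(der, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[pos:pos + length], "big")


def cert_record_dn(serial, ca_base):
    """DN of the certificate record, as in the reporter's ldapsearch: cn=<decimal serial>."""
    return f"cn={serial},ou=certificateRepository,ou=ca,o={ca_base}"


# Constructed stand-ins for each CA's certificateRepository (assumption: real
# entries carry many more attributes; only presence and status matter here).
# rootca1 holds serials 1..12 (0xc is the cert put on hold in the test) and has
# no entry cn=1026. subca1 holds the agent cert 0x402 = 1026 and its neighbours.
ROOTCA1_REPOSITORY = {cert_record_dn(n, "rootca1-CA"): "VALID" for n in range(1, 13)}
SUBCA1_REPOSITORY = {cert_record_dn(n, "subca1-CA"): "VALID" for n in range(1024, 1030)}


def authorize_agent_operation(agent_der, target_serial, ca_base, repository):
    """Fail closed on a missing or non-VALID agent cert record and name the missing record."""
    agent_serial = serial_from_der_prefix(agent_der)
    agent_dn = cert_record_dn(agent_serial, ca_base)
    status = repository.get(agent_dn)
    if status is None:
        return False, f"agent cert {agent_serial:#x} was not issued by this CA: no entry {agent_dn}"
    if status != "VALID":
        return False, f"agent cert {agent_serial:#x} is {status}"
    target_dn = cert_record_dn(target_serial, ca_base)
    if target_dn not in repository:
        return False, f"target cert {target_serial:#x} has no entry {target_dn}"
    return True, f"agent cert {agent_serial:#x} authorized for cert {target_serial:#x}"


if __name__ == "__main__":
    # rootca1: the agent cert 0x402 has no record, so the operation is denied
    # with a message that points at the agent cert, not at serial 0xc.
    # subca1: the same agent cert is on record, so the operation is allowed.
    for ca_base, repo, target in (("rootca1-CA", ROOTCA1_REPOSITORY, 0xC),
                                  ("subca1-CA", SUBCA1_REPOSITORY, 0x403)):
        ok, reason = authorize_agent_operation(AGENT_CERT_DER, target, ca_base, repo)
        print(f"{ca_base}: {'allow' if ok else 'deny'} ({reason})")
```

The same lookup is used for both the issuance and the revocation path, so the two operations cannot disagree about whether the agent is trusted, which is the inconsistency the two tests above demonstrate.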