#1649 Enhancements for CLI-based renewals
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by dminnich.

pki CLI-based renewals require cert-based auth and use that subject regardless of the serial given when cert auth is specified.

I want agent approved renewals, so I don't think I should need to auth with a client cert like it looks for.

pki -v -C ~/.pki.password -U https://server:8443/ca cert-request-profile-show caManualRenewal --output renewal.xml

vim renewal.xml and add the serial number of a cert expiring soon

pki -v -C ~/.pki.password -U https://server:8443/ca cert-request-submit renewal.xml

HTTP response: HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: application/xml
Content-Length: 266
Date: Mon, 12 Oct 2015 19:24:51 GMT
Connection: close
com.netscape.certsrv.base.PKIException: You have no certificates to be renewed or the certificates are malformed.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:86)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:58)
at java.lang.reflect.Constructor.newInstance(Constructor.java:542)
at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436)
at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112)
at com.netscape.certsrv.cert.CertClient.enrollRequest(CertClient.java:90)
at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:80)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:90)
at com.netscape.cmstools.cli.ProxyCLI.execute(ProxyCLI.java:119)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:557)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:569)

debug.log

[12/Oct/2015:19:24:50]http-bio-8443-exec-10: processRenewal: renewProfileId caManualRenewal
[12/Oct/2015:19:24:50]http-bio-8443-exec-10: RenewalSubmitter: renewal: serial_num not found, must do ssl client auth
[12/Oct/2015:19:24:51]http-bio-8443-exec-10: RenewalSubmitter: renewal: no ssl client cert chain
[12/Oct/2015:19:24:51]http-bio-8443-exec-10: You have no certificates to be renewed or the certificates are malformed.
You have no certificates to be renewed or the certificates are malformed.
at com.netscape.cms.servlet.cert.RenewalProcessor.processRenewal(RenewalProcessor.java:119)
at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:186)
at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:130)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at sun.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(AccessController.java:452)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:726)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(AccessController.java:416)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.GeneratedMethodAccessor39.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(AccessController.java:452)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:726)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(AccessController.java:416)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1157)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:627)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:809)

Note that if I instead do a pki -v -C ~/.pki.password -n "PKI Administrator for server" -U https://server:8443/ca cert-request-submit renewal.xml it goes through without any errors, but it

[12/Oct/2015:19:29:20]http-bio-8443-exec-7: SubjectNameConstraint: validate cert subject =CN=admin cert,OU=ca,OU=stage,O=Red Hat
[12/Oct/2015:19:29:20]http-bio-8443-exec-7: SubjectNameConstraint: validate() - sn500 dname = CN=admin cert,OU=ca,OU=stage,O=Red Hat

instead of grabbing the info from the cert with the serial I specified in the renewal.xml.


The current renewal template is a bit confusing because it shows two places to specify the serial number, but only the first one is used:

<CertEnrollmentRequest>
    <Attributes/>
    <ProfileID>caManualRenewal</ProfileID>
    <Renewal>true</Renewal>
    <SerialNumber></SerialNumber>           <-- use this for now
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Value></Value>                 <-- currently ignored
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>

If the serial number is specified in the first place the renewal will work.

Proposed solution:

Ideally the serial number should be specified in the <Attribute name="serial_num">, and the <SerialNumber> should no longer be used. The <Renewal> is not necessary since the value can be obtained from the profile itself. The <RemoteHost> and <RemoteAddress> are not necessary either since they can be obtained from the HTTP request.

For backward compatibility the RenewalProcessor should be changed to read the <Attribute name="serial_num"> first, then if it's empty it will read the <SerialNumber>. If it's empty too, then it will get the serial number from the client certificate. The code should also be able to handle both decimal and hexadecimal serial numbers.

The CLI & REST service should generate a warning if any of the deprecated elements above is used.

See also ticket #999.
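An added illustration of the precedence proposed above (serial_num input attribute first, then the legacy SerialNumber element, then the client certificate, with decimal and hex accepted and a warning for deprecated elements). This is example code written for this note, not Dogtag's Java RenewalProcessor; the "0x" prefix as the hex marker and the warning wording are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample: the ticket's renewal template with the serial placed
# in the serialNumRenewInputImpl attribute, the location the proposal prefers.
REQUEST_XML = """<CertEnrollmentRequest>
    <Attributes/>
    <ProfileID>caManualRenewal</ProfileID>
    <Renewal>true</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Value>0x1a</Value>
        </Attribute>
    </Input>
</CertEnrollmentRequest>"""

# Elements the proposal wants deprecated; a warning fires when one carries a value.
DEPRECATED = ("SerialNumber", "Renewal", "RemoteHost", "RemoteAddress")


def parse_serial(text: str) -> int:
    """Accept a decimal serial, or hex when prefixed with 0x (assumed convention)."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    return int(text, 10)


def resolve_renewal_serial(xml_text: str, client_cert_serial: Optional[int] = None
                           ) -> Tuple[int, List[str]]:
    """Return (serial, warnings) following the proposed lookup order."""
    root = ET.fromstring(xml_text)
    warnings = [f"deprecated element <{tag}> is used" for tag in DEPRECATED
                if root.findtext(tag, "").strip()]
    attr = root.findtext("./Input/Attribute[@name='serial_num']/Value", "")
    if attr.strip():                       # 1. new location: serial_num input
        return parse_serial(attr), warnings
    legacy = root.findtext("SerialNumber", "")
    if legacy.strip():                     # 2. backward compatibility
        return parse_serial(legacy), warnings
    if client_cert_serial is None:         # 3. fall back to SSL client cert
        raise ValueError("You have no certificates to be renewed or the certificates are malformed.")
    return client_cert_serial, warnings
```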

That was it. Sorry for the duplicate ticket. Feel free to close this.

Let's keep this open for the enhancements described in comment #2. I think it's important to avoid confusion.

Per CS/DS meeting of 10/19/2015: 10.3 - major

From IRC conversation of 10/20/2015: 10.4 - minor

The serial number issue has been fixed as additional changes to ticket #999. The serial number can now be specified in either location as either a decimal or hexadecimal number.

The remaining work is to deprecate the redundant <SerialNumber>, <Renewal>, <RemoteHost>, and <RemoteAddress> elements.

Metadata Update from @dminnich:
- Issue set to the milestone: UNTRIAGED

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field version adjusted to None
- Issue close_status updated to: None
- Issue set to the milestone: 10.5 (was: UNTRIAGED)

6 years ago

Metadata Update from @mharmsen:
- Custom field lowhangingfruit adjusted to vakwetu: X

6 years ago

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2208

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
