Missing CN in user signing cert would cause error in cmc user-signed case. If the certificate subject is missing "CN" cmc user-signed case doesn't work.
Steps to Reproduce:
Use a certificate without CN and try to use it for signing in cmc user-signed
Actual results:
1. certificate signing doesn't happen. 2. HttpClient output failed with NPE .
Expected results:
Certificate should be generated with any valid subject dn
Additional info:
Test Result: =========== [root@pki1 certs_db]# HttpClient user-signed/HttpClient-cmc-crmf.self.cfg Total number of bytes read = 3425 after SSLSocket created, thread token is NSS FIPS 140-2 User Private Key client cert is not null handshake happened writing to socket Total number of bytes read = 234 PEhUTUw+CjxCT0RZIEJHQ09MT1I9d2hpdGU+CjxQPgpUaGUgQ2VydGlmaWNhdGUg U3lzdGVtIGhhcyBlbmNvdW50ZXJlZCBhbiB1bnJlY292ZXJhYmxlIGVycm9yLgo8 UD4KRXJyb3IgTWVzc2FnZTo8QlI+CjxJPmphdmEubGFuZy5OdWxsUG9pbnRlckV4 Y2VwdGlvbjwvST4KPFA+ClBsZWFzZSBjb250YWN0IHlvdXIgbG9jYWwgYWRtaW5p c3RyYXRvciBmb3IgYXNzaXN0YW5jZS4KPC9CT0RZPgo8L0hUTUw+Cg0K The response in binary format is stored in user-signed/cmc.self.Resp [root@pki1 certs_db]# cat user-signed/cmc.self.Resp <HTML> <BODY BGCOLOR=white> <P> The Certificate System has encountered an unrecoverable error. <P> Error Message:<BR> <I>java.lang.NullPointerException</I> <P> Please contact your local administrator for assistance. </BODY> </HTML> Configuration files: =========== cmc.config: [root@pki1 certs_db]# cat user-signed/cmc.self.cfg #numRequests: Total number of PKCS10 requests or CRMF requests. numRequests=1 #input: full path for the PKCS10 request or CRMF request, #the content must be in Base-64 encoded format #Multiple files are supported. They must be separated by space. input=user-signed/pkcs10.req #output: full path for the CMC request in binary format output=user-signed/cmc.self.req #tokenname: name of token where agent signing cert can be found (default is internal) tokenname=internal #request.selfSign=true #nickname: nickname for agent certificate which will be used #to sign the CMC full request. nickname=pkipinmanager #nickname=test13 #nickname=PKI CA Administrator #nickname=revoke1 #dbdir: directory for cert8.db, key3.db and secmod.db dbdir=/opt/rhqa_pki/certs_db/ #password: password for cert8.db which stores the agent #certificate password=SECret.123 #format: request format, either pkcs10 or crmf format=pkcs10 #identityProofV2.enable: if true, then the request will contain #this control. Otherwise, false. #Note that if both identityProof and identityProofV2 # are enabled, identityProofV2 takes precedence; Only one of them can be active at a time #Supported hashAlg are: # SHA-1, SHA-256, SHA-384, and SHA-512 #Supported macAlg are: # SHA-1-HMAC, SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC identityProofV2.enable=false identityProofV2.hashAlg=SHA-512 identityProofV2.macAlg=SHA-512-HMAC #identityProofV2.sharedSecret: Shared Secret witness.sharedSecret=testing popLinkWitnessV2.enable=true popLinkWitnessV2.keyGenAlg=SHA-512 popLinkWitnessV2.macAlg=SHA-512-HMAC request.privKeyId=-4649a706aa2b309d2f1d139e4e000eae612eb04e #identification works with identityProofV2 identification.enable=true identification=testuser HttpClient config: [root@pki1 certs_db]# cat user-signed/HttpClient-cmc-crmf.self.cfg #host: host name for the http server host=pki.example.com #port: port number port=25443 #secure: true for secure connection, false for nonsecure connection #For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command secure=true #input: full path for the enrollment request, the content must be in binary format input=user-signed/cmc.self.req #output: full path for the response in binary format output=user-signed/cmc.self.Resp #tokenname: name of token where SSL client authentication cert can be found (default is internal) #This parameter will be ignored if secure=false tokenname=internal #dbdir: directory for cert8.db, key3.db and secmod.db #This parameter will be ignored if secure=false dbdir=/opt/rhqa_pki/certs_db #clientmode: true for client authentication, false for no client authentication #This parameter will be ignored if secure=false clientmode=true #password: password for cert8.db #This parameter will be ignored if secure=false and clientauth=false password=SECret.123 #nickname: nickname for client certificate #This parameter will be ignored if clientmode=false nickname=pkipinmanager #servlet: servlet name servlet=/ca/ee/ca/profileSubmitUserSignedCMCFull
Metadata Update from @mharmsen: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1474658 - Custom field type adjusted to None - Custom field version adjusted to None - Issue assigned to cfu - Issue priority set to: critical - Issue set to the milestone: 10.4
commit 507a8888b6eccfe716ca7bc4647f71cee973afcf (HEAD -> master, origin/master, origin/HEAD, cmc_noCN) Author: Christina Fu cfu@redhat.com Date: Tue Jul 25 18:02:02 2017 -0700
Ticket #2788 Missing CN in user signing cert would cause error in cmc user-signed This patch takes care of the issue that CMCUserSignedAuth cannot handle cases when CN is not in the subjectDN Change-Id: Ieac0712d051dcb993498d9680f005c04158b5549
Metadata Update from @cfu: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.10 (was: 10.4)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.4.8-6.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2908
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.