#2819 Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY
Closed: fixed 2 years ago Opened 2 years ago by edewata.

Currently when the server receives a CMC request it will generate the following log:

[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE][SignerInfo=PKI Administrator] agent pre-approved CMC request signature verification

The SubjectID should have been the UID of the person who submits the certificate enrollment or revocation request (i.e. PKI Administrator), but now it says $NonRoleUser$.

Steps to reproduce:

  1. Install a root CA
  2. Install a subordinate CA (https://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate)
    a. Run installation step 1 to generate CA signing CSR
    b. Use CMC on the root CA to issue the CA signing CSR (https://pki.fedoraproject.org/wiki/Issuing_CA_Signing_Certificate_with_CMC)
  3. Inspect the audit log on the root CA

Actual result: There is one log entry for CMC_SIGNED_REQUEST_SIG_VERIFY event and it has [SubjectID=$NonRoleUser$].

Expected result: The log entry should have [SubjectID=PKI Administrator].


Metadata Update from @edewata:
- Issue priority set to: blocker
- Issue set to the milestone: 10.5

2 years ago

Metadata Update from @cfu:
- Issue assigned to cfu

2 years ago

commit 328654627bfb6d65ae795b5435409c1724d20458 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu@redhat.com>
Date: Mon Oct 23 15:56:39 2017 -0700

Ticket #2819  Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY

This patch fixes https://pagure.io/dogtagpki/issue/2819

Before this patch, one would see something like the following (with generic
SubjectID):
[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification

After this patch, one would see the SubjectID being filled in:
[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=UID=TestAgent2,OU=example][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification

Change-Id: I3385a771e0c43d5db7c51e806991039cf14c8b42

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
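
For reviewing audit logs written before this fix, the following added example (not part of the ticket or of Dogtag's code) parses the `[Key=Value]` fields shown above and reports which CMC_SIGNED_REQUEST_SIG_VERIFY entries carry the generic SubjectID. The function names are hypothetical, and falling back to SignerInfo for attribution is an assumption based on the ticket's expected result.

```python
import re

# One "[Key=Value]" field; the value runs to the next "]" and may itself
# contain "=" and "," (for example CertSubject=CN=...,UID=...).
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
EVENT = "CMC_SIGNED_REQUEST_SIG_VERIFY"
PLACEHOLDER = "$NonRoleUser$"

# The three entries quoted in this ticket, used as sample input.
SAMPLE_LOG = [
    "[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE][SignerInfo=PKI Administrator] agent pre-approved CMC request signature verification",
    "[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification",
    "[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=UID=TestAgent2,OU=example][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification",
]


def parse_fields(line):
    """Parse the run of bracketed fields that starts at [AuditEvent=...]."""
    fields = {}
    pos = line.find("[AuditEvent=")  # skips any prefix before the event
    while pos >= 0:
        m = FIELD_RE.match(line, pos)
        if m is None:  # reached the free-text message after the fields
            break
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return fields


def attribute(line):
    """Return (identity, source field) for a CMC verify event, else None."""
    fields = parse_fields(line)
    if fields.get("AuditEvent") != EVENT:
        return None
    subject = fields.get("SubjectID", "")
    if subject and subject != PLACEHOLDER:
        return subject, "SubjectID"
    signer = fields.get("SignerInfo", "")  # assumed fallback for old entries
    return (signer, "SignerInfo") if signer else ("", "unknown")


def placeholder_entries(lines):
    """List (signer, CertSubject) for entries whose SubjectID is unusable."""
    hits = []
    for line in lines:
        who = attribute(line)
        if who and who[1] != "SubjectID":
            hits.append((who[0], parse_fields(line).get("CertSubject", "")))
    return hits
```

Calling `placeholder_entries(SAMPLE_LOG)` returns the two pre-fix entries with the signer taken from SignerInfo; the post-fix entry is attributed through SubjectID and is not listed.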

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1506819

2 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.0 (was: 10.5)

2 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.1 (was: 10.5.0)

2 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.1-1.fc27

2 years ago
