#2819 Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY
Closed: fixed 6 years ago Opened 6 years ago by edewata.

Currently when the server receives a CMC request it will generate the following log:

[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRol
eUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=
CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE][SignerInfo=P
KI Administrator] agent pre-approved CMC request signature v
erification

The SubjectID should have been the UID of the person who submits the certificate enrollment or revocation request (i.e. PKI Administrator), but now it says $NonRoleUser$.

Steps to reproduce:

  1. Install a root CA
  2. Install a subordinate CA (https://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate)
    a. Run installation step 1 to generate CA signing CSR
    b. Use CMC on the root CA to issue the CA signing CSR (https://pki.fedoraproject.org/wiki/Issuing_CA_Signing_Certificate_with_CMC)
  3. Inspect the audit log on the root CA

Actual result: There is one log entry for CMC_SIGNED_REQUEST_SIG_VERIFY event and it has [SubjectID=$NonRoleUser$].

Expected result: The log entry should have [SubjectID=PKI Administrator].


Metadata Update from @edewata:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue priority set to: blocker
- Issue set to the milestone: 10.5

6 years ago

Metadata Update from @cfu:
- Issue assigned to cfu

6 years ago

commit 328654627bfb6d65ae795b5435409c1724d20458 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu cfu@redhat.com
Date: Mon Oct 23 15:56:39 2017 -0700

Ticket #2819  Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY

This patch fixes https://pagure.io/dogtagpki/issue/2819

Before this patch, one would see something like the following (with generic
SubjectID):
[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification

After this patch, one would see the SubjectID being filled in:
[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=UID=TestAgent2,OU=example][Outcome=Success][ReqType=enrollment][CertSubject=CN=just me cfu,UID=cfu][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification

Change-Id: I3385a771e0c43d5db7c51e806991039cf14c8b42

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1506819

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.0 (was: 10.5)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.1 (was: 10.5.0)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.1-1.fc27

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2939

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata