#2894 Unauthorized and Invalid number format Exception during revoked certs usage
Closed: migrated 3 years ago by dmoluguw. Opened 6 years ago by mharmsen.

When trying to use a revoked certificate, the following behavior was observed.

Issue 1: system, debug and audit logs are not in sync.
Issue 2: an Invalid number format exception is encountered.
Issue 3: Since the certificate is revoked, why is it hitting Unauthorized? Unauthorized should not appear once we revoke certs. It should appear once we change the permissions, such as removing the user from a group.

Steps to Reproduce:

Step 1:

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" client-cert-request "cn=testing,uid=testusercert" --profile caUserCert
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: pending
  Operation Result: success

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" cert-request-review 80000012  --action approve
-------------------------------------
Approved certificate request 80000012
-------------------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x8226cb48
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-add test1 --fullName test1
------------------
Added user "test1"
------------------
  User ID: test1
  Full name: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-cert-add test1 --serial 0x8226cb48
--------------------------------------------------------------------------------------------------------------------------------
Added certificate "2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing"
--------------------------------------------------------------------------------------------------------------------------------
  Cert ID: 2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing
  Version: 2
  Serial Number: 0x8226cb48
  Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
  Subject: UID=testusercert,CN=testing
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Certificate Manager Agents" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Administrators" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1

Testing
=====
# pki -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika --fullName geetika
--------------------
Added user "geetika"
--------------------
  User ID: geetika
  Full name: geetika

Step 2: Revoke this certificate.
Step 3: Make sure it is part of your CA's CRL.

CRL:

Certificate revocation list contents

    Certificate Revocation List: 
        Data: 
            Signature Algorithm: SHA512withRSA
            Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
            This Update: Wednesday, January 10, 2018 7:04:47 AM EST America/New_York
            Next Update: Wednesday, January 10, 2018 9:00:00 AM EST America/New_York
            Revoked Certificates: 1-2 of 2
                Serial Number: 0x8226CB48
                Revocation Date: Monday, January 8, 2018 6:01:08 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: Certificate_Hold
                    Identifier: Invalidity Date - 2.5.29.24
                        Critical: no 
                        Invalidity Date: Sat Jan 06 13:30:00 EST 2018
                Serial Number: 0x1D5144C
                Revocation Date: Monday, January 8, 2018 5:17:32 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: CA_Compromise

Step 4: Now try the same testing procedure again.

# pki -v -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika11 --fullName geetika

com.netscape.certsrv.base.PKIException: Unauthorized
    at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
    at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
    at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
    at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)

Actual results:

The system, debug and audit logs are not in sync, and we face an Invalid number format exception.

Expected results:

It should work

Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1532748
- Custom field type adjusted to None
- Custom field version adjusted to None

6 years ago

edewata wrote:

Probably it fails at this code: new BigInteger(requestId);

It fails since the requestId is a hex string instead of decimal.

The problem happens because the code is trying to parse a request ID with
value 0x8226CB4 as a bigint, which expects a decimal value. I'm not sure why
it's doing that; that will need further investigation.

here's the code:
* https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java#L281

Per PKI Team Meeting of 20180118 moving to 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

6 years ago
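Added example, not Dogtag PKI code: this models the hex-versus-decimal confusion edewata describes above (a radix-10-only parse, like Java's new BigInteger(String), rejecting an "0x…" serial) and then checks a serial against the CRL listing from Step 3. It assumes two things visible on this page: the CLI prints serials in hex (0x8226CB48), while the Dogtag cert ID string "2;2183580488;issuer;subject" carries the same serial in decimal. The CRL text is copied from the ticket's CRL dump; the function names are mine.

```python
"""Added example (not Dogtag PKI code): model the decimal-only parse that
fails on hex IDs, and check a serial against the ticket's CRL listing."""
import re

# Constructed sample: the two revoked entries copied from the ticket's CRL dump.
CRL_TEXT = """\
Revoked Certificates: 1-2 of 2
    Serial Number: 0x8226CB48
    Revocation Date: Monday, January 8, 2018 6:01:08 AM EST America/New_York
    Extensions:
        Identifier: Revocation Reason - 2.5.29.21
            Critical: no
            Reason: Certificate_Hold
    Serial Number: 0x1D5144C
    Revocation Date: Monday, January 8, 2018 5:17:32 AM EST America/New_York
    Extensions:
        Identifier: Revocation Reason - 2.5.29.21
            Critical: no
            Reason: CA_Compromise
"""

# Cert ID string as printed by ca-user-cert-add on this page (assumed format:
# version;decimal serial;issuer DN;subject DN).
CERT_ID = ("2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,"
           "O=Example-rhcs92-CA;UID=testusercert,CN=testing")


def parse_decimal_only(s):
    """Model of Java's new BigInteger(s): radix 10 only.
    Raises ValueError for "0x8226CB48", the failure edewata points at."""
    return int(s, 10)


def decimal_parse_fails(s):
    """True when the decimal-only parse rejects the string (hypothetical helper)."""
    try:
        parse_decimal_only(s)
        return False
    except ValueError:
        return True


def parse_id(s):
    """Accept both forms seen in this ticket: "0x…" hex, otherwise decimal.
    Bare hex without a prefix is deliberately not guessed."""
    s = s.strip()
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    return int(s, 10)


def serial_from_cert_id(cert_id):
    """Pull the decimal serial out of a "version;serial;issuer;subject" ID."""
    parts = cert_id.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected cert ID format: %r" % cert_id)
    return int(parts[1], 10)


def parse_crl(text):
    """Return {serial_as_int: revocation_reason} from a textual CRL dump."""
    revoked = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Serial Number:\s*(\S+)", line)
        if m:
            current = parse_id(m.group(1))
            revoked[current] = None
            continue
        m = re.match(r"\s*Reason:\s*(\S+)", line)
        if m and current is not None:
            revoked[current] = m.group(1)
    return revoked


def revocation_status(crl, ident):
    """Normalise a hex serial, decimal serial, or cert ID string and look it up."""
    serial = serial_from_cert_id(ident) if ";" in ident else parse_id(ident)
    if serial in crl:
        return "revoked (%s)" % crl[serial]
    return "good"


if __name__ == "__main__":
    crl = parse_crl(CRL_TEXT)
    print("decimal-only parse of 0x8226CB48 fails:", decimal_parse_fails("0x8226CB48"))
    print("0x8226CB48 ->", revocation_status(crl, "0x8226CB48"))
    print("cert ID    ->", revocation_status(crl, CERT_ID))
    print("0x1D5144D  ->", revocation_status(crl, "0x1D5144D"))
```

The point of normalising both spellings to an integer before the lookup is that the CLI, the cert ID string and the CRL each render the same serial differently; a radix-10-only parse on the server side is exactly what turns the hex form into a number format error instead of a revocation check.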

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3012

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
