When I tried to use a revoked certificate, I observed the behavior below.
Issue 1: system, debug and audit logs are not in sync.
Issue 2: we face "Invalid number format".
Issue 3: Since the certificate is revoked, why is it hitting Unauthorized? Unauthorized should not come once we revoke certs. It should come once we change the permissions, like removing from a group.
Steps to Reproduce:
Step 1:

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" client-cert-request "cn=testing,uid=testusercert" --profile caUserCert
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: pending
  Operation Result: success

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" cert-request-review 80000012 --action approve
-------------------------------------
Approved certificate request 80000012
-------------------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x8226cb48

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-add test1 --fullName test1
------------------
Added user "test1"
------------------
  User ID: test1
  Full name: test1

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-cert-add test1 --serial 0x8226cb48
--------------------------------------------------------------------------------------------------------------------------------
Added certificate "2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing"
--------------------------------------------------------------------------------------------------------------------------------
  Cert ID: 2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing
  Version: 2
  Serial Number: 0x8226cb48
  Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
  Subject: UID=testusercert,CN=testing

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Certificate Manager Agents" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Administrators" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1

Testing
=====

# pki -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika --fullName geetika
--------------------
Added user "geetika"
--------------------
  User ID: geetika
  Full name: geetika

Step 2: Revoke this certificate.

Step 3: Make sure it is part of your CA's CRL.

CRL:
Certificate revocation list contents
Certificate Revocation List:
  Data:
    Signature Algorithm: SHA512withRSA
    Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
    This Update: Wednesday, January 10, 2018 7:04:47 AM EST America/New_York
    Next Update: Wednesday, January 10, 2018 9:00:00 AM EST America/New_York
    Revoked Certificates: 1-2 of 2
      Serial Number: 0x8226CB48
      Revocation Date: Monday, January 8, 2018 6:01:08 AM EST America/New_York
      Extensions:
        Identifier: Revocation Reason - 2.5.29.21
          Critical: no
          Reason: Certificate_Hold
        Identifier: Invalidity Date - 2.5.29.24
          Critical: no
          Invalidity Date: Sat Jan 06 13:30:00 EST 2018
      Serial Number: 0x1D5144C
      Revocation Date: Monday, January 8, 2018 5:17:32 AM EST America/New_York
      Extensions:
        Identifier: Revocation Reason - 2.5.29.21
          Critical: no
          Reason: CA_Compromise

Step 4: Now try the same testing procedure again.

# pki -v -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika11 --fullName geetika
com.netscape.certsrv.base.PKIException: Unauthorized
    at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
    at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
    at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
    at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)
Actual results:
Why are the system, debug and audit logs not in sync? We face "Invalid number format".
Expected results:
It should work.
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1532748
- Custom field type adjusted to None
- Custom field version adjusted to None
edewata wrote:
It probably fails at this code: new BigInteger(requestId). It fails since the requestId is a hex string instead of decimal. The problem happens because the code is trying to parse a request ID with value 0x8226CB4 as a BigInteger, which expects a decimal value. I'm not sure why it's doing that; that will need further investigation.
Here's the code:
https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java#L281
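To make the parse failure described above concrete, here is an added example; it is not Dogtag code and not part of edewata's comment. It shows a decimal-only BigInteger parse failing on a hex request ID, beside an explicit-radix parser that accepts either a 0x-prefixed hex ID or a plain decimal ID, plus a check showing why "try decimal, then hex" is not a safe fix: the same digit string reads as two different IDs. The class and method names are assumptions made for illustration; the sample IDs 80000012, 8226CB48 and 0x8226CB48 are taken from the transcript in this issue.

```java
import java.math.BigInteger;

/**
 * Added example (not Dogtag code): a decimal-only BigInteger parse of a
 * hex request ID, an explicit-radix alternative, and the ambiguity that
 * makes radix guessing unsafe. Names here are illustrative assumptions.
 */
public class RequestIdParse {

    /** The failing pattern: new BigInteger(s) accepts decimal digits only. */
    public static BigInteger parseDecimalOnly(String id) {
        return new BigInteger(id);  // "8226CB48" throws NumberFormatException
    }

    /**
     * Explicit-radix parse: a "0x"/"0X" prefix means hex, anything else is
     * decimal. Surrounding whitespace is trimmed; signs and any other
     * characters are rejected. The radix is never guessed from the digits.
     */
    public static BigInteger parseRequestId(String id) {
        if (id == null) {
            throw new IllegalArgumentException("missing request id");
        }
        String s = id.trim();
        if (s.startsWith("0x") || s.startsWith("0X")) {
            String hex = s.substring(2);
            if (!hex.matches("[0-9A-Fa-f]+")) {
                throw new NumberFormatException("bad hex request id: " + id);
            }
            return new BigInteger(hex, 16);
        }
        if (!s.matches("[0-9]+")) {
            throw new NumberFormatException("bad decimal request id: " + id);
        }
        return new BigInteger(s, 10);
    }

    /**
     * Why a "decimal first, hex on failure" fallback is unsafe: a string of
     * decimal digits is also valid hex, so the two readings can denote two
     * different requests and a heuristic parser may silently pick the wrong
     * one. Returns true when the two readings differ.
     */
    public static boolean isRadixAmbiguous(String digits) {
        if (!digits.matches("[0-9]+")) {
            return false;  // not valid decimal, so only the hex reading exists
        }
        return !new BigInteger(digits, 10).equals(new BigInteger(digits, 16));
    }

    public static void main(String[] args) {
        String[] ids = {"80000012", "8226CB48", "0x8226CB48"};
        for (String id : ids) {
            try {
                System.out.println(id + " decimal-only -> " + parseDecimalOnly(id));
            } catch (NumberFormatException e) {
                System.out.println(id + " decimal-only -> NumberFormatException: " + e.getMessage());
            }
            try {
                System.out.println(id + " explicit-radix -> " + parseRequestId(id));
            } catch (NumberFormatException e) {
                System.out.println(id + " explicit-radix -> rejected: " + e.getMessage());
            }
        }
        // "80000012" is 80000012 read as decimal but 2147483666 read as hex.
        System.out.println("80000012 ambiguous across radices: " + isRadixAmbiguous("80000012"));
    }
}
```

The point of the third method is the caveat a reviewer would raise against any quick fix: whichever radix the request-ID format is, the parser and every producer of that string must agree on it explicitly; accepting both by falling back from one radix to the other makes a lookup land on a different request than the caller named.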
Per PKI Team Meeting of 20180118, moving to 10.6.
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3012
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)