As captured in review comments at https://github.com/freeipa/freeipa/pull/2990.
Related to: https://pagure.io/freeipa/issue/7835 and https://pagure.io/freeipa/issue/7901. The workarounds implemented for #7835 do not handle some edge cases properly, in particular certificates whose Subject DN does not contain a CN corresponding to the principal. This can be achieved with a profile modification, e.g.
policyset.serverCertSet.1.default.params.name=UID=$request.req_subject_name.cn$, O=EXAMPLE.COM
Comments from the PR are quoted and my further comments follow.
Fraser:
this PR regresses in the subject DN corner case I mentioned above. We might need to go back to the drawing board on cert-find. OTOH the scenario that breaks this code is a corner case. It's not the end of the world if we ship this patch as-is. cert-find has a lot of limitations as it is, and this patch may help in the common case.
Christian:
We can either decide to ignore this edge case or somebody has to redesign and rewrite the entire cert_find API. The current implementation doesn't scale at all. Several common cases download all certificates from Dogtag, which puts a lot of stress on 389-DS, Dogtag, and the Python API. The BZ mentions > 100k certs. I have an idea how to optimize the most critical cases for cert revocation. We can use the fact that host certs, service certs, and user certs are always stored on the host, service, or user LDAP entry. For simple host, service, and user cert search, perform _ldap_search before _ca_search. In _ca_search only retrieve certificates with subject CNs or serial numbers of certs as returned by _ldap_search. There is one catch: It looks like Dogtag does not support list of serial numbers. :/
My response to above is that certs are not always stored in the principal's userCertificate attribute; it is profile-configurable whether to store the cert on the principal entry or not.
It is also clear that there is no perfect way to determine which certs in Dogtag truly "belong to" some principal. If the certificate is in the userCertificate entry, OK fair enough, we know.
And if the certificate has a KRB5PrincipalName SAN for the principal, OK, fair enough, that's solid - but there is no way to search for that apart from enumerating all certificates. And a cert issued for an IPA principal is not required to have the KRB5 SAN. So we should ignore that case.
My preference is to limit searches for a principal's certificates to exactly those certificates in the principal's userCertificate attribute. Any other heuristic is either (a) prone to false positives (a BIG danger, particularly in the revocation case), (b) prone to missing some certificates, (c) not performant with no clear path to making it performant, or some combination of (a), (b) and (c).
There are also some other known issues with cert-find, e.g. the --subject option only searches for CN. Aside from being misleading there is no way to search for other SDN attributes or a whole SDN.
Other related tickets about cert-find or cert-revoke behaviour and performance:
The overall conclusion is that cert-find and related commands need an overhaul, which may include enhancements in Dogtag as well, to enable better / faster searching.
ipa user-mod --rename is another edge case.
Create a user certificate
# openssl genrsa -out /root/testuser1.key
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
................+++++
e is 65537 (0x010001)
# ipa cert-request --csr-profile-id=userCert --principal=testuser1 --private-key=/root/testuser1.key --certificate-out=/tmp/testuser1.pem
  Issuing CA: ipa
  Certificate: <certificate data omitted>
  Subject: CN=testuser1,O=IPA.EXAMPLE
  Subject email address: testuser@ipa.example
  Issuer: CN=Certificate Authority,O=IPA.EXAMPLE
  Not Before: Tue Apr 09 06:52:37 2019 UTC
  Not After: Fri Apr 09 06:52:37 2021 UTC
  Serial number: 23
  Serial number (hex): 0x17
cert-find for the user finds the certificate and prints all metadata
# ipa cert-find --user=testuser1
---------------------
1 certificate matched
---------------------
  Issuing CA: ipa
  Subject: CN=testuser1,O=IPA.EXAMPLE
  Issuer: CN=Certificate Authority,O=IPA.EXAMPLE
  Not Before: Tue Apr 09 08:52:37 2019 UTC
  Not After: Fri Apr 09 08:52:37 2021 UTC
  Serial number: 23
  Serial number (hex): 0x17
  Status: VALID
  Revoked: False
----------------------------
Number of entries returned 1
----------------------------
Let's rename the user
# ipa user-mod --rename=testuser10 testuser1
-------------------------
Modified user "testuser1"
-------------------------
  User login: testuser10
  First name: Test
  Last name: User
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser10@IPA.EXAMPLE
  Principal alias: testuser10@IPA.EXAMPLE, testuser@IPA.EXAMPLE, testuser1@IPA.EXAMPLE
  Email address: testuser@ipa.example
  UID: 487600001
  GID: 487600001
  Certificate: <certificate data omitted>
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Member of HBAC rule: allow-testuser-ssh
  Kerberos keys available: True
Now a search for testuser1 no longer returns anything, just as expected
# ipa cert-find --user=testuser1
----------------------
0 certificates matched
----------------------
----------------------------
Number of entries returned 0
----------------------------
A search for testuser10 finds a certificate, but only prints the serial number
# ipa cert-find --user=testuser10
---------------------
1 certificate matched
---------------------
  Serial number: 23
  Serial number (hex): 0x17
----------------------------
Number of entries returned 1
----------------------------
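As an added illustration (this is not FreeIPA's code) of why the Subject-CN heuristic fails for both edge cases in this ticket, the profile-modified Subject DN without a CN and the renamed user above, the model below simulates the two search paths behind cert-find with constructed data: a tiny CA record list and user entries whose userCertificate attribute holds the cert. The names, the `lookup_by_serial` switch and the rule that an unknown uid matches nothing are this example's own assumptions.

```python
"""Constructed model of the two search paths behind `ipa cert-find --user`:
an LDAP lookup of the user's userCertificate attribute and a CA (Dogtag)
search keyed on the Subject CN. All names and data are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class CaCert:                       # one record in the simulated CA database
    serial: int
    subject: Dict[str, str]         # e.g. {"CN": "testuser1", "O": "IPA.EXAMPLE"}
    der: bytes                      # stand-in for the DER-encoded certificate
    status: str = "VALID"

@dataclass
class UserEntry:                    # one simulated LDAP user entry
    uid: str
    aliases: List[str] = field(default_factory=list)
    user_certificate: List[bytes] = field(default_factory=list)

# Constructed data: testuser1 (serial 23) renamed to testuser10, and a cert
# issued under a profile that puts UID= rather than CN= in the Subject DN.
CA = [CaCert(23, {"CN": "testuser1", "O": "IPA.EXAMPLE"}, b"der-23"),
      CaCert(24, {"UID": "testuser2", "O": "IPA.EXAMPLE"}, b"der-24")]
DIRECTORY = {"testuser10": UserEntry("testuser10", ["testuser1"], [b"der-23"]),
             "testuser2": UserEntry("testuser2", [], [b"der-24"])}

def ca_search_by_cn(cn: str) -> Set[int]:
    """Current heuristic: the Subject CN must equal the login name."""
    return {c.serial for c in CA if c.subject.get("CN") == cn}

def ldap_user_cert_serials(uid: str) -> Set[int]:
    """Serials of the certs actually stored on the user's userCertificate."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        return set()
    by_der = {c.der: c.serial for c in CA}
    return {by_der[d] for d in entry.user_certificate if d in by_der}

def cert_find_user(uid: str, lookup_by_serial: bool = False) -> Dict[int, Optional[str]]:
    """Map serial -> CA status, or None when only LDAP knew about the cert
    (the 'only prints serial number' symptom). Model assumption: an unknown
    uid matches nothing. With lookup_by_serial=True the LDAP-found serials
    are resolved directly in the CA instead of through the CN search."""
    if uid not in DIRECTORY:
        return {}
    ldap_serials = ldap_user_cert_serials(uid)
    cn_serials = ca_search_by_cn(uid)
    by_serial = {c.serial: c for c in CA}
    return {s: (by_serial[s].status if s in cn_serials or lookup_by_serial else None)
            for s in ldap_serials | cn_serials}
```

Resolving the LDAP-found serials directly in the CA is the only path in this model that returns full metadata for the renamed user and for the CN-less certificate alike.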