When revoking the certificate using caadmin cert, Agent Interface doesn't correctly display that the cert is revoked by caadmin

[pki-bot]

This issue was migrated from Pagure Issue #1054. Originally filed by mrniranjan (@mrniranjan) on 2014-06-25 11:17:13:

• Closed as Fixed
• Assigned to edewata (@edewata)

---

When revoking the certificate using caadmin cert, Agent doesn't correctly display that the cert is revoked by caadmin

We have a automation script which revoked the cert using caadmin certificate. caadmin user cert is imported to /opt/rhqa_pki/certs_db directory

certutil -L -d /opt/rhqa_pki/certs_db/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CT,C,C
CA_adminV                                                    u,u,u
CA_adminE                                                    u,u,u
CA_agentR                                                    u,u,u
CA_auditV                                                    u,u,u
PKI Administrator for lab.eng.pnq.redhat.com                 u,u,u
CA_adminR                                                    u,u,u
CA_agentV                                                    u,u,u
CA_agentE                                                    u,u,u
CA_operatorV                                                 u,u,u

[root@dhcp207-176 dogtag]# certutil -L -d /opt/rhqa_pki/certs_db/ -n "PKI Administrator for lab.eng.pnq.redhat.com" | less
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: PKCS 1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,O=lab.eng.pnq.redhat.com Security 
            Domain"
        Validity:
            Not Before: Thu Jun 19 11:29:11 2014
            Not After : Wed Jun 08 11:29:11 2016
        Subject: "CN=PKI Administrator,E=caadmin@lab.eng.pnq.redhat.com,O=lab
            .eng.pnq.redhat.com Security Domain"

Using the caadmin certificate , the automation script revokes the certificate approved by Agent.

As you can seem from the below script output, the script issues command:

pki -d /opt/rhqa_pki/certs_db -c redhat123 -n "PKI Administrator for lab.eng.pnq.redhat.com" cert-revoke 0x23f --force --reason unspecified

:: [   PASS   ] :: Running 'pki -d  /opt/rhqa_pki/certs_db                 -c redhat123                 -n "PKI Administrator for lab.eng.pnq.redhat.com"                 cert-revoke 0x23f --force --reason unspecified 1> /tmp/tmp.l1dXRkA7t8/exp_out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Revoked certificate "0x23f"'
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Serial Number: 0x23f'
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Issuer: CN=CA Signing Certificate,O=lab.eng.pnq.redhat.com Security Domain'
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Status: REVOKED'
:: [ 05:06:50 ] ::  pki cert-find --revokedBy caadmin --minSerialNumber 0x23f
''':: [   PASS   ] :: Running 'pki cert-find --revokedBy caadmin --minSerialNumber 0x23f > /tmp/tmp.l1dXRkA7t8/cert_find_info' (Expected 0, got 0)'''
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Serial Number: 0x23f'
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Subject: UID=pkiuser50848,E=pkiuser50848@example.org,CN=pkiuser50848,OU=Engineering,O=Example.Inc,C=US'
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Number of entries'
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should not contain '0 entries found'

From the Agent Page when i view the cert(i.e when i view the certificate details), it displays that the cert was revoked by CA_agentV and not caadmin

Audit log also reports that it was CA_agent who revoked the cert.

0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:42 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=CA_agentV][Outcome=Success][aclResource=certServer.ca.request.profile][Op=approve] authorization success
0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:42 EDT] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=CA_agentV][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:43 EDT] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=CA_agentV][Outcome=Success][ReqID=761][InfoName=certificate][InfoValue=MIIEMzCCAxugAwIBAgICAj8wDQYJKoZIhvcNAQELBQAwUjEvMC0GA1UECgwmbGFiLmVuZy5wbnEucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTQwNjI1MDkwNjQwWhcNMTQxMjIyMDkwNjQwWjCBlzELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0V4YW1wbGUuSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEVMBMGA1UEAwwMcGtpdXNlcjUwODQ4MScwJQYJKoZIhvcNAQkBFhhwa2l1c2VyNTA4NDhAZXhhbXBsZS5vcmcxHDAaBgoJkiaJk/IsZAEBDAxwa2l1c2VyNTA4NDgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD97aAH+IuhFPSDBaKUuVdkQ6yUWeePyG5rMeRlIhRmA9XjG1cztbzw5Ry13C/E7cmM1kdUXytP+3Uuj8eHbYenIxZbEsOnQ0tj+PbqxS+g/wCBDdt2FCNVyzwx0mrNh3iLlMSJfVgZIm/b1nX3PpSWVKFksLwQ+8/qnEP5umY7jgtouTjoRdT3Uwu882dqjvGMvARt2jU+KIc+HyNaRGg/0XCj9WNREWJIisICPU/gGLIX8ktYaNtRtSNAIvO4cS4rigSRCv56CFSaIU3rn4EQpHuc1juEh7VzLRWOi7vTh2b8rnci7QqZ6e+cUKhJ4OZBzD3I5xGe8CKnSdgg0+JxAgMBAAGjgcwwgckwHwYDVR0jBBgwFoAUYlkcOUeKcqbOzR5hvSwi5eVCE14wUgYIKwYBBQUHAQEERjBEMEIGCCsGAQUFBzABhjZodHRwOi8vZGhjcDIwNy0xNzYubGFiLmVuZy5wbnEucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAjBgNVHREEHDAagRhwa2l1c2VyNTA4NDhAZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAD4q4VPv8gQ/KPQwbnPEE8LZf81lJ6SE312Ou0EEZaOlNrf31UI+w2AE2im7nDJby65s8+BSDEniibKp1OhWIwOWQr80uIbUTDSuX+qjW2gxDt1y3PcUU0DZVwVX6D/vH99Qmqeajs7JX2XUICPrZsoBkDIZ9T9BmSLBMmZjg0KCs9dVBjeDTvoVLPj69RNdCVF4STitaZLrCW+vu/gANPnHt5+nc6/k+dErWWFqQ4QAOWnFPF0Qd1L402FSc+POok6ENyC/2XD1YlkSXW8pd3Rai2z3LRBIhyINjohZmWipGzEmobGlTGPym7haZ4ELLdPIuhsShRs5DLGnG32MNgY=] certificate request processed
0.http-bio-8443-exec-9 - [25/Jun/2014:05:06:49 EDT] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=CA_agentV][Outcome=Success][ReqID=762][CertSerialNum=0x23f][RequestType=revoke] certificate revocation/unrevocation request made
0.http-bio-8443-exec-9 - [25/Jun/2014:05:06:49 EDT] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=CA_agentV][Outcome=Success][ReqID=762][CertSerialNum=0x23f][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed

Expected Result: Since the cert is revoked by caadmin, it should report that caadmin revoked the user and not CA_agentV

[pki-bot]

Comment from mrniranjan (@mrniranjan) at 2014-06-25 11:25:56

Also the above is not reproducible every time, It seems to display correctly at times, and at times it doesn't display the right user

[pki-bot]

Comment from mharmsen (@mharmsen) at 2014-06-30 20:50:11

Per CS/DS meeting of 06/30/2014, proposed Milestone: Dogtag 10.2.1

NOTE: Seems important from an auditing correctness perspective.

[pki-bot]

Comment from mharmsen (@mharmsen) at 2014-09-24 20:20:32

Per Dogtag 10.2.3 Triage meeting of 09/24/2014 - proposed Milestone: 10.2.2

[pki-bot]

Comment from mharmsen (@mharmsen) at 2015-02-24 23:43:38

Per 10.2.2 Triage meeting of 02/24/2015: 10.2.3

[pki-bot]

Comment from edewata (@edewata) at 2015-05-05 21:21:04

Fixed in master:

• cb32779

[pki-bot]

Comment from mrniranjan (@mrniranjan) at 2017-02-27 14:12:24

Metadata Update from @mrniranjan:

• Issue assigned to edewata
• Issue set to the milestone: 10.2.4