Missing CN causing NPE in CMCAuth #2954

Closed
pki-bot opened this issue Oct 3, 2020 · 5 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2834. Originally filed by mharmsen (@mharmsen) on 2017-10-13 18:21:20:


Looking for better logging for detecting issue faster. Audit and debug don't
have much information to troubleshoot the issue. As a user they might need it.

  1. If we are trying to sign a SubCA certificate using a non Agent certificate
    it fails with
<debug logs>
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: ProfileSubmitCMCServlet: authenticate: Invalid Credential.
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message created for eventType=AUTH_FAIL
</debug logs>
  2. Audit logs don't provide exact failure reason:
<audit logs>
0.http-bio-8443-exec-19 - [03/Oct/2017:02:24:22 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=testing,E=Geetikakk@redhat.com,OU=Test2,C=IN][Outcome=Success] access session establish success
0.http-bio-8443-exec-19 - [03/Oct/2017:02:24:22 EDT] [14] [6] [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
0.http-bio-8443-exec-19 - [03/Oct/2017:02:24:22 EDT] [14] [6] [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
0.http-bio-8443-exec-19 - [03/Oct/2017:02:24:22 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=null][Outcome=Failure][AuthMgr=CMCAuth][AttemptedCred=null] authentication failure
</audit logs>

Steps to Reproduce:

1. Try to sign a SubCA certificate with a user certificate

Actual results:

Reason of failure is never listed in logs.

Expected results:

Reason should be visible in logs.
Example: user certificate does not have permissions to sign a subCA certificate

Additional info:

Debug logs with user certificate:
=================================

[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: CMCAuth: Invalid Credential.
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message created for eventType=CMC_SIGNED_REQUEST_SIG_VERIFY

[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message created for eventType=CMC_SIGNED_REQUEST_SIG_VERIFY

[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: ProfileSubmitCMCServlet: authenticate: Invalid Credential.
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message created for eventType=AUTH_FAIL

[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: CMCOutputTemplate: getContentInfo: begins
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: CMCOutputTemplate: getContentInfo:  - done
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: ProfileSubmitCMCServlet: authentication error Invalid Credential.
[03/Oct/2017:02:29:50][http-bio-8443-exec-23]: CMSServlet: curDate=Tue Oct 03 02:29:50 EDT 2017 id=caProfileSubmitCMCFull time=26

Debug logs with CA certificate:
===============================
[03/Oct/2017:02:34:54][http-bio-8443-exec-18]: SignedAuditEventFactory: create() message created for eventType=CMC_SIGNED_REQUEST_SIG_VERIFY

[03/Oct/2017:02:34:54][http-bio-8443-exec-18]: ProfileSubmitCMCServlet: authenticate: setting auditSubjectID in SessionContext:caadmin
[03/Oct/2017:02:34:54][http-bio-8443-exec-18]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS

[03/Oct/2017:02:34:54][http-bio-8443-exec-18]: ProfileSubmitCMCServlet authToken not null
[03/Oct/2017:02:34:54][http-bio-8443-exec-18]: CMSServlet: in auditSubjectID
[03/Oct/2017:02:34:54][http-bio-8443-exec-18]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@328ac2ac, userid=caadmin,
@pki-bot pki-bot added this to the 10.5.1 milestone Oct 3, 2020
@pki-bot pki-bot closed this as completed Oct 3, 2020

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-10-13 18:22:29

Metadata Update from @mharmsen:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1497920
  • Custom field type adjusted to None
  • Custom field version adjusted to None
  • Issue assigned to cfu
  • Issue priority set to: blocker
  • Issue set to the milestone: 10.5


pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2017-10-19 20:13:38

commit 26deac3 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu cfu@redhat.com
Date: Thu Oct 19 15:53:31 2017 -0700

Ticket 2834-Missing CN causing NPE in CMCAuth

This patch eliminates the wrong assumption that all subjectDN contains the
CN component.

Change-Id: I2a9dafe073be0562d1356012fb517b146251523e
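
Added example, not part of the issue or of the PKI code base: a triage script for the audit excerpt in the report. It links each `AUTH_FAIL` that carries `SubjectID=null` back to the subject recorded when the session was established on the same thread, and checks whether that DN has a CN component, the case the commit above addresses. The function names are hypothetical, and matching on thread name is an assumption that only holds while one request runs per pooled thread.

```python
import re

# Three audit lines from the issue's excerpt, rejoined where the page wrapped them.
SAMPLE = [
    "0.http-bio-8443-exec-19 - [03/Oct/2017:02:24:22 EDT] [14] [6] "
    "[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.12.28.208]"
    "[ServerIP=10.12.28.208][SubjectID=UID=testing,E=Geetikakk@redhat.com,"
    "OU=Test2,C=IN][Outcome=Success] access session establish success",
    "0.http-bio-8443-exec-19 - [03/Oct/2017:02:24:22 EDT] [14] [6] "
    "[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$]"
    "[Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$]"
    "[SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification",
    "0.http-bio-8443-exec-19 - [03/Oct/2017:02:24:22 EDT] [14] [6] "
    "[AuditEvent=AUTH_FAIL][SubjectID=null][Outcome=Failure][AuthMgr=CMCAuth]"
    "[AttemptedCred=null] authentication failure",
]

LINE = re.compile(r"^\d+\.(?P<thread>\S+) - \[(?P<ts>[^\]]+)\]")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")  # skips [14], [6] and the timestamp

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec = dict(FIELD.findall(line))
    rec.update(thread=m.group("thread"), ts=m.group("ts"))
    return rec

def has_cn(dn):
    # Splits on unescaped commas only; triage-grade, not a full RFC 4514 parser.
    return any(r.strip().upper().startswith("CN=") for r in re.split(r"(?<!\\),", dn))

def triage(lines):
    """Return one finding per anonymous AUTH_FAIL, with same-thread context."""
    session, prior, findings = {}, {}, []
    for rec in filter(None, map(parse, lines)):
        t, ev = rec["thread"], rec.get("AuditEvent")
        if ev == "ACCESS_SESSION_ESTABLISH_SUCCESS":
            session[t], prior[t] = rec.get("SubjectID"), []
        elif ev == "AUTH_FAIL" and rec.get("SubjectID") == "null":
            dn = session.get(t)
            findings.append({"thread": t, "ts": rec["ts"],
                             "session_subject": dn,
                             "dn_has_cn": has_cn(dn) if dn else None,
                             "preceded_by": list(prior.get(t, []))})
        elif rec.get("Outcome") == "Failure":
            prior.setdefault(t, []).append(ev)
    return findings
```
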


pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2017-10-19 20:13:38

Metadata Update from @cfu:

  • Issue close_status updated to: fixed
  • Issue status updated to: Closed (was: Open)


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-10-26 19:57:30

Metadata Update from @mharmsen:

  • Issue set to the milestone: 10.5.1 (was: 10.5)


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-11-03 19:34:30

Metadata Update from @mharmsen:

  • Custom field fixedinversion adjusted to pki-core-10.5.1-1.fc27
