When trying to use a revoked certificate, the behavior below was observed.
Issue 1: System, debug and Audit logs are not in sync.
Issue 2: We face Invalid number format.
Issue 3: Since the certificate is revoked, why is it hitting Unauthorized? Unauthorized should not come once we revoke certs. It should come once we change the permissions, like removing from group.
Steps to Reproduce:
Step 1:
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" client-cert-request "cn=testing,uid=testusercert" --profile caUserCert
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 80000012
Type: enrollment
Request Status: pending
Operation Result: success
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" cert-request-review 80000012 --action approve
-------------------------------------
Approved certificate request 80000012
-------------------------------------
Request ID: 80000012
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x8226cb48
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-add test1 --fullName test1
------------------
Added user "test1"
------------------
User ID: test1
Full name: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-cert-add test1 --serial 0x8226cb48
--------------------------------------------------------------------------------------------------------------------------------
Added certificate "2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing"
--------------------------------------------------------------------------------------------------------------------------------
Cert ID: 2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing
Version: 2
Serial Number: 0x8226cb48
Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
Subject: UID=testusercert,CN=testing
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Certificate Manager Agents" test1
--------------------------
Added group member "test1"
--------------------------
User: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Administrators" test1
--------------------------
Added group member "test1"
--------------------------
User: test1
Testing
=====
# pki -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika --fullName geetika
--------------------
Added user "geetika"
--------------------
User ID: geetika
Full name: geetika
Step 2: Revoke this certificate.
Step 3: Make sure it is part of your CA's CRL.
CRL:
Certificate revocation list contents
Certificate Revocation List:
Data:
Signature Algorithm: SHA512withRSA
Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
This Update: Wednesday, January 10, 2018 7:04:47 AM EST America/New_York
Next Update: Wednesday, January 10, 2018 9:00:00 AM EST America/New_York
Revoked Certificates: 1-2 of 2
Serial Number: 0x8226CB48
Revocation Date: Monday, January 8, 2018 6:01:08 AM EST America/New_York
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Certificate_Hold
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Sat Jan 06 13:30:00 EST 2018
Serial Number: 0x1D5144C
Revocation Date: Monday, January 8, 2018 5:17:32 AM EST America/New_York
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: CA_Compromise
Step 4: Now try the same testing procedure again.
# pki -v -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika11 --fullName geetika
com.netscape.certsrv.base.PKIException: Unauthorized
at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)
Actual results:
Why are the system, debug and Audit logs not in sync?
We face Invalid number format.
Expected results:
It should work
Probably it fails at this code: new BigInteger(requestId);
It fails since the requestId is a hex string instead of decimal.
The problem happens because the code is trying to parse a request ID with
value 0x8226CB4 as a bigint, which expects a decimal value. I'm not sure why
it's doing that; that will need further investigation.
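The parsing failure described in the comments above, reproduced as an added example that is not Dogtag PKI code: the single-argument `BigInteger` constructor reads decimal only, so a `0x`-prefixed ID raises `NumberFormatException`. `IdParseDemo` and `parseId` are hypothetical names; the serial number is the one shown in the report.

```java
import java.math.BigInteger;

// Added illustration; IdParseDemo and parseId are hypothetical names, not PKI code.
public class IdParseDemo {

    // Accepts "0x"-prefixed hex or plain decimal; rejects empty and signed input.
    static BigInteger parseId(String text) {
        if (text == null) {
            throw new IllegalArgumentException("ID is null");
        }
        String s = text.trim();
        boolean hex = s.regionMatches(true, 0, "0x", 0, 2);
        String digits = hex ? s.substring(2) : s;
        if (digits.isEmpty() || digits.charAt(0) == '-' || digits.charAt(0) == '+') {
            throw new IllegalArgumentException("Invalid ID: \"" + text + "\"");
        }
        try {
            return new BigInteger(digits, hex ? 16 : 10);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Invalid ID: \"" + text + "\"", e);
        }
    }

    public static void main(String[] args) {
        String serial = "0x8226cb48"; // serial number shown in the report

        // Radix-10 constructor: 'x' is not a decimal digit, so this throws.
        try {
            new BigInteger(serial);
        } catch (NumberFormatException e) {
            System.out.println("new BigInteger(\"" + serial + "\") -> " + e);
        }

        // Integer.decode understands the prefix, but the value exceeds Integer.MAX_VALUE.
        try {
            Integer.decode(serial);
        } catch (NumberFormatException e) {
            System.out.println("Integer.decode(\"" + serial + "\") -> " + e);
        }

        // The hex serial and the decimal field of the Cert ID "2;2183580488;..."
        // parse to the same number.
        System.out.println(parseId(serial));
        System.out.println(parseId(serial).equals(parseId("2183580488")));
    }
}
```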
This issue was migrated from Pagure Issue #2894. Originally filed by mharmsen (@mharmsen) on 2018-01-09 20:35:26.