Unauthorized and Invalid number format Exception during revoked certs usage #3012

pki-bot opened this issue Oct 3, 2020 · 4 comments

@pki-bot

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2894. Originally filed by mharmsen (@mharmsen) on 2018-01-09 20:35:26:


When trying to use a revoked certificate, the behavior below was observed.

Issue 1: system, debug and audit logs are not in sync.
Issue 2: facing an Invalid number format exception.
Issue 3: Since the certificate is revoked, why is it hitting Unauthorized? Unauthorized should not come once we revoke certs. It should come once we change the permissions, like removing from a group.

Steps to Reproduce:

Step 1:

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" client-cert-request "cn=testing,uid=testusercert" --profile caUserCert
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: pending
  Operation Result: success

# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" cert-request-review 80000012  --action approve
-------------------------------------
Approved certificate request 80000012
-------------------------------------
  Request ID: 80000012
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x8226cb48
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-add test1 --fullName test1
------------------
Added user "test1"
------------------
  User ID: test1
  Full name: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-user-cert-add test1 --serial 0x8226cb48
--------------------------------------------------------------------------------------------------------------------------------
Added certificate "2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing"
--------------------------------------------------------------------------------------------------------------------------------
  Cert ID: 2;2183580488;CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA;UID=testusercert,CN=testing
  Version: 2
  Serial Number: 0x8226cb48
  Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
  Subject: UID=testusercert,CN=testing
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Certificate Manager Agents" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1
# pki -d . -c SECret.123 -P https -p 28443 -n "PKI CA Administrator" ca-group-member-add "Administrators" test1
--------------------------
Added group member "test1"
--------------------------
  User: test1

Testing
=====
# pki -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika --fullName geetika
--------------------
Added user "geetika"
--------------------
  User ID: geetika
  Full name: geetika

Step 2: Revoke this certificate.
Step 3: Make sure it is part of your CA's CRL.

CRL:

Certificate revocation list contents

    Certificate Revocation List: 
        Data: 
            Signature Algorithm: SHA512withRSA
            Issuer: CN=CA Signing Certificate,OU=rhcs-0day-trial-75,O=Example-rhcs92-CA
            This Update: Wednesday, January 10, 2018 7:04:47 AM EST America/New_York
            Next Update: Wednesday, January 10, 2018 9:00:00 AM EST America/New_York
            Revoked Certificates: 1-2 of 2
                Serial Number: 0x8226CB48
                Revocation Date: Monday, January 8, 2018 6:01:08 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: Certificate_Hold
                    Identifier: Invalidity Date - 2.5.29.24
                        Critical: no 
                        Invalidity Date: Sat Jan 06 13:30:00 EST 2018
                Serial Number: 0x1D5144C
                Revocation Date: Monday, January 8, 2018 5:17:32 AM EST America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: CA_Compromise

Step 4: Now try the same testing procedure again.

# pki -v -d . -c SECret.123 -P http -p 28080 -n "test1" ca-user-add geetika11 --fullName geetika

com.netscape.certsrv.base.PKIException: Unauthorized
    at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
    at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
    at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
    at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)

Actual results:

The system, debug and audit logs are not in sync.
We face an Invalid number format exception.

Expected results:

It should work.
@pki-bot pki-bot added this to the 10.6 milestone Oct 3, 2020
@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-01-09 20:35:51

Metadata Update from @mharmsen:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1532748
  • Custom field type adjusted to None
  • Custom field version adjusted to None

@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-01-09 20:37:49

edewata wrote:

probably it fails at this code: new BigInteger(requestId);

it fails since the requestId is a hex string instead of decimal

the problem happens because the code is trying to parse a request ID with
value 0x8226CB4 as a bigint which expects a decimal value. I'm not sure why
it's doing that, that will need further investigation

here's the code:

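Added illustration of the failure edewata describes (this is not the Dogtag code referred to above, which is not quoted on this page): Java's BigInteger(String) constructor parses decimal only, so a 0x-prefixed request or serial ID such as the 0x8226CB48 shown in the CLI output raises NumberFormatException. The snippet reproduces that and shows a tolerant parser that accepts both the hex form and the decimal form 2183580488 that appears in the Cert ID above; the class and method names are assumptions for this example.

```java
import java.math.BigInteger;

/** Added example, not Dogtag PKI code: decimal-only vs tolerant ID parsing. */
public class RequestIdParsing {

    /** Mirrors the failing call from the issue: BigInteger(String) expects decimal digits only. */
    public static BigInteger parseDecimalOnly(String id) {
        return new BigInteger(id);   // throws NumberFormatException for "0x8226CB48"
    }

    /** Accepts a decimal ID ("2183580488") or a 0x/0X-prefixed hex ID ("0x8226CB48"). */
    public static BigInteger parseId(String id) {
        if (id == null) {
            throw new IllegalArgumentException("id must not be null");
        }
        String s = id.trim();
        if (s.regionMatches(true, 0, "0x", 0, 2)) {
            if (s.length() == 2) {
                throw new NumberFormatException("empty hex id: " + id);
            }
            return new BigInteger(s.substring(2), 16);   // radix 16 for the hex digits
        }
        return new BigInteger(s, 10);                    // plain decimal
    }

    public static void main(String[] args) {
        String hexId = "0x8226CB48";   // serial as printed by the pki CLI in the report
        String decId = "2183580488";   // same value, as it appears in "2;2183580488;CN=..."

        try {
            parseDecimalOnly(hexId);
        } catch (NumberFormatException e) {
            // This is the "Invalid number format" path from the issue.
            System.out.println("decimal-only parse rejected " + hexId + ": " + e.getMessage());
        }

        BigInteger fromHex = parseId(hexId);
        BigInteger fromDec = parseId(decId);
        // Both forms resolve to the same value, so the ID can be compared or looked up safely.
        System.out.println(fromHex + " equals " + fromDec + " -> " + fromHex.equals(fromDec));
    }
}
```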
@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-01-18 14:51:23

Per PKI Team Meeting of 20180118 moving to 10.6

@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-01-18 14:51:24

Metadata Update from @mharmsen:

  • Issue set to the milestone: 10.6 (was: 10.5)
