This patch adds the missing revocation check (and, as a belt-and-braces measure, a validity check) to the signing-certificate verification done for
https://pagure.io/dogtagpki/issue/2617 (Allow CA to process pre-signed
CMC non-signing certificate requests).
The code that CMCUserSignedAuth originated from, CMCAuth, has a
confusing comment where it states:
// verify signer's certificate using the revocator
right above the CryptoManager.isCertValid() call, which misled me into
believing that the call checks revocation status.
During work on CMC revocation (upcoming patch), I found out that this is not
entirely the case: the call did not reject the request when I used a revoked
cert to sign the CMC request. I am adding explicit revocation and validity
checks so that the verification is more complete.
thanks,
Christina
>From 380f7fda040cc5d394e34eead45ebb921532cc07 Mon Sep 17 00:00:00 2001
From: Christina Fu <c...@redhat.com>
Date: Mon, 5 Jun 2017 08:50:25 -0700
Subject: [PATCH] Ticket #2617 part2: add revocation check to signing cert
---
.../cms/authentication/CMCUserSignedAuth.java | 19 +++++++++++++++++++
.../authentication/CertUserDBAuthentication.java | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index 2128c1e..a18c25e 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
+import java.security.cert.CertificateExpiredException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Enumeration;
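Review bot: The new `import java.security.cert.CertificateExpiredException;` is inserted between `java.math.BigInteger` and `java.security.MessageDigest`, breaking the alphabetical order the surrounding imports follow; it belongs after `java.security.PublicKey`. If the validity check later in this patch is to distinguish a not-yet-valid certificate from other failures, `import java.security.cert.CertificateNotYetValidException;` should be added here alongside it.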
@@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
si.verify(digest, id, pubK);
}
CMS.debug(method + "finished checking signature");
+
// verify signer's certificate using the revocator
+ // ...or not; I think it just checks usage and
+ // validity, but not revocation status
if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
CMS.debug(method + "CMC signature failed to be verified");
s.close();
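Review bot: The added comment hedges ("I think") instead of stating what the `isCertValid` call guarantees, which leaves the next reader as unsure as the author was, and the retained line `// verify signer's certificate using the revocator` is precisely the misleading one the cover letter describes, so it is the line to replace rather than annotate. Suggest collapsing both into a single definitive comment, `// isCertValid() checks chain, key usage and validity period only; revocation status is checked separately below`, after confirming the exact behaviour against the JSS CryptoManager documentation. The enclosing if block and method continue outside this hunk.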
@@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
}
// At this point, the signature has been verified;
+ // now check revocation status of the cert
+ if (CMS.isRevoked(x509Certs)) {
+ CMS.debug(method + "CMC signing cert is a revoked certificate");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ try { //do this again anyways
+ cert.checkValidity();
+ } catch (CertificateExpiredException e) {
+ CMS.debug(method + "CMC signing cert is an expired certificate");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ } catch (Exception e) {
+ CMS.debug(method + e.toString());
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
IAuthToken tempToken = new AuthToken(null);
/*
netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
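Review bot: The new revoked and expired branches throw `EInvalidCredentials` without closing `s`, whereas the `isCertValid` failure branch just above calls `s.close()` before its throw; if `s` is still open at this point the new failure paths leak it, so add `s.close();` before each of the three new throws (or, if `s` is AutoCloseable, move it into a try-with-resources so every exit path closes it). `cert.checkValidity()` also throws `CertificateNotYetValidException`, which currently falls into the generic `catch (Exception e)` and is logged only as `e.toString()`; catching it explicitly, `catch (CertificateNotYetValidException e) { CMS.debug(method + "CMC signing cert is not yet valid"); ... }`, keeps the log as specific as the expired case. The comment `//do this again anyways` should say why the re-check is wanted, e.g. `// re-check the validity period here so this path does not depend on what isCertValid() verifies internally`. The enclosing method continues outside this hunk.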
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
index 998d7e2..ae450fa 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
@@ -168,7 +168,7 @@ public class CertUserDBAuthentication implements IAuthManager, ICertUserDBAuthen
try {
user = (User) mCULocator.locateUser(certs);
} catch (EUsrGrpException e) {
- CMS.debug("CertUserDBAuthentication: cannot map certificate to any user");
+ CMS.debug("CertUserDBAuthentication: cannot map certificate to any user" + e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_AUTH_FAILED", x509Certs[0].getSerialNumber()
.toString(16), x509Certs[0].getSubjectDN().toString(), e.toString()));
throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
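Review bot: The changed debug line concatenates the exception directly onto the message with no separator, so the log reads like `...cannot map certificate to any userEUsrGrpException: ...`; use `CMS.debug("CertUserDBAuthentication: cannot map certificate to any user: " + e);`. The `log(...)` call that follows already records `e.toString()` in the failure audit entry, so the addition only affects the debug log, which is fine provided the exception text carries nothing sensitive — a user-lookup exception presumably does not, but worth a glance. The enclosing catch block continues outside this hunk.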
--
2.7.4