This patch adds the missing revocation check (and possibly validity check) to

https://pagure.io/dogtagpki/issue/2617 Allow CA to process pre-signed CMC non-signing certificate requests

The code that CMCUserSignedAuth originated from, CMCAuth, has a confusing comment where it states:

// verify signer's certificate using the revocator
right above the CryptoManager.isCertValid() call, which misled me into believing that the call checks revocation status.

While working on CMC revocation (upcoming patch), I found out that this is not entirely the case: the call did not check revocation status when I used a revoked cert to sign the CMC request. I am adding revocation and validity checks to make the check more complete.

thanks,

Christina

>From 380f7fda040cc5d394e34eead45ebb921532cc07 Mon Sep 17 00:00:00 2001
From: Christina Fu <c...@redhat.com>
Date: Mon, 5 Jun 2017 08:50:25 -0700
Subject: [PATCH] Ticket #2617 part2: add revocation check to signing cert

---
 .../cms/authentication/CMCUserSignedAuth.java         | 19 +++++++++++++++++++
 .../authentication/CertUserDBAuthentication.java      |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index 2128c1e..a18c25e 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.cert.CertificateExpiredException;
 import java.security.MessageDigest;
 import java.security.PublicKey;
 import java.util.Enumeration;
@@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
                             si.verify(digest, id, pubK);
                         }
                         CMS.debug(method + "finished checking signature");
+
                         // verify signer's certificate using the revocator
+                        // ...or not;  I think it just checks usage and
+                        // validity, but not revocation status
                         if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
                             CMS.debug(method + "CMC signature failed to be verified");
                             s.close();
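Review bot: The added comment keeps the misleading line `// verify signer's certificate using the revocator` and answers it with a guess ("I think"), so the next reader still cannot tell what the isCertValid call is relied on for. Replace both with one statement of the observed behaviour, for example `// isCertValid: usage and validity only; it did not reject a revoked signer, so revocation is checked separately below`. The description says CMCAuth carries the same comment above the same call, and this commit does not touch that file, so it is worth confirming whether CMCAuth has the same gap. The enclosing method starts and ends outside this hunk.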
@@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
                         }
                         // At this point, the signature has been verified;
 
+                        // now check revocation status of the cert
+                        if (CMS.isRevoked(x509Certs)) {
+                            CMS.debug(method + "CMC signing cert is a revoked certificate");
+                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                        }
+                        try { //do this again anyways
+                            cert.checkValidity();
+                        } catch (CertificateExpiredException e) {
+                            CMS.debug(method + "CMC signing cert is an expired certificate");
+                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                        } catch (Exception e) {
+                            CMS.debug(method + e.toString());
+                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                        }
+
                         IAuthToken tempToken = new AuthToken(null);
 /*
                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
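Review bot: The three new rejection paths throw EInvalidCredentials without the `s.close();` that the isCertValid failure branch just above performs, so `s` may be left open whenever a revoked or expired signer is rejected; add `s.close();` before each new `throw`, unless a finally outside this hunk already covers it. The revoked-signer case is recorded only through `CMS.debug`, and a CMC request signed with a revoked certificate is a security-relevant event that deserves a failure-level log entry carrying the certificate serial number and subject. How `CMS.isRevoked(x509Certs)` answers when revocation status cannot be determined is not visible here; it should fail closed, and it should be confirmed that `x509Certs` and `cert` refer to the same signing certificate. The enclosing method continues outside this hunk.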
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
index 998d7e2..ae450fa 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
@@ -168,7 +168,7 @@ public class CertUserDBAuthentication implements IAuthManager, ICertUserDBAuthen
         try {
             user = (User) mCULocator.locateUser(certs);
         } catch (EUsrGrpException e) {
-            CMS.debug("CertUserDBAuthentication: cannot map certificate to any user");
+            CMS.debug("CertUserDBAuthentication: cannot map certificate to any user" + e);
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_AUTH_FAILED", x509Certs[0].getSerialNumber()
                     .toString(16), x509Certs[0].getSubjectDN().toString(), e.toString()));
             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
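Review bot: The changed debug line concatenates the exception directly onto the message, so the output reads `...to any userEUsrGrpException...` with no separator. Use `CMS.debug("CertUserDBAuthentication: cannot map certificate to any user: " + e);` so the exception text is distinguishable when searching logs for failed certificate-to-user mappings. The surrounding try block begins and ends outside this hunk.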
-- 
2.7.4
