#1054 When revoking the certificate using caadmin cert, Agent Interface doesn't correctly display that the cert is revoked by caadmin
Closed: Fixed None Opened 9 years ago by mrniranjan.

When revoking the certificate using caadmin cert, Agent doesn't correctly display that the cert is revoked by caadmin

We have a automation script which revoked the cert using caadmin certificate. caadmin user cert is imported to /opt/rhqa_pki/certs_db directory

certutil -L -d /opt/rhqa_pki/certs_db/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CT,C,C
CA_adminV                                                    u,u,u
CA_adminE                                                    u,u,u
CA_agentR                                                    u,u,u
CA_auditV                                                    u,u,u
PKI Administrator for lab.eng.pnq.redhat.com                 u,u,u
CA_adminR                                                    u,u,u
CA_agentV                                                    u,u,u
CA_agentE                                                    u,u,u
CA_operatorV                                                 u,u,u
[root@dhcp207-176 dogtag]# certutil -L -d /opt/rhqa_pki/certs_db/ -n "PKI Administrator for lab.eng.pnq.redhat.com" | less
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,O=lab.eng.pnq.redhat.com Security 
            Domain"
        Validity:
            Not Before: Thu Jun 19 11:29:11 2014
            Not After : Wed Jun 08 11:29:11 2016
        Subject: "CN=PKI Administrator,E=caadmin@lab.eng.pnq.redhat.com,O=lab
            .eng.pnq.redhat.com Security Domain"

Using the caadmin certificate , the automation script revokes the certificate approved by Agent.

As you can seem from the below script output, the script issues command:

pki -d /opt/rhqa_pki/certs_db -c redhat123 -n "PKI Administrator for lab.eng.pnq.redhat.com" cert-revoke 0x23f --force --reason unspecified

:: [   PASS   ] :: Running 'pki -d  /opt/rhqa_pki/certs_db                 -c redhat123                 -n "PKI Administrator for lab.eng.pnq.redhat.com"                 cert-revoke 0x23f --force --reason unspecified 1> /tmp/tmp.l1dXRkA7t8/exp_out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Revoked certificate "0x23f"'
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Serial Number: 0x23f'
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Issuer: CN=CA Signing Certificate,O=lab.eng.pnq.redhat.com Security Domain'
:: [   PASS   ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Status: REVOKED'
:: [ 05:06:50 ] ::  pki cert-find --revokedBy caadmin --minSerialNumber 0x23f
''':: [   PASS   ] :: Running 'pki cert-find --revokedBy caadmin --minSerialNumber 0x23f > /tmp/tmp.l1dXRkA7t8/cert_find_info' (Expected 0, got 0)'''
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Serial Number: 0x23f'
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Subject: UID=pkiuser50848,E=pkiuser50848@example.org,CN=pkiuser50848,OU=Engineering,O=Example.Inc,C=US'
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Number of entries'
:: [   FAIL   ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should not contain '0 entries found'

From the Agent Page when i view the cert(i.e when i view the certificate details), it displays that the cert was revoked by CA_agentV and not caadmin

Audit log also reports that it was CA_agent who revoked the cert.

0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:42 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=CA_agentV][Outcome=Success][aclResource=certServer.ca.request.profile][Op=approve] authorization success
0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:42 EDT] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=CA_agentV][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:43 EDT] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=CA_agentV][Outcome=Success][ReqID=761][InfoName=certificate][InfoValue=MIIEMzCCAxugAwIBAgICAj8wDQYJKoZIhvcNAQELBQAwUjEvMC0GA1UECgwmbGFiLmVuZy5wbnEucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTQwNjI1MDkwNjQwWhcNMTQxMjIyMDkwNjQwWjCBlzELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0V4YW1wbGUuSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEVMBMGA1UEAwwMcGtpdXNlcjUwODQ4MScwJQYJKoZIhvcNAQkBFhhwa2l1c2VyNTA4NDhAZXhhbXBsZS5vcmcxHDAaBgoJkiaJk/IsZAEBDAxwa2l1c2VyNTA4NDgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD97aAH+IuhFPSDBaKUuVdkQ6yUWeePyG5rMeRlIhRmA9XjG1cztbzw5Ry13C/E7cmM1kdUXytP+3Uuj8eHbYenIxZbEsOnQ0tj+PbqxS+g/wCBDdt2FCNVyzwx0mrNh3iLlMSJfVgZIm/b1nX3PpSWVKFksLwQ+8/qnEP5umY7jgtouTjoRdT3Uwu882dqjvGMvARt2jU+KIc+HyNaRGg/0XCj9WNREWJIisICPU/gGLIX8ktYaNtRtSNAIvO4cS4rigSRCv56CFSaIU3rn4EQpHuc1juEh7VzLRWOi7vTh2b8rnci7QqZ6e+cUKhJ4OZBzD3I5xGe8CKnSdgg0+JxAgMBAAGjgcwwgckwHwYDVR0jBBgwFoAUYlkcOUeKcqbOzR5hvSwi5eVCE14wUgYIKwYBBQUHAQEERjBEMEIGCCsGAQUFBzABhjZodHRwOi8vZGhjcDIwNy0xNzYubGFiLmVuZy5wbnEucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAjBgNVHREEHDAagRhwa2l1c2VyNTA4NDhAZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAD4q4VPv8gQ/KPQwbnPEE8LZf81lJ6SE312Ou0EEZaOlNrf31UI+w2AE2im7nDJby65s8+BSDEniibKp1OhWIwOWQr80uIbUTDSuX+qjW2gxDt1y3PcUU0DZVwVX6D/vH99Qmqeajs7JX2XUICPrZsoBkDIZ9T9BmSLBMmZjg0KCs9dVBjeDTvoVLPj69RNdCVF4STitaZLrCW+vu/gANPnHt5+nc6/k+dErWWFqQ4QAOWnFPF0Qd1L402FSc+POok6ENyC/2XD1YlkSXW8pd3Rai2z3LRBIhyINjohZmWipGzEmobGlTGPym7haZ4ELLdPIuhsShRs5DLGnG32MNgY=] certificate request processed
0.http-bio-8443-exec-9 - [25/Jun/2014:05:06:49 EDT] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=CA_agentV][Outcome=Success][ReqID=762][CertSerialNum=0x23f][RequestType=revoke] certificate revocation/unrevocation request made
0.http-bio-8443-exec-9 - [25/Jun/2014:05:06:49 EDT] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=CA_agentV][Outcome=Success][ReqID=762][CertSerialNum=0x23f][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed

Expected Result: Since the cert is revoked by caadmin, it should report that caadmin revoked the user and not CA_agentV


Also the above is not reproducible every time, It seems to display correctly at times, and at times it doesn't display the right user

Per CS/DS meeting of 06/30/2014, proposed Milestone: Dogtag 10.2.1

NOTE: Seems important from an auditing correctness perspective.

Per Dogtag 10.2.3 Triage meeting of 09/24/2014 - proposed Milestone: 10.2.2

Per 10.2.2 Triage meeting of 02/24/2015: 10.2.3

Fixed in master:

  • cb32779617947a16a0bfdc519a5ecbd0ae7019aa

Metadata Update from @mrniranjan:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.4

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1619

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata