When signed audit log is enabled in TPS, the log file contains at least one invalid signature.
Steps to reproduce:
1. Install TPS.
2. Enable signed audit log via TPS UI.
3. Restart server.
4. Create an audit.txt containing the path to the TPS audit log.
5. Verify the log with this command:
$ AuditVerify -d /var/lib/pki/pki-tomcat/alias \
    -n "auditSigningCert cert-pki-tomcat TPS" \
    -a audit.txt
Actual result: The tool reports one invalid signature:
====== File: /var/log/pki/pki-tomcat/tps/signedAudit/tps_cert-tps_audit ======
Line 26: VERIFICATION FAILED: signature of /var/log/pki/pki-tomcat/tps/signedAudit/tps_cert-tps_audit:1 to /var/log/pki/pki-tomcat/tps/signedAudit/tps_cert-tps_audit:25
Verification process complete.
Valid signatures: 3
Invalid signatures: 1
Expected result: All signatures should be valid.
See also http://pki.fedoraproject.org/wiki/TPS_Audit_Log.
Per CS/DS Triage Meeting of 03/22/2016: 10.3
NOTE: If verified, notify mharmsen to create a corresponding Bugzilla Bug for QE.
What happens is that the signature starts calculating from its in-memory audit log message when it signs, and since log signing is turned on mid-way (not from a fresh new log file), the previous content was not signed along for calculating the first signature (and rightfully so).
When AuditVerify is run, it does not know where the log signing begins, so it assumes it starts from the beginning of the file till the first signature. This is why the first signature (if signing is turned on mid-way) will always appear to be incorrect.
I think it can be ignored, or, as a workaround, try giving it a fresh empty log file when restarting the server with log signing.
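To make the mismatch described above concrete, here is a small simulation added for this page (not Dogtag's own code): an HMAC stands in for the RSA signature, the signature marker line and the log events are constructed, and the verifier makes the same assumption AuditVerify does, namely that the first signature covers the file from line 1.

```python
import hashlib
import hmac

# Constructed demo key; stands in for the audit signing certificate's private key.
KEY = b"constructed-demo-key"
MARK = "SIGNATURE sig="   # constructed marker for a signature entry in the log

def sign_block(lines):
    """HMAC stands in for the RSA signature over the lines since the last signature."""
    return hmac.new(KEY, "\n".join(lines).encode(), hashlib.sha256).hexdigest()

def write_signed_log(preexisting, events, per_block=2):
    """Simulate the TPS signer: `preexisting` lines were already in the file before
    signing was enabled; the signer only signs what it logged itself since the
    last signature, so the pre-existing lines are never covered."""
    log = list(preexisting)
    pending = []
    for ev in events:
        log.append(ev)
        pending.append(ev)
        if len(pending) == per_block:
            log.append(MARK + sign_block(pending))
            pending = []
    return log

def verify(log):
    """Verifier with AuditVerify's assumption: every signature covers all lines since
    the previous signature, and the first one covers the file from line 1."""
    results, pending = [], []
    for line in log:
        if line.startswith(MARK):
            results.append(hmac.compare_digest(line[len(MARK):], sign_block(pending)))
            pending = []
        else:
            pending.append(line)
    return results

EVENTS = [f"EVENT_{i} outcome=Success" for i in range(1, 9)]   # constructed events

def verify_midway():
    """Signing turned on mid-way: two unsigned lines precede the first signed block."""
    return verify(write_signed_log(["OLD_UNSIGNED_1", "OLD_UNSIGNED_2"], EVENTS))

def verify_fresh():
    """Workaround from the thread: start signing on a fresh, empty log file."""
    return verify(write_signed_log([], EVENTS))

def summarize(results):
    return sum(results), len(results) - sum(results)   # (valid, invalid)

if __name__ == "__main__":
    print("mid-way :", summarize(verify_midway()))   # (3, 1)
    print("fresh   :", summarize(verify_fresh()))    # (4, 0)
```

The mid-way case reproduces the "3 valid, 1 invalid" pattern from the report: only the first signature fails, because the verifier folds the unsigned pre-existing lines into the first block while the signer never saw them.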
Per my previous comment, closing this bug. Man page bug has been opened: https://fedorahosted.org/pki/ticket/2246 Man Page: AuditVerify
Note: I'm closing this as "wont fix" because potentially one could make the tool smarter by making it read up ALL the log before it calculates its first signature, but I think that would be an overkill especially if the log is large.
Metadata Update from @edewata:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.0.b1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2337
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.