diff --git a/.github/workflows/ipa-subca-test.yml b/.github/workflows/ipa-subca-test.yml index 438d54e1ce2..808cb7f82c4 100644 --- a/.github/workflows/ipa-subca-test.yml +++ b/.github/workflows/ipa-subca-test.yml @@ -96,11 +96,16 @@ jobs: docker exec ipa pki nss-cert-import \ --cert root-ca_signing.crt \ --trust CT,C,C \ + root-ca_signing + + docker exec ipa pki nss-cert-import \ + --cert ipa.crt \ ca_signing docker exec ipa pki pkcs12-import \ --pkcs12 /root/ca-agent.p12 \ --pkcs12-password Secret.123 + docker exec ipa pki -n ipa-ca-agent ca-user-show admin - name: Check lightweight CAs diff --git a/.github/workflows/server-https-nss-test.yml b/.github/workflows/server-https-nss-test.yml index b0fd075ce20..8b5aa18f1af 100644 --- a/.github/workflows/server-https-nss-test.yml +++ b/.github/workflows/server-https-nss-test.yml @@ -163,7 +163,7 @@ jobs: -o /dev/null \ https://pki.example.com:8443 - - name: Check PKI CLI with untrusted server cert + - name: Check PKI CLI with unknown issuer run: | # run PKI CLI but don't trust the cert echo n | docker exec -i client pki -U https://pki.example.com:8443 info \ @@ -178,7 +178,7 @@ jobs: # check stderr cat > expected << EOF - WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate' + WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate' Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE IOException: Unable to write to socket: Failed to write to socket: (-5987) Invalid function argument. EOF @@ -190,7 +190,7 @@ jobs: diff /dev/null output - - name: Check PKI CLI with untrusted server cert with wrong hostname + - name: Check PKI CLI with unknown issuer with wrong hostname run: | # run PKI CLI with wrong hostname echo n | docker exec -i client pki -U https://server.example.com:8443 info \ 
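Review bot: The new `nss-cert-import --cert ipa.crt ca_signing` step in the ipa-subca-test hunk at @@ -96 imports the sub-CA certificate with no `--trust` flags, right after the root is imported with `CT,C,C`, and nothing in the step says why the intermediate is deliberately left untrusted. Presumably the intent is that trust stays anchored on `root-ca_signing` and the sub-CA cert is only needed so the client can build the chain, but that is inferred; a one-line comment above the import, e.g. `# import sub-CA signing cert without trust flags; trust is anchored on root-ca_signing`, would make the trust model of the test explicit. The same unexplained pattern appears in subca-basic-test @@ -172, subca-clone-test @@ -116 and @@ -246, subca-cmc-test @@ -187 and subca-external-test @@ -117, so one wording could be reused there. The added `ca-user-show` line is what actually proves the chain validates without a trust prompt, so a short comment naming that purpose (`# verify the chain validates without an interactive trust prompt`) is worth adding as well.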
@@ -205,8 +205,8 @@ jobs: # check stderr cat > expected << EOF + WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate' WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki.example.com' indicates a common-name mismatch - WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate' Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE IOException: Unable to write to socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate. EOF @@ -229,7 +229,7 @@ jobs: # check stderr cat > expected << EOF - WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate' + WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate' Trust this certificate (y/N)? EOF diff --git a/.github/workflows/server-https-pkcs12-test.yml b/.github/workflows/server-https-pkcs12-test.yml index c2be337d02e..6a892fac791 100644 --- a/.github/workflows/server-https-pkcs12-test.yml +++ b/.github/workflows/server-https-pkcs12-test.yml @@ -197,7 +197,7 @@ jobs: -o /dev/null \ https://pki.example.com:8443 - - name: Check PKI CLI with untrusted server cert + - name: Check PKI CLI with unknown issuer run: | # run PKI CLI but don't trust the cert echo n | docker exec -i client pki \ @@ -214,7 +214,7 @@ jobs: # check stderr cat > expected << EOF - WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate' + WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate' Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE IOException: Unable to write to socket: Failed to write to socket: (-5987) Invalid function argument. EOF 
@@ -226,7 +226,7 @@ jobs: diff /dev/null output - - name: Check PKI CLI with untrusted server cert and wrong hostname + - name: Check PKI CLI with unknown issuer and wrong hostname run: | # run PKI CLI with wrong hostname echo n | docker exec -i client pki \ @@ -243,8 +243,8 @@ jobs: # check stderr cat > expected << EOF + WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate' WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki.example.com' indicates a common-name mismatch - WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate' Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE IOException: Unable to write to socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate. EOF @@ -269,7 +269,7 @@ jobs: # check stderr cat > expected << EOF - WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate' + WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate' Trust this certificate (y/N)? EOF diff --git a/.github/workflows/subca-basic-test.yml b/.github/workflows/subca-basic-test.yml index 8accb955898..4b9e9fbd4be 100644 --- a/.github/workflows/subca-basic-test.yml +++ b/.github/workflows/subca-basic-test.yml @@ -172,11 +172,16 @@ jobs: docker exec subordinate pki nss-cert-import \ --cert $SHARED/root-ca_signing.crt \ --trust CT,C,C \ + root-ca_signing + + docker exec subordinate pki nss-cert-import \ + --cert ca_signing.crt \ ca_signing docker exec subordinate pki pkcs12-import \ --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ --pkcs12-password Secret.123 + docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin - name: Check cert requests in subordinate CA 
diff --git a/.github/workflows/subca-clone-hsm-test.yml b/.github/workflows/subca-clone-hsm-test.yml index a62cf72c68d..1013a175247 100644 --- a/.github/workflows/subca-clone-hsm-test.yml +++ b/.github/workflows/subca-clone-hsm-test.yml @@ -283,6 +283,7 @@ jobs: docker exec primary-subca pki pkcs12-import \ --pkcs12 $SHARED/caadmin.p12 \ --pkcs12-password Secret.123 + docker exec primary-subca pki -n caadmin ca-user-show caadmin - name: Set up secondary DS container diff --git a/.github/workflows/subca-clone-test.yml b/.github/workflows/subca-clone-test.yml index 86d7ba1dff2..7a71ccbca44 100644 --- a/.github/workflows/subca-clone-test.yml +++ b/.github/workflows/subca-clone-test.yml @@ -116,9 +116,14 @@ jobs: --trust CT,C,C \ root-ca_signing + docker exec primary-subca pki nss-cert-import \ + --cert $SHARED/subca_signing.crt \ + ca_signing + docker exec primary-subca pki pkcs12-import \ --pkcs12 $SHARED/caadmin.p12 \ --pkcs12-password Secret.123 + docker exec primary-subca pki -n caadmin ca-user-show caadmin - name: Export primary sub-CA certs @@ -246,9 +251,14 @@ jobs: --trust CT,C,C \ root-ca_signing + docker exec secondary-subca pki nss-cert-import \ + --cert $SHARED/subca_signing.crt \ + ca_signing + docker exec secondary-subca pki pkcs12-import \ --pkcs12 $SHARED/caadmin.p12 \ --pkcs12-password Secret.123 + docker exec secondary-subca pki -n caadmin ca-user-show caadmin - name: Check users in primary sub-CA and secondary sub-CA diff --git a/.github/workflows/subca-cmc-test.yml b/.github/workflows/subca-cmc-test.yml index 7f1711310b3..f67c147c841 100644 --- a/.github/workflows/subca-cmc-test.yml +++ b/.github/workflows/subca-cmc-test.yml 
@@ -187,10 +187,19 @@ jobs: - name: Verify subordinate CA admin cert run: | - docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b + docker exec subordinate pki nss-cert-import \ + --cert $SHARED/root-ca_signing.crt \ + --trust CT,C,C \ + root-ca_signing + + docker exec subordinate pki nss-cert-import \ + --cert ca_signing.crt \ + ca_signing + docker exec subordinate pki pkcs12-import \ --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ --pkcs12-password Secret.123 + docker exec subordinate pki -n caadmin ca-user-show caadmin - name: Check cert requests in subordinate CA diff --git a/.github/workflows/subca-external-test.yml b/.github/workflows/subca-external-test.yml index 6d58655f18a..1c34c71f1b6 100644 --- a/.github/workflows/subca-external-test.yml +++ b/.github/workflows/subca-external-test.yml @@ -117,11 +117,16 @@ jobs: docker exec pki pki nss-cert-import \ --cert root-ca_signing.crt \ --trust CT,C,C \ + root-ca_signing + + docker exec pki pki nss-cert-import \ + --cert ca_signing.crt \ ca_signing docker exec pki pki pkcs12-import \ --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ --pkcs12-password Secret.123 + docker exec pki pki -n caadmin ca-user-show caadmin - name: Check cert requests in CA diff --git a/.github/workflows/subca-hsm-test.yml b/.github/workflows/subca-hsm-test.yml index 86bb3d6fcff..71b2b33cbd1 100644 --- a/.github/workflows/subca-hsm-test.yml +++ b/.github/workflows/subca-hsm-test.yml @@ -272,6 +272,7 @@ jobs: docker exec pki pki pkcs12-import \ --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ --pkcs12-password Secret.123 + docker exec pki pki -n caadmin ca-user-show caadmin - name: Check CA certs and requests diff --git a/base/common/src/main/java/com/netscape/certsrv/client/PKICertificateApprovalCallback.java b/base/common/src/main/java/com/netscape/certsrv/client/PKICertificateApprovalCallback.java index 795acee9e07..4c6e9835bdd 100644 
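Review bot: In the subca-cmc-test hunk at @@ -187 the root certificate is read from `$SHARED/root-ca_signing.crt` while the sub-CA certificate is read as a bare `ca_signing.crt`, and the line being replaced read it from `$SHARED/ca_signing.p7b`. If no earlier step (outside this chunk) writes `ca_signing.crt` into the subordinate container's working directory, this import fails at this step; if the file is meant to come from the shared volume, `--cert $SHARED/ca_signing.crt \` keeps the two imports consistent with each other and with subca-clone-test, which reads `$SHARED/subca_signing.crt`. Either way a comment stating where `ca_signing.crt` is produced would save the next reader the search.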
--- a/base/common/src/main/java/com/netscape/certsrv/client/PKICertificateApprovalCallback.java +++ b/base/common/src/main/java/com/netscape/certsrv/client/PKICertificateApprovalCallback.java @@ -109,11 +109,17 @@ public String getMessage(org.mozilla.jss.crypto.X509Certificate serverCert, int } if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) { - return "UNTRUSTED ISSUER encountered on '" + + return "UNTRUSTED_ISSUER encountered on '" + serverCert.getSubjectDN() + "' indicates a non-trusted CA cert '" + serverCert.getIssuerDN() + "'"; } + if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) { + return "UNKNOWN_ISSUER encountered on '" + + serverCert.getSubjectDN() + "' indicates an unknown CA cert '" + + serverCert.getIssuerDN() + "'"; + } + if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) { return "CA_CERT_INVALID encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!"; } @@ -126,7 +132,7 @@ public String getMessage(org.mozilla.jss.crypto.X509Certificate serverCert, int return "Unknown/undefined reason "+reason+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!"; } - public boolean handleUntrustedIssuer(org.mozilla.jss.crypto.X509Certificate serverCert) { + public boolean trustCert(org.mozilla.jss.crypto.X509Certificate serverCert) { try { System.err.print("Trust this certificate (y/N)? "); @@ -172,7 +178,9 @@ public boolean approve(X509Certificate cert, ValidityStatus status) { // continue, or you can continue to make further tests of // your own to determine trustworthiness. Enumeration errors = status.getReasons(); + boolean approval = true; + boolean prompt = false; while (errors.hasMoreElements()) { SSLCertificateApprovalCallback.ValidityItem item = 
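Review bot: Renaming the public method `handleUntrustedIssuer` to `trustCert` in the hunk at @@ -126 drops the old name without a compatibility shim, so any subclass or external caller still using `handleUntrustedIssuer` (none is visible in this chunk) either stops compiling or, for an override without `@Override`, silently becomes dead code. A deprecated delegating alias costs three lines: `@Deprecated public boolean handleUntrustedIssuer(org.mozilla.jss.crypto.X509Certificate serverCert) { return trustCert(serverCert); }`. The body of `trustCert` continues outside the hunk; since it is now the single trust decision point for both issuer statuses, a Javadoc stating that it prompts on stderr and (presumably) reads the answer from standard input, and what a closed or non-interactive stdin yields, would document the behaviour the CI workflows depend on.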
@@ -193,14 +201,13 @@ public boolean approve(X509Certificate cert, ValidityStatus status) { } else if (isIgnored(reason)) { // Ignore validity status - } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) { + } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER + || reason == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) { // Issue a WARNING, but allow this process // to continue since we haven't installed a trusted CA // cert for this operation. System.err.println("WARNING: " + getMessage(serverCert, reason)); - if (!handleUntrustedIssuer(serverCert)) { - approval = false; - } + prompt = true; } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) { // Issue a WARNING, but allow this process to continue on @@ -224,6 +231,10 @@ public boolean approve(X509Certificate cert, ValidityStatus status) { } } + if (prompt && !trustCert(serverCert)) { + approval = false; + } + return approval; } }
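Review bot: The comment kept above the combined branch in the hunk at @@ -193 still says the warning is issued "since we haven't installed a trusted CA cert for this operation", which described UNTRUSTED_ISSUER alone; now that UNKNOWN_ISSUER shares the branch the two cases differ (the messages in getMessage distinguish a non-trusted CA cert from an unknown one) and the comment should say both lead to the same deferred trust decision. Suggested replacement for the three comment lines: `// Issuer is either present but not trusted (UNTRUSTED_ISSUER) or not found (UNKNOWN_ISSUER); warn now and defer the single trust prompt until all reasons have been reported.` The enclosing approve() loop starts and ends outside the hunk.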
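Review bot: The deferred prompt `if (prompt && !trustCert(serverCert))` in the hunk at @@ -224 does not consult `approval`, so if an earlier reason in the loop has already set it to false (the loop body is mostly outside the hunk, so which reasons deny is not visible here) the user is still asked to trust a certificate that will be rejected whatever they answer. Guarding on the current decision, `if (approval && prompt && !trustCert(serverCert)) {`, avoids the misleading prompt and leaves the deny outcome unchanged. A short comment that exactly one prompt is issued after every warning has been printed would also record the ordering the updated workflow expectations now rely on.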