Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-14427

Certificate Module with option "Match Certificate in LDAP" does not work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0.6, 6.5.0
    • Fix Version/s: 6.5.1, 6.5.0.2, 6.0.0.7, 7.0.0
    • Component/s: None
    • Labels:
    • Sprint:
      AM Sustaining Sprint 60
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description

      Description

      Bug description

      Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

      How to reproduce the issue

      jdk1.8.0_171

      Setup a OOTB certificate module authenticate module but with option "Match Certificate in LDAP"

       

      Create a user "sam" in the identity datastore.

      Add a userCertificate attribute using the certificate samclient.crt in the attachment.

      Create a chain "mycertificatechain" with the above module.

      Run the following curl command to test the module

      #!/bin/sh
       #set -vx
       openam="http://openam.internal.example.com:8080"
      
      HEADER1="X-Client-Cert:$(cat /work/openam6.5.0-verify-certificate-37305/temp/certs/samclient.crt)"
      HEADER=`echo $HEADER1`
       echo "faking certificate header " $HEADER
       echo
       curl -k -s --header "$HEADER" --header "Accept-API-Version: resource=2.0, protocol=1.0" --request POST --header "Content-Type: application/json" "$openam/openam/json/authenticate?authIndexType=service&authIndexValue=mycertificatechain"

      In Tomcat 's setenv.sh ( the truststore.jks 's password is password )

      ================

      JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=certpath,ocsp"
       JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=SSL,handshake,trustmanager"
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/work/openam6.5.0-verify-certificate-37305/truststore.jks"
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=password"
      

       

      Expected behaviour ( I did the setup in AM 6.0.0.5 first )
      certpath: --------------------------------------------------------------
      certpath: Executing PKIX certification path validation algorithm.
      certpath: Checking cert1 - Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
      certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
      certpath: -checker1 validation succeeded
      certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
      certpath: Constraints.permits(): SHA1withECDSA Variant: generic
      certpath: jdkCAConstraints.permits(): SHA1
      certpath: KeySizeConstraints.permits(): EC
      certpath: -checker2 validation succeeded
      certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
      certpath: -checker3 validation succeeded
      certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
      certpath: ---checking basic constraints...
      certpath: i = 1, maxPathLength = 1
      certpath: after processing, maxPathLength = 1
      certpath: basic constraints verified.
      certpath: ---checking name constraints...
      certpath: prevNC = null, newNC = null
      certpath: mergedNC = null
      certpath: name constraints verified.
      certpath: -checker4 validation succeeded
      certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
      certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
      certpath: PolicyChecker.checkPolicy() certIndex = 1
      certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
      certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
      certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
      certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOTcertpath: PolicyChecker.processPolicies() no policies present in cert
      certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
      certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
      certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
      certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
      certpath: PolicyChecker.checkPolicy() certificate policies verified
      certpath: -checker5 validation succeeded
      certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
      certpath: ---checking validity:Fri Feb 15 17:01:57 SGT 2019...
      certpath: validity verified.
      certpath: ---checking subject/issuer name chaining...
      certpath: subject/issuer name chaining verified.
      certpath: ---checking signature...
      certpath: signature verified.
      certpath: BasicChecker.updateState issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; serial#: 18340821895127757165
      certpath: -checker6 validation succeeded
      certpath: 
      cert1 validation succeeded.certpath: Cert path validation succeeded. (PKIX validation algorithm)
      certpath: --------------------------------------------------------------
      
      {"tokenId":"AQIC5wM2LY4SfcwxQDnil0LNs2sj6kLq3d-9HT4V6-_7BXI.*AAJTSQACMDEAAlNLABQtNjE4MDk5ODAwMDQ2NDA0ODc4MAACUzEAAA..*","successUrl":"/openam/console"}
      
      
      
      Current behaviour
      ]
        Initial Policy OIDs: any
        Validity Date: Fri Feb 15 17:08:30 SGT 2019
        Signature Provider: null
        Default Revocation Enabled: false
        Explicit Policy Required: false
        Policy Mapping Inhibited: false
        Any Policy Inhibited: false
        Policy Qualifiers Rejected: true
        Target Cert Constraints: RejectKeySelector: [
      X509CertSelector: [
        Subject: CN=es512test,OU=OpenAM,O=ForgeRock,L=Bristol,ST=Bristol,C=UK
        matchAllSubjectAltNames flag: true
        Key Usage: KeyUsage [
        Crl_Sign
      ]][Sun EC public key, 521 bits
        public x coord: 1599989486213883276833874104985277428079501609933048057009701027192466597054704643392130176646226594897464777480565766875177928676231987138178710751410050541
        public y coord: 4433022916535290282920472914997369102352505704708771248592769405032221810168598368778017205229781643585755638973355096210774597671657778153229501221310162013
        parameters: secp521r1 [NIST P-521] (1.3.132.0.35)]]
        Certification Path Checkers: [[]]
        CertStores: [[java.security.cert.CertStore@f3c1792]]
      ]  Maximum Path Length: 5
      ]
      )
      certpath: SunCertPathBuilder.buildForward()...
      certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [
        issuerDN of last cert: null
        traversedCACerts: 0
        init: true
        keyParamsNeeded: false
        subjectNamesTraversed: 
      []]
      )
      certpath: ForwardBuilder.getMatchingCerts()...
      certpath: ForwardBuilder.getMatchingEECerts()...
      certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
        Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
        Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
      certpath: X509CertSelector.match returning: true
      certpath: RejectKeySelector.match: bad key
      certpath: ForwardBuilder.getMatchingCACerts()...
      certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
      certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
        Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
        Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
      certpath: X509CertSelector.match returning: true
      certpath: RejectKeySelector.match: bad key
      certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
        Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
        Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
      certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0)
      certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
      certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
      certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores
      certpath: SunCertPathBuilder.buildForward()...
      certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [
        issuerDN of last cert: null
        traversedCACerts: 0
        init: true
        keyParamsNeeded: false
        subjectNamesTraversed: 
      []]
      )
      certpath: ForwardBuilder.getMatchingCerts()...
      certpath: ForwardBuilder.getMatchingEECerts()...
      certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
        Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
        Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
      certpath: X509CertSelector.match returning: true
      certpath: RejectKeySelector.match: bad key
      certpath: ForwardBuilder.getMatchingCACerts()...
      certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
      certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
        Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
        Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
      certpath: X509CertSelector.match returning: true
      certpath: RejectKeySelector.match: bad key
      certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
        Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
        Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
      certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0)
      certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
      certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
      certpath: X509CertSelector.match(SN: 1
        Issuer: CN=CA, O=SG CA, L=SG, C=SG
        Subject: CN=sam, O=SG, L=SG, C=SG)
      certpath: X509CertSelector.match: subject DNs don't match
      certpath: NO - don't try this trustedCert
      
      {"code":401,"reason":"Unauthorized","message":"Authentication Failed"}

        Attachments

        1. samclient.crt
          1 kB
        2. samclient.txt
          1 kB
        3. Screen Shot 2019-02-15 at 3.32.59 PM.png
          Screen Shot 2019-02-15 at 3.32.59 PM.png
          126 kB
        4. truststore.jks
          2 kB

          Activity

            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              sam.phua Sam Phua
            • Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: