-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 6.5.0, 6.0.0.6
-
Component/s: None
-
Labels:
-
Sprint:AM Sustaining Sprint 60
-
Story Points:3
-
Needs backport:No
-
Support Ticket IDs:
Bug description
Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0
How to reproduce the issue
jdk1.8.0_171
Setup a OOTB certificate module authenticate module but with option "Match Certificate in LDAP"
Create a user "sam" in the identity datastore.
Add a userCertificate attribute using the certificate samclient.crt
in the attachment.
Create a chain "mycertificatechain" with the above module.
Run the following curl command to test the module
#!/bin/sh #set -vx openam="http://openam.internal.example.com:8080" HEADER1="X-Client-Cert:$(cat /work/openam6.5.0-verify-certificate-37305/temp/certs/samclient.crt)" HEADER=`echo $HEADER1` echo "faking certificate header " $HEADER echo curl -k -s --header "$HEADER" --header "Accept-API-Version: resource=2.0, protocol=1.0" --request POST --header "Content-Type: application/json" "$openam/openam/json/authenticate?authIndexType=service&authIndexValue=mycertificatechain"
In Tomcat 's setenv.sh ( the truststore.jks 's password is password )
================
JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=certpath,ocsp" JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=SSL,handshake,trustmanager" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/work/openam6.5.0-verify-certificate-37305/truststore.jks" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=password"
Expected behaviour ( I did the setup in AM 6.0.0.5 first )
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA1withECDSA Variant: generic
certpath: jdkCAConstraints.permits(): SHA1
certpath: KeySizeConstraints.permits(): EC
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOTcertpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Feb 15 17:01:57 SGT 2019...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; serial#: 18340821895127757165
certpath: -checker6 validation succeeded
certpath:
cert1 validation succeeded.certpath: Cert path validation succeeded. (PKIX validation algorithm)
certpath: --------------------------------------------------------------
{"tokenId":"AQIC5wM2LY4SfcwxQDnil0LNs2sj6kLq3d-9HT4V6-_7BXI.*AAJTSQACMDEAAlNLABQtNjE4MDk5ODAwMDQ2NDA0ODc4MAACUzEAAA..*","successUrl":"/openam/console"}
Current behaviour
]
Initial Policy OIDs: any
Validity Date: Fri Feb 15 17:08:30 SGT 2019
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: RejectKeySelector: [
X509CertSelector: [
Subject: CN=es512test,OU=OpenAM,O=ForgeRock,L=Bristol,ST=Bristol,C=UK
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]][Sun EC public key, 521 bits
public x coord: 1599989486213883276833874104985277428079501609933048057009701027192466597054704643392130176646226594897464777480565766875177928676231987138178710751410050541
public y coord: 4433022916535290282920472914997369102352505704708771248592769405032221810168598368778017205229781643585755638973355096210774597671657778153229501221310162013
parameters: secp521r1 [NIST P-521] (1.3.132.0.35)]]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@f3c1792]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0)
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0)
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: X509CertSelector.match(SN: 1
Issuer: CN=CA, O=SG CA, L=SG, C=SG
Subject: CN=sam, O=SG, L=SG, C=SG)
certpath: X509CertSelector.match: subject DNs don't match
certpath: NO - don't try this trustedCert
{"code":401,"reason":"Unauthorized","message":"Authentication Failed"}
