-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 6.5.0, 6.0.0.6
-
Component/s: None
-
Labels:
-
Sprint:AM Sustaining Sprint 60
-
Story Points:3
-
Needs backport:No
-
Support Ticket IDs:
Bug description
Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0
How to reproduce the issue
jdk1.8.0_171
Setup a OOTB certificate module authenticate module but with option "Match Certificate in LDAP"
Create a user "sam" in the identity datastore.
Add a userCertificate attribute using the certificate samclient.crt in the attachment.
Create a chain "mycertificatechain" with the above module.
Run the following curl command to test the module
#!/bin/sh #set -vx openam="http://openam.internal.example.com:8080" HEADER1="X-Client-Cert:$(cat /work/openam6.5.0-verify-certificate-37305/temp/certs/samclient.crt)" HEADER=`echo $HEADER1` echo "faking certificate header " $HEADER echo curl -k -s --header "$HEADER" --header "Accept-API-Version: resource=2.0, protocol=1.0" --request POST --header "Content-Type: application/json" "$openam/openam/json/authenticate?authIndexType=service&authIndexValue=mycertificatechain"
In Tomcat 's setenv.sh ( the truststore.jks 's password is password )
================
JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=certpath,ocsp" JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=SSL,handshake,trustmanager" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/work/openam6.5.0-verify-certificate-37305/truststore.jks" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=password"
Expected behaviour ( I did the setup in AM 6.0.0.5 first )
certpath: -------------------------------------------------------------- certpath: Executing PKIX certification path validation algorithm. certpath: Checking cert1 - Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: Constraints.permits(): SHA1withECDSA Variant: generic certpath: jdkCAConstraints.permits(): SHA1 certpath: KeySizeConstraints.permits(): EC certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 1, maxPathLength = 1 certpath: after processing, maxPathLength = 1 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 1 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOTcertpath: PolicyChecker.processPolicies() no policies present in cert certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking validity:Fri Feb 15 17:01:57 SGT 2019... certpath: validity verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; serial#: 18340821895127757165 certpath: -checker6 validation succeeded certpath: cert1 validation succeeded.certpath: Cert path validation succeeded. (PKIX validation algorithm) certpath: -------------------------------------------------------------- {"tokenId":"AQIC5wM2LY4SfcwxQDnil0LNs2sj6kLq3d-9HT4V6-_7BXI.*AAJTSQACMDEAAlNLABQtNjE4MDk5ODAwMDQ2NDA0ODc4MAACUzEAAA..*","successUrl":"/openam/console"}
Current behaviour
] Initial Policy OIDs: any Validity Date: Fri Feb 15 17:08:30 SGT 2019 Signature Provider: null Default Revocation Enabled: false Explicit Policy Required: false Policy Mapping Inhibited: false Any Policy Inhibited: false Policy Qualifiers Rejected: true Target Cert Constraints: RejectKeySelector: [ X509CertSelector: [ Subject: CN=es512test,OU=OpenAM,O=ForgeRock,L=Bristol,ST=Bristol,C=UK matchAllSubjectAltNames flag: true Key Usage: KeyUsage [ Crl_Sign ]][Sun EC public key, 521 bits public x coord: 1599989486213883276833874104985277428079501609933048057009701027192466597054704643392130176646226594897464777480565766875177928676231987138178710751410050541 public y coord: 4433022916535290282920472914997369102352505704708771248592769405032221810168598368778017205229781643585755638973355096210774597671657778153229501221310162013 parameters: secp521r1 [NIST P-521] (1.3.132.0.35)]] Certification Path Checkers: [[]] CertStores: [[java.security.cert.CertStore@f3c1792]] ] Maximum Path Length: 5 ] ) certpath: SunCertPathBuilder.buildForward()... certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [ issuerDN of last cert: null traversedCACerts: 0 init: true keyParamsNeeded: false subjectNamesTraversed: []] ) certpath: ForwardBuilder.getMatchingCerts()... certpath: ForwardBuilder.getMatchingEECerts()... certpath: X509CertSelector.match(SN: fe87b056fbcbf16d Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK) certpath: X509CertSelector.match returning: true certpath: RejectKeySelector.match: bad key certpath: ForwardBuilder.getMatchingCACerts()... certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA certpath: X509CertSelector.match(SN: fe87b056fbcbf16d Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK) certpath: X509CertSelector.match returning: true certpath: RejectKeySelector.match: bad key certpath: X509CertSelector.match(SN: fe87b056fbcbf16d Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK) certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0) certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0 certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores certpath: SunCertPathBuilder.buildForward()... certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [ issuerDN of last cert: null traversedCACerts: 0 init: true keyParamsNeeded: false subjectNamesTraversed: []] ) certpath: ForwardBuilder.getMatchingCerts()... certpath: ForwardBuilder.getMatchingEECerts()... certpath: X509CertSelector.match(SN: fe87b056fbcbf16d Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK) certpath: X509CertSelector.match returning: true certpath: RejectKeySelector.match: bad key certpath: ForwardBuilder.getMatchingCACerts()... certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA certpath: X509CertSelector.match(SN: fe87b056fbcbf16d Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK) certpath: X509CertSelector.match returning: true certpath: RejectKeySelector.match: bad key certpath: X509CertSelector.match(SN: fe87b056fbcbf16d Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK) certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0) certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0 certpath: X509CertSelector.match(SN: 1 Issuer: CN=CA, O=SG CA, L=SG, C=SG Subject: CN=sam, O=SG, L=SG, C=SG) certpath: X509CertSelector.match: subject DNs don't match certpath: NO - don't try this trustedCert {"code":401,"reason":"Unauthorized","message":"Authentication Failed"}