[OPENAM-14427] Certificate Module with option "Match Certificate in LDAP" does not work Created: 15/Feb/19  Updated: 05/Dec/19  Resolved: 21/Nov/19

Status: Closed
Project: OpenAM
Component/s: None
Affects Version/s: 6.5.0, 6.0.0.6
Fix Version/s: 13.5.3, 6.0.0.7, 6.5.1, 6.5.0.2, 5.5.2, 7.0.0

Type: Bug Priority: Major
Reporter: Sam Phua Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screen Shot 2019-02-15 at 3.32.59 PM.png     File samclient.crt     Text File samclient.txt     File truststore.jks    
Issue Links:
Regression
Target Version/s:
Sprint: AM Sustaining Sprint 60
Story Points: 3
Needs backport:
No
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same an in the description

 Description   

Bug description

Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

How to reproduce the issue

jdk1.8.0_171

Setup a OOTB certificate module authenticate module but with option "Match Certificate in LDAP"

 

Create a user "sam" in the identity datastore.

Add a userCertificate attribute using the certificate samclient.crt in the attachment.

Create a chain "mycertificatechain" with the above module.

Run the following curl command to test the module

#!/bin/sh
 #set -vx
 openam="http://openam.internal.example.com:8080"

HEADER1="X-Client-Cert:$(cat /work/openam6.5.0-verify-certificate-37305/temp/certs/samclient.crt)"
HEADER=`echo $HEADER1`
 echo "faking certificate header " $HEADER
 echo
 curl -k -s --header "$HEADER" --header "Accept-API-Version: resource=2.0, protocol=1.0" --request POST --header "Content-Type: application/json" "$openam/openam/json/authenticate?authIndexType=service&authIndexValue=mycertificatechain"

In Tomcat 's setenv.sh ( the truststore.jks 's password is password )

================

JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=certpath,ocsp"
 JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=SSL,handshake,trustmanager"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/work/openam6.5.0-verify-certificate-37305/truststore.jks"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=password"

 

Expected behaviour ( I did the setup in AM 6.0.0.5 first )
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA1withECDSA Variant: generic
certpath: jdkCAConstraints.permits(): SHA1
certpath: KeySizeConstraints.permits(): EC
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOTcertpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Feb 15 17:01:57 SGT 2019...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK; serial#: 18340821895127757165
certpath: -checker6 validation succeeded
certpath: 
cert1 validation succeeded.certpath: Cert path validation succeeded. (PKIX validation algorithm)
certpath: --------------------------------------------------------------

{"tokenId":"AQIC5wM2LY4SfcwxQDnil0LNs2sj6kLq3d-9HT4V6-_7BXI.*AAJTSQACMDEAAlNLABQtNjE4MDk5ODAwMDQ2NDA0ODc4MAACUzEAAA..*","successUrl":"/openam/console"}


Current behaviour
]
  Initial Policy OIDs: any
  Validity Date: Fri Feb 15 17:08:30 SGT 2019
  Signature Provider: null
  Default Revocation Enabled: false
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: RejectKeySelector: [
X509CertSelector: [
  Subject: CN=es512test,OU=OpenAM,O=ForgeRock,L=Bristol,ST=Bristol,C=UK
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]][Sun EC public key, 521 bits
  public x coord: 1599989486213883276833874104985277428079501609933048057009701027192466597054704643392130176646226594897464777480565766875177928676231987138178710751410050541
  public y coord: 4433022916535290282920472914997369102352505704708771248592769405032221810168598368778017205229781643585755638973355096210774597671657778153229501221310162013
  parameters: secp521r1 [NIST P-521] (1.3.132.0.35)]]
  Certification Path Checkers: [[]]
  CertStores: [[java.security.cert.CertStore@f3c1792]]
]  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
  Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
  Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
  Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
  Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
  Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
  Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0)
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
  Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
  Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
  Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
  Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: fe87b056fbcbf16d
  Issuer: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
  Subject: CN=es512test, OU=OpenAM, O=ForgeRock, L=Bristol, ST=Bristol, C=UK)
certpath: X509CertSelector.match: cert's maxPathLen is less than the min maxPathLen set by basicConstraints. (-1 < 0)
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: X509CertSelector.match(SN: 1
  Issuer: CN=CA, O=SG CA, L=SG, C=SG
  Subject: CN=sam, O=SG, L=SG, C=SG)
certpath: X509CertSelector.match: subject DNs don't match
certpath: NO - don't try this trustedCert

{"code":401,"reason":"Unauthorized","message":"Authentication Failed"}


 Comments   
Comment by Sam Phua [ 15/Feb/19 ]

It is easily to test with a working AM 6.0.0.5 first and then upgrade to 6.5.0 to observe the failure.

Comment by Jonathan Thomas [ 15/Feb/19 ]

Brining in for investigation.

As we are seeing Cert.doRevocationValidation: crls size = 0

I would have thought from here

}
if (debug.isDebugEnabled()) {
    debug.debug("Cert.doRevocationValidation: crls size = " +
              crls.size());
    if (crls.size() > 0) {
        debug.debug("CRL = " + crls.toString());
    }
}

AMCertPath certpath = new AMCertPath(crls); 

 

It would report the following in AMCertPath when it shows empty

if (debug.isDebugEnabled()) {
    debug.debug("AMCertPath:AMCertPath: no crl");
} 

 

Plus following debug


AMCertPath.verify: invoked  
Comment by Ľubomír Mlích [ 12/Apr/19 ]

Reproduced in ForgeRock Access Management 6.5.0.1 Build d239585362 (2019-January-15 06:37)
Verified as fixed in ForgeRock Access Management 6.5.0.2-RC1 Build a90937dad2 (2019-April-10 15:58)

Comment by Ľubomír Mlích [ 24/Apr/19 ]

Reproduced in ForgeRock Access Management 6.0.0.6 Build 92d60f32d1 (2018-November-26 06:25) - Authentication Failed
Verified as fixed in ForgeRock Access Management 6.0.0.7-M1 Build a1bc4f9d0b (2019-April-10 09:57) - Login successfull

Comment by Ľubomír Mlích [ 24/Apr/19 ]

I suppose there will be no more verification

Comment by Adam Heath [ 20/Nov/19 ]

Adding 5.5.2 target version as this issue is marked as caused by OPENAM-13429 which is currently included on the sustaining/5.5.x branch 

Comment by Ľubomír Mlích [ 05/Dec/19 ]

Reproduced in ForgeRock Access Management 5.5.2-M9 Build dd9501c3d1 (2019-October-31 09:27)
Verified as fixed in ForgeRock Access Management 5.5.2-M10 Build 8ec12ff64e (2019-December-03 10:51)

Generated at Wed Sep 23 23:44:35 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.