https://bz.apache.org/bugzilla/show_bug.cgi?id=66009

            Bug ID: 66009
           Summary: M-TLS Fails, no user is found because "OID.2.5.4.5" is
                    used as field name instead of "SERIALNUMBER", in
                    Subject
           Product: Tomcat 9
           Version: 9.0.62
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: bzapa...@dierdorp.nl
  Target Milestone: -----

We upgraded from Tomcat 9.0.60 to 9.0.62 and the Mutual-TLS failed.

Logging from Tomcat 9.0.60 (M-TLS Works)
01 org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request POST /speer/soap/services/somefunctionality
02 org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
03 org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
04 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
05 org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint already satisfied
06 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
07 org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
authenticate user [CN=cn, O=o, L=l, ST=st, C=c,
SERIALNUMBER=00000001804415183000] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
08 org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
09 org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000'
10 org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'CN=cnCA, O=o, C=c'
11 org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000]
12 org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user
[CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
13 org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated
'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000' with type
'CLIENT_CERT'
14 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
accessControl()
15 org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles
GenericPrincipal[CN=cn, O=o, L=l, ST=st, C=c,
SERIALNUMBER=00000001804415183000()]
16 org.apache.catalina.realm.RealmBase.hasRole Username [CN=cn, O=o, L=l,
ST=st, C=c, SERIALNUMBER=00000001804415183000] has role [correctUser]
17 org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: 
correctUser
18 org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully
passed all security constraints


Logging from Tomcat 9.0.62 (M-TLS fails, no/wrong user found)
01 org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request POST /speer/soap/services/somefunctionality
02 org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
03 org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
04 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
05 org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint already satisfied
06 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
07 org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
authenticate user [CN=cn, O=o, L=l, ST=st, C=c,
SERIALNUMBER=00000001804415183000] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
08 org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
09 org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000'
10 org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'CN=cnCA, O=o, C=c'
11 org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [CN=cn, O=o, L=l, ST=st, C=c, OID.2.5.4.5=00000001804415183000]
12 org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate
user [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with
realm [org.apache.catalina.realm.UserDatabaseRealm]
13 org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test


If you look at line 11 in both logs, you can see that "OID.2.5.4.5" is used
in Tomcat 9.0.62 and "SERIALNUMBER" in Tomcat 9.0.60, while in all other
instances "SERIALNUMBER" is used.
Because of this, the correct user cannot be found.

Possible workaround: add the "OID.2.5.4.5" version also to the
"tomcat-users.xml" file (not tested yet, but I expect it to work).

We are running Tomcat in Docker and are using the "tomcat:9-jdk11" container as
base image.
When we reverted to the container using Tomcat 9.0.60 it worked again.

A possible suspect is release 9.0.61 and the change in Coyote:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

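As an added illustration (not Tomcat's code and not the reporter's), the lookup below shows why the 9.0.62 request fails and how a realm could tolerate it: the subject DN is compared as a string against the username in tomcat-users.xml, so "OID.2.5.4.5=..." never equals "SERIALNUMBER=...". Canonicalizing the attribute types on both sides before comparing makes both spellings match, which avoids duplicating the user entry; the tomcat-users.xml entry is constructed, and the OID-to-keyword table covers only the common types.

```python
# Keyword names Java/Tomcat print for common X.500 attribute types (RFC 2253 / 4519).
OID_KEYWORDS = {
    "2.5.4.3": "CN", "2.5.4.5": "SERIALNUMBER", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
}

def split_rdns(dn):
    """Split a DN string on commas that are neither backslash-escaped nor quoted."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep escape pairs such as '\,' intact
            cur.append(dn[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def normalize_dn(dn):
    """Canonicalize each RDN type: 'OID.2.5.4.5', '2.5.4.5' and 'serialnumber'
    all become 'SERIALNUMBER'; attribute values are left untouched."""
    out = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        typ = typ.strip()
        oid = typ[4:] if typ.upper().startswith("OID.") else typ   # drop Java's prefix
        if all(p.isdigit() for p in oid.split(".")):
            typ = OID_KEYWORDS.get(oid, oid)    # unknown OIDs stay in dotted form
        else:
            typ = typ.upper()
        out.append(f"{typ}={val.strip()}")
    return ", ".join(out)

def find_roles(dn, users):
    """Realm-style lookup: roles of the user whose DN matches after normalizing
    both sides, or None when nobody matches (what the 9.0.62 log shows)."""
    wanted = normalize_dn(dn)
    for name, roles in users.items():
        if normalize_dn(name) == wanted:
            return roles
    return None

# Constructed tomcat-users.xml entry, plus the 9.0.62 subject string from the log above.
USERS = {"CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000": ["correctUser"]}
DN_9062 = "CN=cn, O=o, L=l, ST=st, C=c, OID.2.5.4.5=00000001804415183000"
```

A plain dictionary lookup `USERS.get(DN_9062)` returns None, which is the failure in the second log; `find_roles(DN_9062, USERS)` returns the user's roles.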