Addendum of a20141022.2
- Case Number: a20141022.2
- Claimant: Werner D. for Support
- Respondent: CAcert
- Complaint: Access to database needed to track down user interface error.
Ticket Number: s20140604.45
Introduction
This addendum contains the results of the research that was done into the background of the request filed by the SE.
Bug Tracker
There are 5 bugs (read: feature requests) in the Bug Tracker that express the desire to enhance the software with a possibility to revoke CAcert signatures on GPG/PGP keys. These bugs are listed in the table below. The first 4 bugs should be considered duplicates. The Bug Tracker specifically marks Bug 721 and Bug 1079 as duplicates. Bug 1210 differs from the other 4 listed in that it proposes to resolve 'the issue' by removing the date check on the GPG/PGP keys from the software.
| Bug | Summary | Submitted | Last Update | Severity | Resolution | Status |
|---|---|---|---|---|---|---|
| | GPG Signature revocation system needed | 2005-10-21 | 2013-01-13 | feature | won't fix | closed |
| | PGP Certifikat revoken / löschen (revoke / delete PGP certificate) | 2006-06-01 | 2012-12-20 | feature | open | needs work |
| | No way to revoke sigs on a OpenPGP key | 2009-04-21 | 2012-12-20 | feature | open | new |
| | GPG key can not be revoked | 2012-07-06 | 2014-07-16 | minor | open | needs work |
| | Problem with Delete account procedure | 2013-09-14 | 2013-09-14 | minor | open | new |
The fix of Bug 794 added the visibility of all certificates of an account to the SE console and came with a Revoke button. The Revoke button however only applies to the X.509 Client and Server certificates. A (CAcert signature on a) GPG/PGP key can't be revoked through the software.
| Bug | Summary | Submitted | Last Update | Severity | Resolution | Status |
|---|---|---|---|---|---|---|
| | visibility over certificates for sysadm in account administration | 2009-11-27 | 2013-01-15 | feature | fixed | closed |
Steps to reproduce the situation
The GPG/PGP signature lifetime on the test server is 1 year, contrary to the 1 day lifetime mentioned on the 03 Working With Testserver And Mgmt System Wiki page. This 1 year lifetime unfortunately renders further testing pointless until after the 'expiry date + 3 month CCA retention' period.
The result expected from this test therefore is an exact replica of the situation the SE ran into. It should be impossible to delete the account as an SE and the following message should appear: 'The CCA retention time for at least one certificate is not over. Can't continue.'.
This is exactly the result that was achieved.
In a nutshell the steps to reproduce the situation comprise:
- create test account suitable for GPG/PGP key signature testing
- create GPG/PGP key for signing with CAcert GPG/PGP key
- sign GPG/PGP key with CAcert GPG/PGP key
- attempt to remove test account
The detailed test steps below have been conducted on an Ubuntu-16.04 LTS Gnome Desktop local host with Chrome 52.0.2743.116 (64-bit):
1. test server (cacert1.it-sls.de): create test account
- create account
ttester@testdom.tld Tess Tester DoB 1970-01-01
- create account
2. test manager (ca-mgr1.it-sls.de): set up test account for GPG/PGP key
login as ttester@testdom.tld
hand out 100 AP to ttester@testdom.tld to enable GPG/PGP key signing by CAcert GPG/PGP key
3. local host: create GPG/PGP key for test account
Real name: Tess Tester
Email address: ttester@testdom.tld
- create GPG/PGP key for signing by CAcert
    TMPDIR="$(mktemp -d -t cacert-XXXXXXXX)" && cd "${TMPDIR}"
    gpg2 --homedir "${TMPDIR}" --gen-key

    pub rsa2048/PPPPPPPP 2016-07-31 [S]
    Key fingerprint = FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
    uid [ultimate] Tess Tester <ttester@testdom.tld>
    sub rsa2048/KKKKKKKK 2016-07-31 []
- import CAcert GPG/PGP key into keyring
    wget -O cacert.asc "https://cacert1.it-sls.de/certs/cacert.asc"
    gpg2 --homedir "${TMPDIR}" --import cacert.asc

    gpg: key 77F751AC: public key "CAcert Test Server Signing Authority (for testing only!!!) <gpg@cacert.org>" imported
    gpg: Total number processed: 1
    gpg: imported: 1
- export GPG/PGP key to local host file ttester_at_testdom.tld.asc

    gpg2 --homedir "${TMPDIR}" --export --armor PPPPPPPP > ttester_at_testdom.tld.asc
4. test server (cacert1.it-sls.de): sign GPG/PGP key of test account with CAcert GPG/PGP key
login as ttester@testdom.tld
- go to Add GPG/PGP key and click it
copy and paste contents of local host file ttester_at_testdom.tld.asc into GUI
- mark accept CCA
- click Submit
copy and paste result from GUI into local host file ttester_at_testdom.tld.signed.asc
5. test manager (ca-mgr1.it-sls.de): verify mail with signed GPG/PGP key
login as ttester@testdom.tld
- check confirmation mail from Support
    Hi Tess,

    Your CAcert signed key for ttester@testdom.tld is available online at:

    https://www.cacert.org/gpg.php?id=############

    To help improve the trust of CAcert in general, it's appreciated if you could also sign our key and upload it to a key server. Below is a copy of our primary key details:

    pub 1024D/65D0FD58 2003-07-11 CA Cert Signing Authority (Root CA) <gpg@cacert.org>
    Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58

    Best regards
    CAcert.org Support!
6. local host: import CAcert signature on GPG/PGP key
import file ttester_at_testdom.tld.signed.asc to sign GPG/PGP key
    gpg2 --homedir "${TMPDIR}" --import ttester_at_testdom.tld.signed.asc

    gpg: key PPPPPPPP: "Tess Tester <ttester@testdom.tld>" 1 new signature
    gpg: Total number processed: 1
    gpg: new signatures: 1
    gpg: marginals needed: 3 completes needed: 1 trust model: PGP
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
- verify our GPG/PGP keyring and signatures
    gpg2 --homedir "${TMPDIR}" --with-sig-list --list-keys

    /tmp/cacert-dBUZ2abt/pubring.kbx
    --------------------------------
    pub rsa2048/PPPPPPPP 2016-07-31 [SC]
    uid [ultimate] Tess Tester <ttester@testdom.tld>
    sig 3 PPPPPPPP 2016-07-31 Tess Tester <ttester@testdom.tld>
    sig P 77F751AC 2016-07-31 CAcert Test Server Signing Authority (for testing only!!!) <gpg@cacert.org>
    sub rsa2048/SSSSSSSS 2016-07-31 [E]
    sig PPPPPPPP 2016-07-31 Tess Tester <ttester@testdom.tld>

    pub dsa1024/77F751AC 2011-05-17 [SC] [expires: 2031-05-12]
    uid [ unknown] CAcert Test Server Signing Authority (for testing only!!!) <gpg@cacert.org>
    sig 3 77F751AC 2011-05-17 CAcert Test Server Signing Authority (for testing only!!!) <gpg@cacert.org>
    sub elg2048/D2C66AC5 2011-05-17 [E] [expires: 2031-05-12]
    sig 77F751AC 2011-05-17 CAcert Test Server Signing Authority (for testing only!!!) <gpg@cacert.org>
7. test server (cacert1.it-sls.de): attempt to delete account as an SE
- login as SE
search account ttester@testdom.tld
- show account status using ticket nr. s20160731.1
    GPG/PGP Certificates
    Status Email Address Expires Key ID
    Valid ttester@testdom.tld 2017-08-01 07:48:05 PPPPPPPPPPPPPPPP

    Certificates
    Cert Type: Total Valid Expired Revoked Latest Expire
    Server: None
    Client: None
    GPG: 1 1 0 2017-08-01
    Org Server: None
    Org Client: None
- delete account ttester to a20160731.1.1 using ticket s20160731.1 shows expected result
The CCA retention time for at least one certificate is not over. Can't continue.
Code base
The following code snippet shows the origin of the 'The CCA retention time for at least one certificate is not over. Can't continue.' notification. The function blocking the account deletion by returning true in both the test case and the case described by the SE is the check_gpg_cert_running() function.
includes/account.php
    if (check_client_cert_running(intval($_REQUEST['userid']),1) ||
        check_server_cert_running(intval($_REQUEST['userid']),1) ||
        check_gpg_cert_running(intval($_REQUEST['userid']),1)) {
        showheader(_("My CAcert.org Account!"));
        printf(_("The CCA retention time for at least one certificate is not over. Can't continue."));
        printf('<br/><a href="account.php?id=43&userid=' . intval($_REQUEST['userid']) . '">' . _('Back to previous page.') .'</a>');
        showfooter();
        exit;
    }

The snippet below describes the check_gpg_cert_running() function and shows it only looks at the CAcert signature expiry on a GPG/PGP key. The result of the function is entirely independent of the actual status of the CAcert signed GPG/PGP key itself.
includes/notary.inc.php
    function check_gpg_cert_running($uid,$cca=0){
        //if $cca =0 if just expired, =1 if CCA retention +3 month should be obeyed
        // called from includes/account.php if($oldid == 50 && $process != "")
        $uid = intval($uid);
        if (0==$cca) {
            $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>NOW()";
        }else{
            $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>(NOW()-90*86400)";
        }
        $res = mysql_query($query);
        return mysql_num_rows($res) > 0;
    }
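The retention rule and the reproduction steps above, worked through for the signature from the test; this is an added example, not CAcert code and not part of the original addendum. It models the window the page describes (expiry date + 3 month CCA retention) and assumes the `expire` column equals the expiry of the CAcert signature; the colon listing, the zero-padded long key ID and the revoked variant are constructed, and the handling of signatures without expiry goes beyond the page.

```shell
#!/bin/sh
# Added example, not CAcert code. SAMPLE is a constructed, simplified excerpt of
# `gpg2 --with-colons --list-sigs` output; the expiry is the page's
# 2017-08-01 07:48:05 read as UTC, the long key ID is padded with zeros.
SAMPLE='pub:u:2048:1:PPPPPPPPPPPPPPPP:1469951285:::u:::scESC:
sig:::1:PPPPPPPPPPPPPPPP:1469951285::::Tess Tester <ttester@testdom.tld>:13x:
sig:::17:0000000077F751AC:1469951285:1501573685:::CAcert Test Server Signing Authority (for testing only!!!) <gpg@cacert.org>:10x:'
# The same key after a local revocation: only the pub validity field changes.
SAMPLE_REVOKED=$(printf '%s\n' "$SAMPLE" | sed '1s/^pub:u:/pub:r:/')

RETENTION_SECS=$((90 * 86400))  # the 90*86400 from check_gpg_cert_running()

# key_validity: field 2 of the pub record (u = ultimate, r = revoked, e = expired).
key_validity() { awk -F: '$1 == "pub" { print $2; exit }'; }

# sig_expiry SIGNER: latest expiry (epoch seconds) of signatures whose key ID
# ends in SIGNER; "never" if one has no expiry; exit 1 if none is found.
# Short key IDs can collide, so pass the full long ID outside of a test setup.
sig_expiry() {
    awk -F: -v id="$1" '
        $1 == "sig" && substr(toupper($5), length($5) - length(id) + 1) == toupper(id) {
            found = 1
            if ($7 == "") never = 1
            else if ($7 + 0 > max) { max = $7 + 0; out = $7 }
        }
        END { if (!found) exit 1; print (never ? "never" : out) }'
}

# retention_end EXPIRY: first second at which "expire + 90 days" has passed.
retention_end() {
    if [ "$1" = "never" ]; then echo never; else echo $(($1 + $RETENTION_SECS)); fi
}

# deletion_blocked EXPIRY NOW: exit 0 while the retention check would still
# refuse the deletion, exit 1 once it would let it through.
deletion_blocked() {
    end=$(retention_end "$1")
    [ "$end" = "never" ] || [ "$2" -lt "$end" ]
}

exp=$(printf '%s\n' "$SAMPLE_REVOKED" | sig_expiry 77F751AC)
echo "key validity: $(printf '%s\n' "$SAMPLE_REVOKED" | key_validity)"
echo "signature expires: $exp, deletion blocked until: $(retention_end "$exp")"
```

For the revoked variant the signature expiry, and with it the retention end, is unchanged, which is the behaviour the addendum attributes to check_gpg_cert_running().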