
3.0.1RC3: certificate based authentication fails as attributes are not correctly lowercased #714

Closed
crackytsi opened this issue Sep 6, 2018 · 0 comments
crackytsi commented Sep 6, 2018

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | Debian |
| OS version (client) | Seven using Chrome Browser |
| TheHive version / git hash | 3.1.0 RC3 |
| Package Type | DEB |

Description

Certificate-based authentication still fails in 2 scenarios:

1. If you configure
       auth.pki.certificateField = upn
   see that the UPN is not correctly translated to lowercase:

2018-09-06 16:08:02,881 [INFO] from play.core.server.AkkaHttpServer in main - Enabling HTTP/2 on Akka HTTP server...
2018-09-06 16:08:02,884 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9080
2018-09-06 16:08:02,886 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTPS on /0:0:0:0:0:0:0:0:9443
2018-09-06 16:08:16,271 [DEBUG] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Client certificate is : 1.2.840.113549.1.9.1=#161f4368726973746f706865722e5261636b7940742d73797374656d732e636f6d,CN=Firstname Lastname,OU=C-123162,OU=Employee,OU=Person,O=EXMPL;CN=TestCa1,OU=Trust ,O=Example Ing,C=UK
2018-09-06 16:08:16,279 [DEBUG] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Client certificate subject is O=EXMPL,OU=Person,OU=Employee,OU=C-123162,CN=Firstname Lastname,1.2.840.113549.1.9.1=[B@5ed1ce5f
2018-09-06 16:08:16,283 [DEBUG] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Field upn not found in certificate subject
2018-09-06 16:08:16,285 [DEBUG] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Subject alternative name is [0, [B@cc3ce75],[1, Firstname.Lastname@example.com]
2018-09-06 16:08:16,413 [DEBUG] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Found user id Firstname.Lastname@example.com in san:upn
2018-09-06 16:08:16,460 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Authentication failure:
        session: AuthenticationError User session not found
        pki: NotFoundError user Firstname.Lastname@example.com not found
        key: AuthenticationError Authentication header not found
        basic: AuthenticationError Authentication header not found
        init: AuthenticationError Use of initial user is forbidden because users exist in database
2018-09-06 16:08:16,473 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-17 - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
        at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:236)
2. If you configure
       auth.pki.certificateField = cn
   instead of
       auth.pki.certificateField = CN

   (and the certificate DN contains an uppercase CN instead of a lowercase one).
   See the logs here:

2018-09-06 15:26:56,443 [DEBUG] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-15 - Field cn not found in certificate subject
2018-09-06 15:26:56,446 [DEBUG] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-15 - Subject alternative name is [0, [B@614b6f54],[1, Firstname.Lastname@example.com]
2018-09-06 15:26:56,528 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-15 - Authentication failure:
        session: AuthenticationError User session not found
        pki: AuthenticationError Certificate doesn't contain user information
        key: AuthenticationError Authentication header not found
        basic: AuthenticationError Authentication header not found
        init: AuthenticationError Use of initial user is forbidden because users exist in database
2018-09-06 15:26:56,548 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-15 - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
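
The two misses reported above are a configured field name (`cn`) that never equals the certificate's `CN=` attribute type, and a UPN taken from the SAN with its original capitalisation that does not match the stored user. The Python below is an added example, not code from TheHive or elastic4play: it parses the string form of a subject DN, compares the configured field against attribute types case-insensitively (folding the `1.2.840.113549.1.9.1` emailAddress OID and common long names onto one canonical name), falls back to a simplified SAN list for `upn`, and lowercases the resulting user id. The alias table, the SAN model, the `resolve_user_id` name and the sample certificate are assumptions constructed for the example; hex-encoded `#...` attribute values like the one in the first log line are not decoded here.

```python
"""
Case-insensitive extraction of a user id from an X.509 client certificate.

Added example for this issue; it is not code from TheHive or elastic4play.
It works on the string form of the subject DN and a simplified model of the
Subject Alternative Name list; all certificate data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: a minimal alias table so a configured field name matches the
# attribute however the certificate spells it (short name, long name or OID).
# 1.2.840.113549.1.9.1 is the PKCS#9 emailAddress OID seen in the issue's log.
ATTR_ALIASES: Dict[str, str] = {
    "1.2.840.113549.1.9.1": "emailaddress",
    "e": "emailaddress",
    "email": "emailaddress",
    "commonname": "cn",
    "organizationalunitname": "ou",
    "organizationname": "o",
}
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName

_RDN_SPLIT = re.compile(r"(?<!\\),")   # commas not preceded by a backslash
_AVA_SPLIT = re.compile(r"(?<!\\)\+")  # '+' separating multi-valued RDNs


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs, with the types
    kept exactly as written. Backslash-escaped ',' and '+' inside values are
    honoured and unescaped."""
    pairs: List[Tuple[str, str]] = []
    for rdn in _RDN_SPLIT.split(dn):
        for ava in _AVA_SPLIT.split(rdn):
            if not ava.strip():
                continue
            typ, sep, val = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed attribute: {ava!r}")
            pairs.append((typ.strip(), re.sub(r"\\(.)", r"\1", val.strip())))
    return pairs


def canonical(attr_type: str) -> str:
    """Lowercase an attribute type and fold known aliases/OIDs onto one name."""
    t = attr_type.strip().lower()
    return ATTR_ALIASES.get(t, t)


def lookup_subject(dn: str, field: str, case_insensitive: bool = True) -> Optional[str]:
    """Return the first subject attribute matching `field`.

    case_insensitive=False reproduces the failure in the issue: the configured
    name 'cn' never equals the certificate's 'CN'. The default folds both sides
    through canonical(), so 'cn', 'CN' and 'commonName' all match."""
    for typ, val in parse_dn(dn):
        if case_insensitive:
            if canonical(typ) == canonical(field):
                return val
        elif typ == field:
            return val
    return None


def lookup_san(san: List[Dict[str, str]], field: str) -> Optional[str]:
    """Look up 'upn' (otherName carrying the UPN OID) or 'email' (rfc822Name)
    in a simplified SAN list; GeneralName type names follow RFC 5280."""
    f = canonical(field)
    for entry in san:
        if f == "upn" and entry.get("type") == "otherName" and entry.get("oid") == UPN_OID:
            return entry["value"]
        if f == "emailaddress" and entry.get("type") == "rfc822Name":
            return entry["value"]
    return None


def resolve_user_id(cert: Dict, field: str) -> Optional[str]:
    """Subject first, then SAN, in the order the issue's log shows; the result
    is lowercased so it matches a user id stored in lowercase (assumption
    about how the user store keys its accounts)."""
    value = lookup_subject(cert["subject"], field)
    if value is None:
        value = lookup_san(cert.get("san", []), field)
    return value.lower() if value is not None else None


# Constructed client certificate, modelled on (not copied from) the redacted
# log lines: uppercase attribute types, an OID-typed emailAddress, a UPN in the SAN.
CERT = {
    "subject": "1.2.840.113549.1.9.1=Firstname.Lastname@example.com,"
               "CN=Lastname\\, Firstname,OU=C-123162,OU=Employee,OU=Person,O=EXMPL",
    "san": [
        {"type": "otherName", "oid": UPN_OID, "value": "Firstname.Lastname@example.com"},
        {"type": "rfc822Name", "value": "Firstname.Lastname@example.com"},
    ],
}

if __name__ == "__main__":
    print("cn, exact case :", lookup_subject(CERT["subject"], "cn", case_insensitive=False))
    print("cn, folded     :", lookup_subject(CERT["subject"], "cn"))
    print("upn            :", resolve_user_id(CERT, "upn"))
```

Running it shows the exact-case lookup returning nothing for `cn` against `CN=`, the folded lookup returning the common name, and the UPN coming back lowercased; swapping `field` for `email` exercises the OID alias on the subject rather than the SAN.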

crackytsi changed the title from "3.0.1RC3" to "3.0.1RC3: certificate based authentication fails as attributes are not correctly lowercased" Sep 6, 2018
To-om self-assigned this Sep 14, 2018
To-om added this to the 3.1.0 milestone Sep 14, 2018
To-om added the bug label Sep 14, 2018
To-om closed this as completed Sep 14, 2018