Bug 1024462
Summary: | IPA admin cert is created with SHA1 signing algorithm, should be SHA256 | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Ade Lee <alee>
Component: | pki-core | Assignee: | Matthew Harmsen <mharmsen>
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang>
Severity: | unspecified | Docs Contact: |
Priority: | medium | |
Version: | 6.6 | CC: | aakkiang, alee, cfu, ksiddiqu, nkinder, nsoman
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | pki-core-9.0.3-35.el6 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | 1024445 | Environment: |
Last Closed: | 2014-10-14 07:36:37 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1024445 | |
Bug Blocks: | 1024461, 1061410 | |

Attachments:
Created attachment 910967 [details]
Patch to create admin cert with SHA256 (used in build)
This patch contains just the code changes present in the previous patch with the following exception:
In 'base/ca/shared/conf/CS.cfg.in', the following was changed from:
ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
to:
ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
Basically, the double '==' was replaced by a single '=', as I was concerned that this may be viewed as a part of the value string ('=SHA256withRSA' rather than 'SHA256withRSA').
Created attachment 910968 [details]
Patch to create admin cert with SHA256 (spec file used in build)
Verified

pki and ipa version
===================
[root@rhel66-master ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-36.el6.noarch
ipa-server-3.0.0-42.el6.x86_64
[root@rhel66-master ~]#

Snip from beaker automation
===========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Uninstall for next test
:: [ PASS ] :: Uninstalling ipa server for next test (Expected 0, got 0)
:: [ PASS ] :: Making sure that /etc/sssd/sssd.conf does not exist. BZ 819982 (Expected 2, got 2)
:: [ PASS ] :: Installing IPA Server (Expected 0, got 0)
:: [ PASS ] :: File '/etc/pki-ca/CS.cfg' should contain 'ca.signing.defaultSigningAlgorithm=SHA256withRSA'
:: [ PASS ] :: Running 'certutil -L -d /etc/pki/nssdb/ -n "ipa-ca-agent" > /tmp/bz1024462_output.xt' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/bz1024462_output.xt' should contain 'Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'
:: [ PASS ] :: IPA admin cert is created with SHA256withRSA signing algo
:: [ PASS ] :: Running 'certutil -D -d /etc/pki/nssdb/ -n "ipa-ca-agent"' (Expected 0, got 0)
:: [ LOG ] :: Duration: 10m 33s
:: [ LOG ] :: Assertions: 8 good, 0 bad
:: [ PASS ] :: RESULT: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1549.html
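The two CS.cfg checks and the certutil check from the comments above, written as a small POSIX shell audit; this is an added example, not code from the bug report or from pki-core. It assumes a config reader that splits each line at the first '=' (the concern behind the '==' correction); the function names and the sample files are constructed for illustration.

```shell
# Added example, not from the bug report. Assumption: the config reader
# splits each line at the first '=' (the concern raised in the comment).

# Print the value of key $2 in file $1: everything after the first '='.
cfg_value() {
    awk -v key="$2" '{ i = index($0, "=")
        if (i > 0 && substr($0, 1, i - 1) == key) { print substr($0, i + 1); exit }
    }' "$1"
}

# Succeed only if $2 is an exact item of the comma-separated allowed list.
alg_allowed() {
    case ",$(cfg_value "$1" ca.profiles.defaultSigningAlgsAllowed)," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Print "lineno:line" for each entry written as key==value.
find_double_equals() { grep -nE '^[^#=]+==' "$1"; }

# Succeed if certutil -L output on stdin reports a SHA-256 RSA signature.
cert_sig_is_sha256() {
    grep -q 'Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'
}

# Report every problem in CS.cfg file $1; return non-zero if any was found.
audit_cfg() {
    rc=0
    [ "$(cfg_value "$1" ca.signing.defaultSigningAlgorithm)" = SHA256withRSA ] ||
        { echo "$1: default signing algorithm is not SHA256withRSA"; rc=1; }
    find_double_equals "$1" && rc=1
    alg_allowed "$1" SHA256withRSA ||
        { echo "$1: SHA256withRSA does not match any allowed entry"; rc=1; }
    return "$rc"
}

# Constructed sample inputs (the algorithm list is the one quoted above).
SAMPLE_DIR=$(mktemp -d)
ALGS=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
DEFAULT=ca.signing.defaultSigningAlgorithm=SHA256withRSA
printf '%s\n%s==%s\n' "$DEFAULT" ca.profiles.defaultSigningAlgsAllowed "$ALGS" > "$SAMPLE_DIR/before.cfg"
printf '%s\n%s=%s\n' "$DEFAULT" ca.profiles.defaultSigningAlgsAllowed "$ALGS" > "$SAMPLE_DIR/after.cfg"
CERT_OK='Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'   # constructed
CERT_SHA1='Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption'   # constructed

for f in before after; do
    if audit_cfg "$SAMPLE_DIR/$f.cfg"; then echo "$f.cfg: OK"; fi
done
printf '%s\n' "$CERT_SHA1" | cert_sig_is_sha256 || echo "SHA-1 sample: signature is not SHA-256"
```

On an installed server the same functions apply to the paths in the verification log: `audit_cfg /etc/pki-ca/CS.cfg`, and the output of `certutil -L -d /etc/pki/nssdb/ -n "ipa-ca-agent"` piped into `cert_sig_is_sha256`.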
Created attachment 818000 [details]
patch to fix
This is the patch to fix this issue. We will wait till the bug has been acked to apply it.