Bug 1376117

Summary: Tinyca2 does not sign subordinate CA certificates properly
Product: [Fedora] Fedora EPEL
Reporter: RW Shore <rws228>
Component: tinyca2
Assignee: Paul Wouters <pwouters>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: el6
CC: pwouters
Hardware: x86_64   
OS: Linux   
Last Closed: 2020-11-30 15:05:59 UTC
Type: Bug

Description RW Shore 2016-09-14 18:12:18 UTC
Description of problem:
When building a key for a subordinate CA, TinyCA2 ignores the digest selection and always uses SHA1.


Version-Release number of selected component (if applicable):
0.7.6 (most recent from EPEL 6) release 0.14.20070611.el6

How reproducible:
completely

Steps to Reproduce:
1. Build a root CA with SHA512 digest (say). Note that the certificate reports sha512WithRSA signing, as expected
2. Use this CA to build a subordinate CA with SHA512 digest (say). Note that the certificate reports sha1WithRSA signing, which is not expected.
3. Use the sub-CA to build a client key (say) with SHA512 digest. Note that the certificate reports sha512WithRSA signing, as expected.

Actual results:
Certificate for the sub-CA uses sha1WithRSA signing

Expected results:
Certificate for the sub-CA uses sha512WithRSA signing

Additional info:
I didn't try all the digest variations, but both SHA512 and SHA256 produced unexpected sha1WithRSA signing algorithms.

Comment 1 Ben Cotton 2020-11-05 16:47:15 UTC
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is our policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Comment 2 Ben Cotton 2020-11-30 15:05:59 UTC
EPEL el6 changed to end-of-life (EOL) status on 2020-11-30. EPEL el6 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
EPEL please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.