Bug 1378275

Summary: two-step externally-signed CA installation fails due to missing AuthorityID
Product: Red Hat Enterprise Linux 7
Component: pki-core
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Target Milestone: rc
Target Release: 7.3
Reporter: Fraser Tweedale <ftweedal>
Assignee: Fraser Tweedale <ftweedal>
QA Contact: Asha Akkiangady <aakkiang>
Docs Contact: Marc Muehlfeld <mmuehlfe>
CC: arubin, ekeck, ftweedal, gkapoor, mharmsen, nkinder
Keywords: ZStream
Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
Certificate System does not start a Lightweight CA key replication during installation

Previously, Certificate System incorrectly started a Lightweight CA key replication during a two-step installation. As a consequence, the installation failed and an error was displayed. With this update, the two-step installation does not start the Lightweight CA key replication and the installation completes successfully.
Clones: 1390321
Bug Blocks: 1390321
Last Closed: 2017-08-01 22:46:01 UTC
Type: Bug

Description Fraser Tweedale 2016-09-22 02:35:18 UTC
Description of problem:

During two-step installation of externally-signed CA, installation can fail because host authority's private key cannot be located (a temporary condition), causing LWCA key replication codepaths to fire, which throw a NullPointerException? because the host authority has not yet been assigned an AuthorityID. 


Version-Release number of selected component (if applicable):


How reproducible:

Always?


Steps to Reproduce:
1. install CA using two-step externally-signed process

Actual results:

Installation fails with following output:

======================
Log file: /var/log/pki/pki-ca-spawn.20160921163609.log
Loading deployment configuration from external-step2.cfg.
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed:
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.36 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><div class="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
...
</pre><p><b>root cause</b></p><pre>java.lang.NullPointerException
        java.util.TreeMap.getEntry(TreeMap.java:347)
        java.util.TreeMap.containsKey(TreeMap.java:232)
        java.util.Collections$SynchronizedMap.containsKey(Collections.java:2578)
        com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1572)
        com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:525)
        com.netscape.cmscore.apps.CMSEngine.reinit(CMSEngine.java:1344)
        com.netscape.certsrv.apps.CMS.reinit(CMS.java:191)
        com.netscape.cms.servlet.csadmin.ConfigurationUtils.reInitSubsystem(ConfigurationUtils.java:2299)
        org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:181)
        org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
...
</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.36 logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.36</h3></body></html>

Please check the CA logs in /var/log/pki/pki-tomcat/ca.
======================


Expected results:  installation succeeds


Additional info:
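
The failure path described in the report, modelled as an added Java example that is not Dogtag's own code: a synchronized TreeMap rejects a null key, so any lookup keyed by an AuthorityID that has not been assigned yet throws NullPointerException from TreeMap.getEntry, exactly the root cause in the trace above. The guard shown is the defensive shape of the fix: a CA that has no AuthorityID yet (the host CA during step 2 of an externally-signed install) is never treated as a key-replication candidate. The class and method names, the replication decision logic, and the use of String in place of the real AuthorityID type are all assumptions made for the example.

```java
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

// Simplified model of the bug and its guard (added example, not Dogtag code).
// String stands in for AuthorityID; the map models the CA's registry of
// lightweight CAs, which in the real server is also a synchronized TreeMap.
public class LwcaInitModel {

    static final Map<String, String> caMap =
            Collections.synchronizedMap(new TreeMap<>());

    /** Buggy path: if the signing key is missing, consult the registry.
     *  TreeMap.containsKey(null) throws NullPointerException, so a CA whose
     *  AuthorityID is still null brings down initialisation. */
    static boolean needsKeyReplicationBuggy(String authorityID, boolean signingKeyFound) {
        if (signingKeyFound) {
            return false;
        }
        return !caMap.containsKey(authorityID); // NPE when authorityID == null
    }

    /** Guarded path: no AuthorityID means the CA is not yet registered
     *  (two-step install in progress), so key replication is not attempted. */
    static boolean needsKeyReplicationFixed(String authorityID, boolean signingKeyFound) {
        if (signingKeyFound) {
            return false;
        }
        if (authorityID == null) {
            return false; // host CA not yet assigned an ID: skip replication
        }
        return !caMap.containsKey(authorityID);
    }

    public static void main(String[] args) {
        // Constructed sample registry entry; the value is irrelevant to the lookup.
        caMap.put("host-ca", "registered");

        try {
            needsKeyReplicationBuggy(null, false);
            System.out.println("unexpected: buggy path did not throw");
        } catch (NullPointerException e) {
            System.out.println("buggy path: NullPointerException from TreeMap, as in the report");
        }

        System.out.println("fixed path, null id: "
                + needsKeyReplicationFixed(null, false));
        System.out.println("fixed path, registered id: "
                + needsKeyReplicationFixed("host-ca", false));
        System.out.println("fixed path, unregistered id: "
                + needsKeyReplicationFixed("lwca-1", false));
    }
}
```

Compile and run with `javac LwcaInitModel.java && java LwcaInitModel`. The point the model isolates is that the null check has to happen before the map lookup: wrapping the map in Collections.synchronizedMap adds locking but does not change TreeMap's refusal of null keys, so the temporary "key not found" condition during step 2 turns into a hard failure unless the not-yet-registered case is handled first.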

Comment 3 Matthew Harmsen 2016-09-22 17:10:45 UTC
Moving from rhel-7.3.0 ==> rhel-7.4.0.

Bug has been marked as RHEL 7.3 ZStream candidate.

Comment 4 Matthew Harmsen 2016-09-23 22:24:24 UTC
*** Bug 1378517 has been marked as a duplicate of this bug. ***

Comment 5 Matthew Harmsen 2016-09-26 16:19:41 UTC
On September 23, 2016, ftweedal checked-in the following:
* master (3ea93c9b4bc03f3d79550d8bdfd1447ffa25238d)
* DOGTAG_10_3_BRANCH (fca5fd053434d112998c814bc6d9424b6a5bac98)

Comment 10 Geetika Kapoor 2017-06-22 12:14:19 UTC
Hi Fraser, do you think this much testing is sufficient, or do I need to cover some other test case too?
Thanks

ExternalCA:

Using Another pki instance:
---------------------------

1. Csr is generated using step1 installation.

--         Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign


2. Sign the request using RootCA(pki).

Test steps:
-----------

2.1. pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
2.2. Approve it from CA Agent page.
2.3. Signed certificate Extensions: AKI for Externally signed certificate == SKI of Signing CA
SKI for Externally signed CA should be new and unique.


            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
                        88:4D:23:18
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        3B:EB:A1:26:93:ED:D6:81:16:68:BB:AC:15:15:88:9A:
                        97:EA:B4:87
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp



2.4. Signing CA certificate Extensions: since this is the RootCA, its SKI == AKI


            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
                        88:4D:23:18
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
                        88:4D:23:18
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp

3. Perform the last step where we need to do External CA installation.
pkispawn -f ca_2.cfg -s CA -vvv


This should give a successful installation.

4. Stop the ExternalCA process. Change the cipher and restart.
5. Make sure you are able to sign the certificate.

==========================================================================================================================================


ExternalCA with nssdb:

SECret.123
SECret.456


1. Self signed ExternalCA certificate of nssdb(external.crt) with no SKI:

Usage of SKI is optional in case of self signed certificate.

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign


2. Ca signing certificate signed by the External.crt

        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://pki1.example.com:8080/ca/ocsp

            X509v3 Subject Key Identifier: 
                9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:43:F3:12:8F
            X509v3 Authority Key Identifier: 
                0.
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign


3. Proceed with step 2 installation.

User Signed certificate extension
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:
                        43:F3:12:8F
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27080/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key Encipherment 
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no 
                    Extended Key Usage: 
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4

==================================================================================================================================

Comment 11 Fraser Tweedale 2017-06-22 23:36:33 UTC
Any two-step externally-signed CA installation is sufficient to
trigger the bug, so the above is sufficient.

Comment 12 Geetika Kapoor 2017-06-23 16:45:40 UTC
Moving bug to verified

Comment 15 errata-xmlrpc 2017-08-01 22:46:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110