| Summary: | Spurious host authority entries created | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Fraser Tweedale <ftweedal> | |
| Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
| Priority: | urgent | |||
| Version: | 7.3 | CC: | arubin, ekeck, ftweedal, gkapoor, mharmsen, nkinder | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | Bug Fix | |
| Doc Text: |
PKI Server now correctly compares subject DNs during startup
Due to a bug in the routine that adds a Lightweight CA entry for the primary CA, PKI Server previously failed to compare subject distinguished names (DN) if it contained attributes using encodings other than "UTF8String". As a consequence, every time the primary CA started, an additional Lightweight CA entry was added. PKI Server now compares the subject DNs in canonical form. As a result, PKI server no longer adds additional Lightweight CA entries in the mentioned scenario.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1390322 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 22:46:01 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 1390322 | |||
|
Description
Fraser Tweedale
2016-09-22 02:39:12 UTC
Moving from rhel-7.3.0 ==> rhel-7.4.0. Bug has been marked as RHEL 7.3 ZStream candidate. On September 23, 2016, ftweedal checked-in the following: * master (9043a08bef3723ca218ad7e5dd82be61166b5a1d) * DOGTAG_10_3_BRANCH (84606cc69390187b7f0f11fff41a372fd96f8f93) rpm -qa pki-ca pki-ca-10.4.1-10.el7.noarch Refer https://bugzilla.redhat.com/show_bug.cgi?id=1390322 for more details Test case 1: [root@pki1 ~]# curl -k https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27443/ca/rest/authorities <?xml version="1.0" encoding="UTF-8" standalone="yes"?><collection xmlns:ns2="http://www.w3.org/2005/Atom"><authority isHostAuthority="true" id="99c4df4e-4646-46c1-9934-0d7afb9d080b" issuerDN="CN=External CA,O=EXTERNAL" serial="4947" dn="CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor5,O=Example-Test-rhel-fips" enabled="true" description="Host authority" ready="true"/></collection> Test Case 2: SEQUENCE { 57 3: OBJECT IDENTIFIER commonName (2 5 4 3) 62 11: PrintableString 'External CA' : } : } : } 75 30: SEQUENCE { 77 13: UTCTime 23/06/2017 11:42:27 GMT 92 13: UTCTime 23/09/2017 11:42:27 GMT : } 107 100: SEQUENCE { 109 31: SET { 111 29: SEQUENCE { 113 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 118 22: PrintableString 'Example-Test-rhel-fips' : } : } 142 32: SET { 144 30: SEQUENCE { 146 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 151 23: PrintableString 'pki-ExternalCA-gkapoor5' : } : } 176 31: SET { 178 29: SEQUENCE { 180 3: OBJECT IDENTIFIER commonName (2 5 4 3) 185 22: PrintableString 'CA Signing Certificate' : } : } : } Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110 |