Bug 1444432

Summary: CA-less pkinit not installable with --pkinit-cert-file option
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Michal Reznik <mreznik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: ksiddiqu, mbasti, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-14.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:48:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
bz1444432 none

Description Petr Vobornik 2017-04-21 10:26:19 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6869

When installing PKINIT cert in CA-less installation and using the `--pkinit-cert-file` option, the installation always fails.

The reason the installation fails is that we require full chain in the `.p12` file that's fed to the above option. The file gets correctly exported to a PEM bundle in '/var/kerberos/krb5kdc/kdc.crt' but it will contain multiple certificates. OpenSSL does not know how to deal with this, it assumes there's only one certificate in the PEM file. If the first certificate is a CA cert, that will cause the installation to crash as it will be unable to test anonymous pkinit.

Indeed, `kinit -n` gives:
```
...
[48537] 1492084647.997132: Preauth module pkinit (147) (info) returned: 0/Success
[48537] 1492084647.997365: PKINIT OpenSSL error: Failed to verify CMS message
[48537] 1492084647.997387: PKINIT OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[48537] 1492084647.997394: PKINIT OpenSSL error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[48537] 1492084647.997403: PKINIT OpenSSL error: error:2E09809E:CMS routines:CMS_SignerInfo_verify:verification failure
[48537] 1492084647.997427: PKINIT client could not verify DH reply
[48537] 1492084647.997437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: block type is not 01
kinit: Invalid signature while getting initial credentials
```
Comment 2 Petr Vobornik 2017-04-21 10:26:39 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6869
Comment 3 Martin Bašti 2017-05-19 10:32:49 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/235265a5f5436148dd8d7e63b7e3928689796560
https://pagure.io/freeipa/c/f0442a2d0ed54abe6567fce6d99fd31f7c6c7883
https://pagure.io/freeipa/c/52730c786f6bb11aa7992b11fa0f5c94c90f9eb8
https://pagure.io/freeipa/c/01a7416d305ddb11d5b83c99afbacf8ba854c148
https://pagure.io/freeipa/c/11b8a3434655932fa73f05d4bd864bed0194035c
https://pagure.io/freeipa/c/4d36cbf6ad412822b8fb029f517f9228e2c8d4ee
https://pagure.io/freeipa/c/f769045f0ae9c5fdc651e03c0c96af9cdec8f298
https://pagure.io/freeipa/c/b9fd123d61fa7adda090c05216906ba0cf4779a9
https://pagure.io/freeipa/c/0c5b2c42bf52dc75ecf9d95036ca8517670877d6
https://pagure.io/freeipa/c/cc572378a69a7e4d18b7297b7fa54e2fe8e33b2f
https://pagure.io/freeipa/c/3b5dbf7cdb4c03260057c8f7a2abd5c5712eca41
https://pagure.io/freeipa/c/b3855704f479eaf122139189b762b943b2dcc0fc
https://pagure.io/freeipa/c/9ea764ecf5c3118df0917d94c4940b4ee38b3a31
https://pagure.io/freeipa/c/96ca62f81d3505b050eb9b9d71d4fc4c18e1535e
Comment 4 Martin Bašti 2017-05-19 10:34:33 UTC 
ipa-4-5:
https://pagure.io/freeipa/c/6338dbe47313a70b93bbf53855db451145d24544
https://pagure.io/freeipa/c/749d504f4335c375cf86bf44814177f03be61b52
https://pagure.io/freeipa/c/e68812331526269f3b556c339f65077f649110d3
https://pagure.io/freeipa/c/16b295c5a8580accfbbab016f3cc4eef0a704163
https://pagure.io/freeipa/c/63c4cbd619f81f16e0c08d3786b69d348c9dcfd7
https://pagure.io/freeipa/c/523a82652e2f95704a07ac25cc829a0782b9e22a
https://pagure.io/freeipa/c/b83ebe0e3ff692de37f28834d09a423d04e6ad68
https://pagure.io/freeipa/c/5cf5395eb51ff5ec8164075a5ee573abe76bc15e
https://pagure.io/freeipa/c/e6497f099c09dfa60bd6ae98e4692e99b7381752
https://pagure.io/freeipa/c/bc8deb118dce93fc380793c75090d9108ce61541
https://pagure.io/freeipa/c/cbdf6693cc8707dda9c1db42fb05dc5b1d70b7af
https://pagure.io/freeipa/c/77ef29ef30086c714025d97328507bd51e3f0421
https://pagure.io/freeipa/c/6f900ec60a426a2b97823d4612949a953fa6d49b
https://pagure.io/freeipa/c/e27b3e139ffff16f6e238ef6f9ff7d2ed02492bc
Comment 6 Michal Reznik 2017-06-07 12:29:08 UTC 
Verified on:

ipa-server-4.5.0-14.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

console logs attached...
Comment 7 Michal Reznik 2017-06-07 12:29:43 UTC 
Created attachment 1285793 [details]
bz1444432
Comment 8 errata-xmlrpc 2017-08-01 09:48:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304