Bug 1518073
Summary: | ExternalCA : Failure with empty skid | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Geetika Kapoor <gkapoor> |
Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> |
Status: | CLOSED NOTABUG | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 8.3 | CC: | ascheel, cfu, mharmsen |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Last Closed: | 2021-01-06 20:26:25 UTC | Type: | Bug |
Description
Geetika Kapoor
2017-11-28 07:23:38 UTC
During the PKI Team Meeting of 20171130, it was determined that this issue would be moved to RHEL 7.6.

Moved to RHEL 7.7.

Hi Geetika,

Could you please explain what's the purpose of adding an empty SKI to a CA cert request?

Thanks.

Hi Christina,

While testing this bugzilla, I have gone through this RFC: https://tools.ietf.org/html/rfc5280

This RFC talks about 2 cases, empty and non-empty, for most of the extensions, so while testing this, one of my test cases was empty value and non-empty value. All I wanted to make sure is that if we have an empty SKID, either it generates a random one by itself or throws a user-friendly error.

Here, for SKI, the RFC says:

this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (Section 4.2.1.9) where the value of cA is TRUE

So, SKID is a MUST extension if CA=true. I was expecting a user-friendly error if this kind of situation arises. The probability of this happening is very low and almost negligible, but as a tester I wanted to cover every test case.

Thanks
Geetika

I am not aware of any allowance for empty SKI. My understanding is that you either have an SKI (for CA certs), or you don't (non-CA certs). I'm only aware of empty or non-empty references for the "Subject Name" of a certificate.

I'm going to suggest closing this bug as not a bug. If there is any objection or issues arise at a later time, it could be reopened.

I agree with Christina's earlier assessment. Reading the RFC, it doesn't mention empty SKID values; the extensions should be elided if it is empty IMO. Notably, it appears OpenSSL does not handle empty SKID values either: https://github.com/openssl/openssl/issues/13603#issuecomment-738678435
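
The validation discussed in this thread (a distinct, readable result when a CA certificate's SKI is present but empty, or absent altogether), as an added example that is not part of the bug report or of pki-core. It walks a DER-encoded Extensions SEQUENCE with a minimal stdlib-only TLV reader; the function names, result strings and sample encodings are assumptions constructed for illustration.

```python
OID_SKI = bytes.fromhex("551d0e")   # 2.5.29.14 subjectKeyIdentifier
OID_BC = bytes.fromhex("551d13")    # 2.5.29.19 basicConstraints

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Split the contents of a constructed value into (tag, value) pairs.
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_ca_ski(extensions_der):
    """Classify a DER Extensions SEQUENCE: 'ok', 'missing-ski' or 'empty-ski'."""
    tag, body, _ = read_tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    # extnID is the first field, extnValue the last; 'critical' is optional.
    exts = {f[0][1]: f[-1][1] for f in (children(e) for _, e in children(body))}
    bc = children(read_tlv(exts[OID_BC])[1]) if OID_BC in exts else []
    is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    if OID_SKI not in exts:
        return "missing-ski" if is_ca else "ok"   # RFC 5280: MUST appear when cA is TRUE
    ski = exts[OID_SKI]
    tag, key_id, _ = read_tlv(ski) if ski else (0x04, b"", 0)
    if tag != 0x04:
        raise ValueError("KeyIdentifier must be an OCTET STRING")
    return "ok" if key_id else "empty-ski"

# Constructed sample encodings (short-form lengths only), not taken from the bug.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value
def ext(oid, inner):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x04, inner))
BC_CA = ext(OID_BC, tlv(0x30, tlv(0x01, b"\xff")))                  # cA = TRUE
WITH_SKI = tlv(0x30, BC_CA + ext(OID_SKI, tlv(0x04, bytes(range(20)))))
EMPTY_SKI = tlv(0x30, BC_CA + ext(OID_SKI, tlv(0x04, b"")))         # inner value is 04 00
NO_SKI = tlv(0x30, BC_CA)
```
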