Bug 1534772
Summary: | org.mozilla.jss.pkix.primitive.AlgorithmIdentifier decode/encode process alters original data | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> | ||||
Component: | jss | Assignee: | Christina Fu <cfu> | ||||
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | urgent | ||||||
Version: | 7.5 | CC: | aakkiang, cfu, edewata, ekeck, elio.maldonado.batiz, extras-qa, jmagne, kwright, lmiksik, mharmsen, nkinder, rcritten, rmeggins, ssidhaye | ||||
Target Milestone: | rc | Keywords: | ZStream | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | jss-4.4.4-3.el7 | Doc Type: | Bug Fix | ||||
Doc Text: |
See Doc Text in BZ#1595759.
|
Story Points: | --- | ||||
Clone Of: | 1534771 | ||||||
: | 1595759 (view as bug list) | Environment: | |||||
Last Closed: | 2018-10-30 11:00:36 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 1534771 | ||||||
Bug Blocks: | 1595759 | ||||||
Attachments: |
|
Description
Matthew Harmsen
2018-01-15 22:51:59 UTC
Created attachment 1454843 [details] patch to fix AlgorithmIdentifier properly This patch provide fix for this reported bug as well as https://bugzilla.redhat.com/show_bug.cgi?id=1575725, which in retrospect was mislead by the reported EC issue and came in the wrong angle. The fix in 1575725 is reverted and new fix provided. I think the patch fixes the following bug as well: https://bugzilla.redhat.com/show_bug.cgi?id=1591979 Comment on attachment 1454843 [details]
patch to fix AlgorithmIdentifier properly
Looks good.
commit 8fc2c37b3a7af8df7da0365c23f0553febb36905 (HEAD -> master, Ticket-12-AlgorithmIdEncodeDecode) Author: Christina Fu <cfu> Date: Tue Jun 26 17:59:28 2018 -0700 Ticket 12 AlgorithmIdentifier decode/encode process alters original data This patch provides fix to ensure that the encoding and decoding of an AlgorithmIdentifier structure would not alter the data. credit: original fix suggestion provided by david.k.stutzman2.ctr fixes https://pagure.io/jss/issue/12 *** Bug 1591979 has been marked as a duplicate of this bug. *** (In reply to Christina Fu from comment #5) > I think the patch fixes the following bug as well: > https://bugzilla.redhat.com/show_bug.cgi?id=1591979 actually no. I was looking at wrong file at that time. Build used for verification: root@csqa4-guest01 BZ1534772 # rpm -qi jss Name : jss Version : 4.4.4 Release : 3.el7 Architecture: x86_64 Install Date: Sun 12 Aug 2018 04:21:00 AM EDT Group : Unspecified Size : 1456493 License : MPLv1.1 or GPLv2+ or LGPLv2+ Signature : RSA/SHA256, Mon 16 Jul 2018 04:07:45 PM EDT, Key ID 199e2f91fd431d51 Source RPM : jss-4.4.4-3.el7.src.rpm Build Date : Mon 16 Jul 2018 03:48:21 PM EDT Build Host : x86-038.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://www.dogtagpki.org/wiki/JSS Summary : Java Security Services (JSS) Description : Java Security Services (JSS) is a java native interface which provides a bridge for java-based applications to use native Network Security Services (NSS). This only works with gcj. Other JREs require that JCE providers be signed. Verification procedure as mentioned in: https://bugzilla.redhat.com/show_bug.cgi?id=1547802#c2 CMC Enrollment Procedure (User Signed) PKCS10Client -d /tmp/nssdb/ -p SECret.123 -n "cn=foo bar, uid=foobar" -o pkcs10.req CMCRequest cmc-p10-user-signed.cfg HttpClient HttpClient-cmc-p10-user-signed.cfg CMCResponse -i cmc.pkcs10Resp root@csqa4-guest01 BZ1534772 # CMCResponse -d /tmp/nssdb/ -v -i cmc.pkcs10Resp -o cmc.p10-ec.resp.pem Cert:0 MIICbTCCAhOgAwIBAgIEBNyHeTAKBggqhkjOPQQDAjBeMRowGAYDVQQKDBFFeGFt cGxlLXJoY3M5NC1DQTEfMB0GA1UECwwWcmhjczk0LUNBLUVDQy1zc2lkaGF5ZTEf MB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODA4MTYwNjE4MzNa Fw0zODA4MTYwNjE4MzNaMF4xGjAYBgNVBAoMEUV4YW1wbGUtcmhjczk0LUNBMR8w HQYDVQQLDBZyaGNzOTQtQ0EtRUNDLXNzaWRoYXllMR8wHQYDVQQDDBZDQSBTaWdu aW5nIENlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsTM553I3 pCh9Jsh/TZ1fSe+lZ2eO1Lc3QTfjKhMNVp+xfeRex4nREJ5tx/JuWdCYc0Tbeu1E Q6Xpfe1zdWdAp6OBvjCBuzAfBgNVHSMEGDAWgBQmboy2M/xb3/utPTICRoOaHeIR VzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUJm6M tjP8W9/7rT0yAkaDmh3iEVcwWAYIKwYBBQUHAQEETDBKMEgGCCsGAQUFBzABhjxo dHRwOi8vY3NxYTQtZ3Vlc3QwMS5pZG0ubGFiLmVuZy5yZHUucmVkaGF0LmNvbTo4 MDgwL2NhL29jc3AwCgYIKoZIzj0EAwIDSAAwRQIhALwydUQtwemyD0nG16vfqC41 Iti2WkACJ43gbc/3V+uMAiB+xr5rsFoM0FsgRgC6jxbiOms6WtW/ZVCmsJYxrut4 mQ== === Cert:1 MIIC9zCCAp2gAwIBAgIEAcl7XzAKBggqhkjOPQQDAjBeMRowGAYDVQQKDBFFeGFt cGxlLXJoY3M5NC1DQTEfMB0GA1UECwwWcmhjczk0LUNBLUVDQy1zc2lkaGF5ZTEf MB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODA4MTYxMjEyMzRa Fw0xOTAyMTIxMzEyMzRaMC4xEjAQBgNVBAMMCVRlc3QgVXNlcjEYMBYGCgmSJomT 8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA sRyWm8NA0KnzAfbmUrs94nwp20EAVZO8x0R/zmwbMq31ymoMB6xt89RlbCQeqkko sflnKOdk4imelVdTh+JFtz9pd87aXzpI0F6O4w8IwzboAj6qPf6LMYTEpfm/FsdD ScX/IkUg0jkcVblUx5/mF8ycRZycu0ttRFYwEqbWvWQLkH1t6pPDNkk2JNQcC6VZ qBLGrTNCzQnPZ9sbtX8BHrBXnXiZFkuEeBd+HeLWMxq4Ne9xZWgR0tmAPB/XIZi9 hK0bzhm5STki7mrGtnwR/s1M+fAqOkfM1AWFuDlOH6gMbwjiaEOhObF13jY2RP8p xvl/vEFz4PpBJcsi9A2QsQIDAQABo4GtMIGqMB8GA1UdIwQYMBaAFCZujLYz/Fvf +609MgJGg5od4hFXMFgGCCsGAQUFBwEBBEwwSjBIBggrBgEFBQcwAYY8aHR0cDov L2NzcWE0LWd1ZXN0MDEuaWRtLmxhYi5lbmcucmR1LnJlZGhhdC5jb206ODA4MC9j YS9vY3NwMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB BQUHAwQwCgYIKoZIzj0EAwIDSAAwRQIhAORm+xRycQ055CGZeBHCRzP6crazkkk6 Lb9jnfj+M6sDAiAknGOkaYn8pxQfO4wfy8DO4YsWKEuTwQDByuhH/NxuNA== === Certificates: Certificate: Data: Version: v3 Serial Number: 0x4DC8779 Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Issuer: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA Validity: Not Before: Thursday, August 16, 2018 2:18:33 AM EDT America/New_York Not After: Monday, August 16, 2038 2:18:33 AM EDT America/New_York Subject: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA Subject Public Key Info: Algorithm: EC - 1.2.840.10045.2.1 Public Key: 04:B1:33:39:E7:72:37:A4:28:7D:26:C8:7F:4D:9D:5F: 49:EF:A5:67:67:8E:D4:B7:37:41:37:E3:2A:13:0D:56: 9F:B1:7D:E4:5E:C7:89:D1:10:9E:6D:C7:F2:6E:59:D0: 98:73:44:DB:7A:ED:44:43:A5:E9:7D:ED:73:75:67:40: A7 Extensions: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 26:6E:8C:B6:33:FC:5B:DF:FB:AD:3D:32:02:46:83:9A: 1D:E2:11:57 Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key CertSign Crl Sign Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: 26:6E:8C:B6:33:FC:5B:DF:FB:AD:3D:32:02:46:83:9A: 1D:E2:11:57 Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:4A:30:48:06:08:2B:06:01:05:05:07:30:01:86:3C: 68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65: 73:74:30:31:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67: 2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A: 38:30:38:30:2F:63:61:2F:6F:63:73:70 Signature: Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Signature: 30:45:02:21:00:BC:32:75:44:2D:C1:E9:B2:0F:49:C6: D7:AB:DF:A8:2E:35:22:D8:B6:5A:40:02:27:8D:E0:6D: CF:F7:57:EB:8C:02:20:7E:C6:BE:6B:B0:5A:0C:D0:5B: 20:46:00:BA:8F:16:E2:3A:6B:3A:5A:D5:BF:65:50:A6: B0:96:31:AE:EB:78:99 FingerPrint MD2: 42:37:89:53:FE:FF:14:E4:16:85:E6:80:26:CB:D7:D5 MD5: 91:1E:26:90:70:3F:96:A7:C5:2F:26:50:90:B5:5B:11 SHA-1: 04:F4:84:C5:1C:C2:EA:12:BD:90:85:3D:4B:CD:1C:E8: AA:AB:8A:64 SHA-256: 83:C8:9B:85:D5:02:2B:9F:BE:4D:A1:45:61:C4:61:9D: C6:13:4F:43:6C:38:10:E8:4E:D5:9C:8A:2A:D0:9D:86 SHA-512: D4:D6:BC:81:40:37:F9:1F:AD:E0:BB:27:03:90:B4:55: 29:30:C2:FB:B8:7C:90:A8:27:AC:B6:37:5B:6B:8A:11: 0F:4F:C5:04:AB:C8:64:EC:6A:0A:62:06:C4:EA:FC:44: 69:C0:02:8F:0D:94:9B:9F:D1:5D:DD:5B:A4:96:7E:E3 Certificate: Data: Version: v3 Serial Number: 0x1C97B5F Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Issuer: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA Validity: Not Before: Thursday, August 16, 2018 8:12:34 AM EDT America/New_York Not After: Tuesday, February 12, 2019 8:12:34 AM EST America/New_York Subject: UID=testuser,CN=Test User Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 Public Key: Exponent: 65537 Public Key Modulus: (2048 bits) : B1:1C:96:9B:C3:40:D0:A9:F3:01:F6:E6:52:BB:3D:E2: 7C:29:DB:41:00:55:93:BC:C7:44:7F:CE:6C:1B:32:AD: F5:CA:6A:0C:07:AC:6D:F3:D4:65:6C:24:1E:AA:49:28: B1:F9:67:28:E7:64:E2:29:9E:95:57:53:87:E2:45:B7: 3F:69:77:CE:DA:5F:3A:48:D0:5E:8E:E3:0F:08:C3:36: E8:02:3E:AA:3D:FE:8B:31:84:C4:A5:F9:BF:16:C7:43: 49:C5:FF:22:45:20:D2:39:1C:55:B9:54:C7:9F:E6:17: CC:9C:45:9C:9C:BB:4B:6D:44:56:30:12:A6:D6:BD:64: 0B:90:7D:6D:EA:93:C3:36:49:36:24:D4:1C:0B:A5:59: A8:12:C6:AD:33:42:CD:09:CF:67:DB:1B:B5:7F:01:1E: B0:57:9D:78:99:16:4B:84:78:17:7E:1D:E2:D6:33:1A: B8:35:EF:71:65:68:11:D2:D9:80:3C:1F:D7:21:98:BD: 84:AD:1B:CE:19:B9:49:39:22:EE:6A:C6:B6:7C:11:FE: CD:4C:F9:F0:2A:3A:47:CC:D4:05:85:B8:39:4E:1F:A8: 0C:6F:08:E2:68:43:A1:39:B1:75:DE:36:36:44:FF:29: C6:F9:7F:BC:41:73:E0:FA:41:25:CB:22:F4:0D:90:B1 Extensions: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 26:6E:8C:B6:33:FC:5B:DF:FB:AD:3D:32:02:46:83:9A: 1D:E2:11:57 Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:4A:30:48:06:08:2B:06:01:05:05:07:30:01:86:3C: 68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65: 73:74:30:31:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67: 2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A: 38:30:38:30:2F:63:61:2F:6F:63:73:70 Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key Encipherment Identifier: Extended Key Usage: - 2.5.29.37 Critical: no Extended Key Usage: 1.3.6.1.5.5.7.3.2 1.3.6.1.5.5.7.3.4 Signature: Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Signature: 30:45:02:21:00:E4:66:FB:14:72:71:0D:39:E4:21:99: 78:11:C2:47:33:FA:72:B6:B3:92:49:3A:2D:BF:63:9D: F8:FE:33:AB:03:02:20:24:9C:63:A4:69:89:FC:A7:14: 1F:3B:8C:1F:CB:C0:CE:E1:8B:16:28:4B:93:C1:00:C1: CA:E8:47:FC:DC:6E:34 FingerPrint MD2: 1B:BA:17:2C:69:D3:58:3A:DE:90:61:53:A1:84:07:BA MD5: 7B:1F:B3:C4:63:2E:68:BF:7B:05:CD:4C:38:B7:EA:07 SHA-1: 35:5C:CB:1B:F6:10:32:84:D5:17:0C:E7:E8:31:32:5B: 6A:68:B8:21 SHA-256: 79:43:32:92:C9:0F:7E:A8:8E:F5:2D:C4:64:02:61:7F: A4:5E:10:8F:65:4F:01:75:56:91:4E:8C:EE:8E:42:8C SHA-512: 1B:00:2C:D6:96:26:46:2F:8F:49:D4:69:B8:0B:2F:F3: 91:2C:0E:88:CC:AD:C9:58:BA:0D:34:02:E4:C7:9E:B6: E3:3A:A6:6E:0F:09:AD:D0:C7:EA:72:99:F5:05:7B:AB: 20:63:88:D0:8F:C3:2A:D5:0A:EE:0C:65:05:49:18:DB Number of controls is 1 Control #0: CMCStatusInfoV2 OID: {1 3 6 1 5 5 7 7 25} BodyList: 1 Status: SUCCESS CMC Full Response. PKCS#7 now stored in file: cmc.p10-ec.resp.pem Base 64 encoded certificate displayed in the UI -----BEGIN CERTIFICATE----- MIIC9zCCAp2gAwIBAgIEAcl7XzAKBggqhkjOPQQDAjBeMRowGAYDVQQKDBFFeGFt cGxlLXJoY3M5NC1DQTEfMB0GA1UECwwWcmhjczk0LUNBLUVDQy1zc2lkaGF5ZTEf MB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODA4MTYxMjEyMzRa Fw0xOTAyMTIxMzEyMzRaMC4xEjAQBgNVBAMMCVRlc3QgVXNlcjEYMBYGCgmSJomT 8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA sRyWm8NA0KnzAfbmUrs94nwp20EAVZO8x0R/zmwbMq31ymoMB6xt89RlbCQeqkko sflnKOdk4imelVdTh+JFtz9pd87aXzpI0F6O4w8IwzboAj6qPf6LMYTEpfm/FsdD ScX/IkUg0jkcVblUx5/mF8ycRZycu0ttRFYwEqbWvWQLkH1t6pPDNkk2JNQcC6VZ qBLGrTNCzQnPZ9sbtX8BHrBXnXiZFkuEeBd+HeLWMxq4Ne9xZWgR0tmAPB/XIZi9 hK0bzhm5STki7mrGtnwR/s1M+fAqOkfM1AWFuDlOH6gMbwjiaEOhObF13jY2RP8p xvl/vEFz4PpBJcsi9A2QsQIDAQABo4GtMIGqMB8GA1UdIwQYMBaAFCZujLYz/Fvf +609MgJGg5od4hFXMFgGCCsGAQUFBwEBBEwwSjBIBggrBgEFBQcwAYY8aHR0cDov L2NzcWE0LWd1ZXN0MDEuaWRtLmxhYi5lbmcucmR1LnJlZGhhdC5jb206ODA4MC9j YS9vY3NwMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB BQUHAwQwCgYIKoZIzj0EAwIDSAAwRQIhAORm+xRycQ055CGZeBHCRzP6crazkkk6 Lb9jnfj+M6sDAiAknGOkaYn8pxQfO4wfy8DO4YsWKEuTwQDByuhH/NxuNA== -----END CERTIFICATE----- Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3188 |