Bug 1538311
Summary: | Using a Netmask produces an odd entry in a certificate | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Amy Farley <afarley>
Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal>
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang>
Severity: | urgent | Docs Contact: |
Priority: | urgent | |
Version: | 7.4 | CC: | afarley, ftweedal, mharmsen, msauton, ssidhaye
Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | pki-core-10.5.9-2.el7 | Doc Type: | Bug Fix
Doc Text: | Previously, Certificate System insufficiently validated values set in iPAddressName fields. If an invalid value was set, the server incorrectly issued certificates that contained this value. With this update, Certificate System validates iPAddressName values in profile configurations according to the context, such as Subject Alternative Name (SAN) or name constraints extensions. As a result, the server no longer issues certificates with invalid iPAddressName values. | |
Story Points: | --- | |
Clone Of: | | |
Clones: | 1553068 | Environment: |
Last Closed: | 2018-10-30 11:05:22 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1477664, 1553068 | |
Comment 3
Matthew Harmsen
2018-01-26 19:30:42 UTC

Assigning this to myself. Will have patch for this early next week.

Upstream ticket: https://pagure.io/dogtagpki/issue/2922
Gerrit review: https://review.gerrithub.io/#/c/398356/

Pushed to master:

* 628ace0c9 IPAddressName: refactoring
* ab401936d Check validity of Subject/Issuer Alt Names and Name Constraints
* c8ca22a55 GeneralNameInterface: methods for checking name validity
* 93d6af74e parseGeneralName: properly parse iPAddress GN with netmask
* 67059fae6 IPAddressName: remove unused getLength method

More commits, to fix issues discovered during QE, have been pushed to upstream master:

- 2ea0bd67171145a2013181ee75f0223aee2ddced IPAddressName: fix toString method
- 6ff2dfc3dcf3322653646ac7afcead9ab7b94080 Handle empty NameConstraints subtrees when reading extension

New upstream commit on master branch:

* df8198d64 (origin/master) IPAddressName: fix construction from String

Moving to POST.

QE Verification Procedure

https://bugzilla.redhat.com/show_bug.cgi?id=1553068#c4

Build used for verification:

```
root@csqa4-guest01 ~ # pki --version
PKI Command-Line Interface 10.5.9-5.el7
```

Use the profile attached here: https://bugzilla.redhat.com/attachment.cgi?id=1451379

```
root@csqa4-guest01 ca # pki -d /tmp/nssdb -c SECret.123 client-cert-request "CN=localhost.com" --profile caServerCert
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 41
  Type: enrollment
  Request Status: pending
  Operation Result: success
root@csqa4-guest01 ca # pki -d /tmp/nssdb -c SECret.123 -n "PKI CA Administrator for rhcs94-CA-ssidhaye" cert-request-review 41 --action approve
-------------------------------
Approved certificate request 41
-------------------------------
  Request ID: 41
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x88f368f
root@csqa4-guest01 ca # pki -d /tmp/nssdb -c SECret.123 -n "PKI CA Administrator for rhcs94-CA-ssidhaye" cert-show 0x88f368f --pretty
-----------------------
Certificate "0x88f368f"
-----------------------
  Serial Number: 0x88f368f
  Subject DN: CN=localhost.com
  Issuer DN: CN=CA Signing Certificate,OU=rhcs94-CA-ssidhaye,O=Example-rhcs94-CA
  Status: VALID
  Not Valid Before: Tue Aug 14 04:47:58 EDT 2018
  Not Valid After: Mon Aug 03 04:47:58 EDT 2020
  Certificate:
    Data:
      Version: v3
      Serial Number: 0x88F368F
      Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
      Issuer: CN=CA Signing Certificate,OU=rhcs94-CA-ssidhaye,O=Example-rhcs94-CA
      Validity:
        Not Before: Tuesday, August 14, 2018 4:47:58 AM EDT America/New_York
        Not After: Monday, August 3, 2020 4:47:58 AM EDT America/New_York
      Subject: CN=localhost.com
      Subject Public Key Info:
        Algorithm: RSA - 1.2.840.113549.1.1.1
        Public Key:
          Exponent: 65537
          Public Key Modulus: (1024 bits) :
            A9:84:4B:2C:F0:15:2C:CE:73:63:58:FC:68:7E:DD:A6:
            9B:DA:EB:7E:9D:D8:23:14:71:F2:FD:2F:16:A4:91:C8:
            F6:E7:43:76:82:33:32:5F:14:1E:AC:DB:4D:81:C2:14:
            EB:93:55:D2:D8:4F:06:36:B2:5F:41:B4:FD:79:E1:F6:
            86:1C:27:C8:5C:55:53:89:1D:81:31:0F:67:95:AE:00:
            6E:C6:14:59:29:71:13:27:67:40:66:5F:8F:A3:5F:EF:
            FB:18:36:F3:27:21:E1:02:AE:C5:B5:17:5E:6A:09:21:
            7B:B5:3C:6F:B0:C6:A8:B7:57:01:C0:AD:71:45:CE:6F
      Extensions:
        Identifier: Authority Key Identifier - 2.5.29.35
          Critical: no
          Key Identifier:
            6E:18:79:2E:05:5B:BA:2E:91:5A:40:72:B2:3D:7D:F7:
            AA:15:ED:99
        Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
          Critical: no
          Access Description:
            Method #0: ocsp
            Location #0: URIName: http://csqa4-guest01.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp
        Identifier: Key Usage: - 2.5.29.15
          Critical: yes
          Key Usage:
            Digital Signature
            Key Encipherment
            Data Encipherment
        Identifier: Extended Key Usage: - 2.5.29.37
          Critical: no
          Extended Key Usage:
            1.3.6.1.5.5.7.3.1
            1.3.6.1.5.5.7.3.2
        Identifier: Name Constraints - 2.5.29.30
          Critical: yes
          GeneralSubtrees:
            Excluded:
              GeneralSubtree: [
                GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                Minimum: 0
                Maximum: undefined]
              GeneralSubtree: [
                GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                Minimum: 0
                Maximum: undefined]
              GeneralSubtree: [
                GeneralName: IPAddress: dead:beef:0:0:0:0:0:1,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                Minimum: 0
                Maximum: undefined]
              GeneralSubtree: [
                GeneralName: IPAddress: dead:beef:0:0:0:0:0:0,ffff:ffff:0:0:0:0:0:0
                Minimum: 0
                Maximum: undefined]
        Identifier: Subject Alternative Name - 2.5.29.17
          Critical: yes
          Value:
            IPAddress: 10.10.10.10
            DNSName: localhost.com
    Signature:
      Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13
      Signature:
        [...]
    FingerPrint
      MD2: A4:CB:18:6B:5F:6F:7B:D1:15:73:62:14:D9:A5:F1:18
      MD5: F8:ED:E1:70:06:FC:9A:C0:7E:A8:A0:C8:3A:D5:B4:92
      SHA-1: 64:E0:B9:A2:3D:9B:45:C5:14:58:08:09:A7:12:DF:BB:
        47:37:D8:BF
      SHA-256: 94:BC:82:68:CC:6C:92:FD:6F:5A:C0:F1:F1:46:02:D1:
        94:AE:85:44:B0:DF:62:0D:55:02:2D:CA:DD:23:97:A4
      SHA-512: 5D:D4:86:06:C4:A9:B8:00:C6:A6:7E:E6:29:1D:38:55:
        CA:3E:EB:57:EC:C3:72:86:90:83:D1:51:3E:ED:80:D3:
        A4:DD:47:68:A5:0B:9E:E0:FA:0C:7F:CF:0A:4D:04:36:
        DF:EB:E5:E7:1D:39:87:79:E5:2C:48:DE:6B:E4:4A:BC
```

Then modify the profile, making one of these a plain IP address (no netmask, e.g. "10.10.10.10"). Issuance should fail (because netmask is required for Name Constraints extension).

```
root@csqa4-guest01 ca # vim caServerCert.cfg
root@csqa4-guest01 ca # systemctl start pki-tomcatd@rhcs94-CA-ssidhaye
root@csqa4-guest01 ca # pki -d /tmp/nssdb -c SECret.123 client-cert-request "CN=localhost2.com" --profile caServerCert
PKIException: Not valid for Name Constraints: 10.10.10.10
```

If a netmask is used, issuance fails.

```
root@csqa4-guest01 ca # pki -d /tmp/nssdb -c SECret.123 client-cert-request CN=localhost6.com --profile caServerCert
PKIException: Not valid for Subject Alternative Name: IPAddress:10.10.10.10,255.255.255.0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3195
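The Doc Text and the verification log above describe a context-dependent rule: an iPAddressName in a Subject Alternative Name is a bare address (4 or 16 octets), while an iPAddressName in a Name Constraints subtree is an address plus netmask (8 or 32 octets), and a value that does not fit its context must be rejected before a certificate is issued. The following Python is an added example written for this page, not pki-core code, that implements that check and produces the octets RFC 5280 (sections 4.2.1.6 and 4.2.1.10) puts in the iPAddress GeneralName. The function names, the `"san"`/`"nc"` context labels and the contiguous-netmask check are assumptions of this example; the page does not say whether pki-core enforces contiguity, only that a netmask is required for Name Constraints and rejected for SAN.

```python
"""Context-aware validation of iPAddressName profile values.

Added example, not pki-core code.  It models the behaviour the bug's
Doc Text and verification log describe: a Subject Alternative Name
takes a bare address, a Name Constraints subtree takes "address,netmask",
and a value that does not fit its context is rejected.  The octet
layouts (4/16 octets for SAN, 8/32 octets for Name Constraints) follow
RFC 5280 sections 4.2.1.6 and 4.2.1.10.  The contiguous-netmask check
is an added assumption: RFC 5280 describes constraint masks in CIDR
style, but the page does not say whether pki-core enforces this.
"""
import ipaddress

SAN = "san"   # Subject Alternative Name (assumed context label)
NC = "nc"     # Name Constraints permitted/excluded subtree (assumed label)


def _is_contiguous(mask):
    """True if the mask is a run of 1 bits followed by 0 bits (CIDR style)."""
    width = mask.max_prefixlen
    inverted = (~int(mask)) & ((1 << width) - 1)
    # A contiguous mask inverts to 2**k - 1, which has no bit in common with 2**k.
    return inverted & (inverted + 1) == 0


def encode_ip_general_name(value, context):
    """Validate an iPAddressName value for its context and return the
    octets that go into the iPAddress GeneralName.

    Raises ValueError with a message in the style of the PKIException
    text in the verification log.
    """
    parts = [p.strip() for p in value.split(",")]
    if context == SAN:
        if len(parts) != 1:
            raise ValueError(
                f"Not valid for Subject Alternative Name: IPAddress:{value}")
        # ip_address() rejects anything that is not an IPv4/IPv6 literal;
        # .packed is the network-byte-order octet string RFC 5280 wants.
        return ipaddress.ip_address(parts[0]).packed
    if context == NC:
        if len(parts) != 2:
            raise ValueError(f"Not valid for Name Constraints: {value}")
        addr = ipaddress.ip_address(parts[0])
        mask = ipaddress.ip_address(parts[1])
        if addr.version != mask.version:
            raise ValueError(
                f"Not valid for Name Constraints: address/netmask family mismatch: {value}")
        if not _is_contiguous(mask):  # added assumption, see module docstring
            raise ValueError(
                f"Not valid for Name Constraints: non-contiguous netmask: {value}")
        # Address followed by mask: 8 octets for IPv4, 32 for IPv6.
        return addr.packed + mask.packed
    raise ValueError(f"unknown context: {context!r}")


def validation_error(value, context):
    """Return None if value is acceptable in context, else the error message."""
    try:
        encode_ip_general_name(value, context)
    except ValueError as exc:
        return str(exc)
    return None


def check_profile_values(values):
    """Run every (value, context) pair through the validator.

    Returns a list of (value, context, error-or-None); a profile is usable
    only if every error is None.
    """
    return [(v, c, validation_error(v, c)) for v, c in values]


if __name__ == "__main__":
    # Constructed sample, mirroring the values in the verification log.
    sample = [
        ("10.10.10.10", SAN),
        ("10.10.10.10,255.255.255.0", NC),
        ("dead:beef:0:0:0:0:0:0,ffff:ffff:0:0:0:0:0:0", NC),
        ("10.10.10.10", NC),                 # netmask missing: rejected
        ("10.10.10.10,255.255.255.0", SAN),  # netmask not allowed: rejected
    ]
    for value, context, err in check_profile_values(sample):
        print(f"{context:>3} {value:45} -> {err or 'OK'}")
```

The two rejections at the end of the sample correspond to the two `PKIException` lines in the verification log: a bare address in a Name Constraints subtree and an address-with-netmask in the SAN. Encoding to octets rather than merely returning a boolean is what makes the length rule checkable downstream, since any consumer can verify the GeneralName is 4/16 octets in a SAN and 8/32 in a constraint.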