Bug 1553068

Summary: Using a Netmask produces an odd entry in a certificate [rhel-7.5.z]

Field | Value
---|---
Product | Red Hat Enterprise Linux 7
Reporter | Oneata Mircea Teodor <toneata>
Component | pki-core
Assignee | Fraser Tweedale <ftweedal>
Status | CLOSED ERRATA
QA Contact | Asha Akkiangady <aakkiang>
Severity | urgent
Docs Contact | Marc Muehlfeld <mmuehlfe>
Priority | urgent
Version | 7.4
CC | afarley, ftweedal, mharmsen, msauton, ssidhaye
Target Milestone | rc
Keywords | TestCaseProvided, ZStream
Hardware | All
OS | Linux
Fixed In Version | pki-core-10.5.1-14.el7_5
Doc Type | Bug Fix
Clone Of | 1538311
Bug Depends On | 1538311
Last Closed | 2018-08-16 14:20:17 UTC
Attachments | 1426995 (caServerCert profile config), 1426996 (CA debug log)

Doc Text:

Previously, Certificate System insufficiently validated values set in iPAddressName fields. If an invalid value was set, the server incorrectly issued certificates that contained this value. With this update, Certificate System validates iPAddressName values in profile configurations according to the context, such as Subject Alternative Name (SAN) or name constraints extensions. As a result, the server no longer issues certificates with invalid iPAddressName values.
Description
Oneata Mircea Teodor
2018-03-08 08:39:03 UTC
Pushed to `DOGTAG_10_5_BRANCH`:

* f14d46f0a IPAddressName: refactoring
* 180b76c98 Check validity of Subject/Issuer Alt Names and Name Constraints
* 487097a4d GeneralNameInterface: methods for checking name validity
* 58658a75a parseGeneralName: properly parse iPAddress GN with netmask
* fca1cbda2 IPAddressName: remove unused getLength method

Verification procedure:

Configure a profile with the following snippet (change the index / prefixes as appropriate):

```
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=nameConstraintsExtDefaultImpl
policyset.serverCertSet.13.default.name=Name Constraints Extension Default
policyset.serverCertSet.13.default.params.nameConstraintsCritical=true
policyset.serverCertSet.13.default.params.nameConstraintsNumPermittedSubtrees=0
policyset.serverCertSet.13.default.params.nameConstraintsNumExcludedSubtrees=4
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_0=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_0=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_0=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_0=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_1=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_1=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_1=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_1=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_2=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_2=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_2=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_2=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_3=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_3=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_3=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_3=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff::
```

Make sure the index (`13` in the snippet above) is referenced in the policy set `list` config, e.g.:

```
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12,13
```

Now, when a certificate is issued using that profile, issuance should succeed. The configured values should appear in the Name Constraints extension.

Then modify the profile, making one of these a plain IP address (no netmask, e.g. "10.10.10.10"). Issuance should fail (because netmask is required for Name Constraints extension).

Similarly, configure a SubjectAltNameExtDefault configuration with IPAddress names. Only this time, ensure that plain IP address values (IPv4 or IPv6) are ACCEPTED, and values with netmask are REJECTED (netmask is prohibited in the Subject Alt Name extension).

Hope this assists in verifying the ticket!
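The acceptance rule in the verification procedure (netmask required in Name Constraints, prohibited in Subject Alt Name) and the two netmask syntaxes it uses (CIDR prefix length and comma-separated mask) can be checked outside the CA before a profile is deployed. The following Python is an added example written for this page, not Dogtag's IPAddressName code: it parses a profile value into an address and optional mask with the standard library `ipaddress` module, applies the per-extension rule, and returns the octet string that would be carried in the iPAddress GeneralName, whose length RFC 5280 fixes at 4 or 16 octets in a SAN and 8 or 32 octets (address followed by mask) in Name Constraints. The context names `SubjectAltName` and `NameConstraints`, the function names and the error strings are this example's own, modelled on the `PKIException` text shown later in this bug.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Contexts in which an iPAddress GeneralName may appear (names chosen for this example).
SUBJECT_ALT_NAME = "SubjectAltName"   # plain address only
NAME_CONSTRAINTS = "NameConstraints"  # address plus mask required


@dataclass(frozen=True)
class IPAddressName:
    """An iPAddress GeneralName: an address and, for Name Constraints, a netmask."""
    address: IPAddr
    netmask: Optional[IPAddr] = None

    def __str__(self) -> str:
        # Render as "address,mask", the form the CA prints in the Name Constraints
        # dump; Python compresses IPv6 zero runs where the Java output expands them.
        if self.netmask is None:
            return str(self.address)
        return f"{self.address},{self.netmask}"

    def octets(self) -> bytes:
        """Content of the iPAddress OCTET STRING: address, then mask if present."""
        raw = self.address.packed
        if self.netmask is not None:
            raw += self.netmask.packed
        return raw


def parse_ip_address_name(value: str) -> IPAddressName:
    """Parse the profile syntaxes 'addr', 'addr/prefixlen' and 'addr,mask'."""
    value = value.strip()
    if "/" in value:
        addr_s, plen_s = value.split("/", 1)
        address = ipaddress.ip_address(addr_s)
        # strict=False keeps host bits (the profile uses 10.10.10.10/24, not
        # 10.10.10.0/24); an out-of-range prefix length still raises ValueError.
        network = ipaddress.ip_network(f"{address}/{int(plen_s)}", strict=False)
        return IPAddressName(address, network.netmask)
    if "," in value:
        addr_s, mask_s = value.split(",", 1)
        address = ipaddress.ip_address(addr_s)
        netmask = ipaddress.ip_address(mask_s)
        if address.version != netmask.version:
            raise ValueError(f"address and mask are different IP versions: {value}")
        return IPAddressName(address, netmask)
    return IPAddressName(ipaddress.ip_address(value))


def validate_for_context(value: str, context: str) -> IPAddressName:
    """Apply the per-extension rule; raise ValueError with a CA-style message."""
    if context not in (SUBJECT_ALT_NAME, NAME_CONSTRAINTS):
        raise ValueError(f"unknown context: {context}")
    name = parse_ip_address_name(value)
    if context == SUBJECT_ALT_NAME and name.netmask is not None:
        raise ValueError(f"Not valid for Subject Alternative Name: IPAddress:{value}")
    if context == NAME_CONSTRAINTS and name.netmask is None:
        raise ValueError(f"Not valid for Name Constraints: IPAddress:{value}")
    # Cross-check the encoded length against RFC 5280 (4/16 for SAN, 8/32 for NC).
    expected = {SUBJECT_ALT_NAME: (4, 16), NAME_CONSTRAINTS: (8, 32)}[context]
    assert len(name.octets()) in expected
    return name


def is_valid_for(value: str, context: str) -> bool:
    """True if the CA should accept this profile value in the given extension."""
    try:
        validate_for_context(value, context)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample values taken from the verification procedure above.
    samples = ["10.10.10.10/24", "10.10.10.10,255.255.255.0",
               "dead:beef::1/128", "dead:beef::,ffff:ffff::",
               "10.10.10.10", "dead:beef::"]
    for ctx in (NAME_CONSTRAINTS, SUBJECT_ALT_NAME):
        for v in samples:
            verdict = "ACCEPT" if is_valid_for(v, ctx) else "REJECT"
            print(f"{ctx:16} {v:28} {verdict}")
```

Running the script lists each of the four Name Constraints values from the snippet as accepted for Name Constraints and rejected for Subject Alt Name, and the two plain addresses the other way round, which is exactly the split the procedure asks QE to confirm. Feeding it a candidate profile's `NameValue_N` entries before committing the profile catches mismatched IP versions and out-of-range prefix lengths, which the CA would otherwise only report at approval time.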
add doc text

Build used for verification:

```
root@csqa4-guest01 ~ # rpm -qi pki-server
Name        : pki-server
Version     : 10.5.1
Release     : 11.el7
Architecture: noarch
Install Date: Wednesday 18 April 2018 01:47:36 AM EDT
Group       : System Environment/Base
Size        : 4839482
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.5.1-11.el7.src.rpm
Build Date  : Monday 09 April 2018 09:01:11 PM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Server Framework
Description :
```

After making modifications to profile mentioned in comment #4, certificate request succeeds but approval fails. I am attaching the profile configuration and CA debug log for reference. Hence marking bugzilla failedQA.

Created attachment 1426995 [details]
caServerCert profile config

Created attachment 1426996 [details]
CA debug log
I've got a reproducer. It looks like a pre-existing issue but I'll try and get a fix done soon because it's blocking QA.

Gerrit review to fix more issues uncovered during QE: https://review.gerrithub.io/#/c/dogtagpki/pki/+/412715.

More commits, to fix issues discovered during QE, have been pushed to upstream DOGTAG_10_5_BRANCH:

- a796f490b4c8aeea228195dacc3843cabe56b3ac IPAddressName: fix toString method
- adb1810ddbeb30014b9ad192118bbf7ee1efd595 Handle empty NameConstraints subtrees when reading extension

Moving to POST.

New gerrit reviews for fix:

- master: https://review.gerrithub.io/c/dogtagpki/pki/+/415271
- DOGTAG_10_5_BRANCH: https://review.gerrithub.io/c/dogtagpki/pki/+/415273

New upstream commit on DOGTAG_10_5_BRANCH:

* a85486cfc (origin/DOGTAG_10_5_BRANCH) IPAddressName: fix construction from String

Moving to POST.

Build used for verification:

```
[root@wolverine ~]# pki --version
PKI Command-Line Interface 10.5.1-14.el7_5
```

Followed steps mentioned in: https://bugzilla.redhat.com/show_bug.cgi?id=1553068#c4
After adding the Name Constraints issuance succeeds and the configured values appear in the Name Constraints Extension:

```
[root@wolverine ~]# pki cert-show 0xd --pretty
-----------------
Certificate "0xd"
-----------------
  Serial Number: 0xd
  Subject DN: CN=localhost2.com
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Status: VALID
  Not Valid Before: Thu Jul 19 00:18:22 EDT 2018
  Not Valid After: Wed Jul 17 00:18:22 EDT 2024
  Certificate:
    Data:
        Version: v3
        Serial Number: 0xD
        Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
        Validity:
            Not Before: Thursday, July 19, 2018 12:18:22 AM EDT America/New_York
            Not After: Wednesday, July 17, 2024 12:18:22 AM EDT America/New_York
        Subject: CN=localhost2.com
        Subject Public Key Info:
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key:
                Exponent: 65537
                Public Key Modulus: (1024 bits) :
                    B5:EF:B2:81:9A:EF:63:2E:28:62:21:0E:72:A1:EA:B3:
                    85:70:0D:DD:6E:2B:00:B7:A1:05:8A:41:86:91:E7:56:
                    0F:81:D5:49:07:7C:1B:F7:0C:47:EF:45:F9:AF:10:EF:
                    96:AB:E7:67:2F:7E:76:9F:58:D8:7D:C4:52:F5:0E:BC:
                    BC:18:E4:FF:07:4E:D2:06:8B:67:BC:97:D8:F4:7A:1B:
                    55:2B:DC:F8:6C:BB:9D:C8:6F:61:0D:D6:DB:7E:FF:A4:
                    69:4F:9D:00:1B:24:29:6F:90:13:F2:3C:61:53:BF:56:
                    84:45:B7:57:D6:D5:59:F6:B1:1D:C1:33:E4:17:82:8B
        Extensions:
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no
                Key Identifier:
                    4D:BE:72:BC:29:38:86:44:71:AD:3E:04:C2:C1:5F:F1:
                    5B:08:CF:3D
            Identifier: Subject Key Identifier - 2.5.29.14
                Critical: no
                Key Identifier:
                    3A:30:98:F3:E6:33:F8:88:69:DA:9E:9A:AA:B9:25:51:
                    9E:6B:09:45
            Identifier: Key Usage: - 2.5.29.15
                Critical: yes
                Key Usage:
                    Key CertSign
                    Crl Sign
            Identifier: Extended Key Usage: - 2.5.29.37
                Critical: no
                Extended Key Usage:
                    1.3.6.1.5.5.7.3.1
            Identifier: Basic Constraints - 2.5.29.19
                Critical: yes
                Is CA: yes
                Path Length Constraint: 0
            Identifier: Name Constraints - 2.5.29.30
                Critical: yes
                GeneralSubtrees:
                    Permitted:
                        GeneralSubtree: [
                            GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                            Minimum: 0
                            Maximum: undefined]
                    Excluded:
                        GeneralSubtree: [
                            GeneralName: IPAddress: dead:beef:0:0:0:0:0:1,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                            Minimum: 0
                            Maximum: undefined]
                        GeneralSubtree: [
                            GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                            Minimum: 0
                            Maximum: undefined]
                        GeneralSubtree: [
                            GeneralName: IPAddress: dead:beef:0:0:0:0:0:0,ffff:ffff:0:0:0:0:0:0
                            Minimum: 0
                            Maximum: undefined]
            Identifier: CRL Distribution Points - 2.5.29.31
                Critical: no
                Number of Points: 1
                Point 0
                    Distribution Point: [URIName: http://localhost.crl]
    Signature:
        Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Signature: [signature bytes not preserved in this copy of the comment]
    FingerPrint:
        MD2: 30:34:1B:E2:D5:3D:C0:94:8C:72:14:09:4E:06:ED:C7
        MD5: 2D:BB:A9:6F:8A:32:6F:55:40:86:58:E6:3D:EC:A9:E0
        SHA-1: 6B:8F:C3:D7:A3:91:CD:58:35:FB:12:91:84:23:BE:2B:
               84:15:E3:C9
        SHA-256: 44:B2:1A:A9:3B:C8:A3:87:C6:2A:E3:28:AB:CF:AD:7E:
                 5D:F8:8F:2B:09:18:54:BF:7D:81:E6:26:36:4E:1F:26
        SHA-512: 0B:05:1E:25:52:65:D1:8C:4D:AC:96:04:76:2D:BE:CF:
                 2A:50:10:97:12:9A:E4:6E:08:2A:0D:37:11:62:34:E6:
                 A5:E1:F9:13:7C:FB:66:C5:AB:4E:A7:24:61:F5:0A:1A:
                 56:05:65:DF:09:30:AB:FD:CE:7B:B1:B9:0E:F1:E6:9D
[root@wolverine ~]#
```

and after Subject Alt Name extension, issuance succeeds when using IPV4 / IPV6 and the configured values appear in the extension.

```
[root@wolverine ~]# pki cert-show 0x10 --pretty
------------------
Certificate "0x10"
------------------
  Serial Number: 0x10
  Subject DN: CN=localhost8.com
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Status: VALID
  Not Valid Before: Thu Jul 19 00:39:05 EDT 2018
  Not Valid After: Wed Jul 17 00:39:05 EDT 2024
  Certificate:
    Data:
        Version: v3
        Serial Number: 0x10
        Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
        Validity:
            Not Before: Thursday, July 19, 2018 12:39:05 AM EDT America/New_York
            Not After: Wednesday, July 17, 2024 12:39:05 AM EDT America/New_York
        Subject: CN=localhost8.com
        Subject Public Key Info:
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key:
                Exponent: 65537
                Public Key Modulus: (1024 bits) :
                    B9:6B:7B:68:D5:9B:05:77:3F:C0:D1:B5:44:37:34:28:
                    F7:24:C7:3A:D3:F0:11:28:F9:5C:38:E7:40:72:62:78:
                    36:3A:28:91:78:CE:6E:3C:45:C0:B9:BB:22:61:53:20:
                    AE:F3:A7:AC:7D:8B:1E:CD:9D:5E:7A:D8:F3:BD:6F:02:
                    E9:2B:47:9A:09:DB:E9:6B:4C:6A:29:75:9A:BE:CC:B9:
                    8B:F6:F1:84:16:CC:AA:9F:17:83:D7:E0:D2:F1:89:E9:
                    7B:34:D6:A5:D0:E3:26:6C:32:79:6E:18:7F:4C:86:3D:
                    44:E0:B3:5D:F3:49:1F:47:9A:C6:FE:7C:AA:86:95:F7
        Extensions:
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no
                Key Identifier:
                    4D:BE:72:BC:29:38:86:44:71:AD:3E:04:C2:C1:5F:F1:
                    5B:08:CF:3D
            Identifier: Subject Key Identifier - 2.5.29.14
                Critical: no
                Key Identifier:
                    3F:C4:45:A5:F6:D4:C3:22:FE:43:9E:5B:BF:97:5A:59:
                    9F:B5:DC:96
            Identifier: Key Usage: - 2.5.29.15
                Critical: yes
                Key Usage:
                    Key CertSign
                    Crl Sign
            Identifier: Extended Key Usage: - 2.5.29.37
                Critical: no
                Extended Key Usage:
                    1.3.6.1.5.5.7.3.1
            Identifier: Basic Constraints - 2.5.29.19
                Critical: yes
                Is CA: yes
                Path Length Constraint: 0
            Identifier: Name Constraints - 2.5.29.30
                Critical: yes
                GeneralSubtrees:
                    Permitted:
                        GeneralSubtree: [
                            GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                            Minimum: 0
                            Maximum: undefined]
                    Excluded:
                        GeneralSubtree: [
                            GeneralName: IPAddress: dead:beef:0:0:0:0:0:1,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                            Minimum: 0
                            Maximum: undefined]
                        GeneralSubtree: [
                            GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                            Minimum: 0
                            Maximum: undefined]
                        GeneralSubtree: [
                            GeneralName: IPAddress: dead:beef:0:0:0:0:0:0,ffff:ffff:0:0:0:0:0:0
                            Minimum: 0
                            Maximum: undefined]
            Identifier: CRL Distribution Points - 2.5.29.31
                Critical: no
                Number of Points: 1
                Point 0
                    Distribution Point: [URIName: http://localhost.crl]
            Identifier: Subject Alternative Name - 2.5.29.17
                Critical: yes
                Value:
                    IPAddress: dead:beef:0:0:0:0:0:0
    Signature:
        Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
        Signature: [signature bytes not preserved in this copy of the comment]
    FingerPrint:
        MD2: 3D:2C:CD:26:0C:31:16:44:A6:0F:DB:29:A7:86:9F:BB
        MD5: 38:1C:F9:DD:4F:2C:C5:BC:CD:11:8B:1A:66:50:F7:C7
        SHA-1: 1E:2D:22:72:87:3E:4C:9C:57:6B:75:FD:27:7C:08:C4:
               D8:D9:D3:C2
        SHA-256: 60:78:78:D0:9E:59:9F:D0:A8:8E:2F:48:21:0F:33:40:
                 D1:BB:F7:EF:5F:91:E9:00:EC:87:41:9F:46:29:FB:2D
        SHA-512: 5F:5D:0D:52:BA:CA:27:7D:7F:67:E0:B7:0F:4E:12:74:
                 8B:BA:C1:DB:41:C9:04:12:30:15:29:B9:63:96:26:A6:
                 A9:87:0D:D6:3A:D1:11:9F:87:BD:85:9E:01:E0:11:59:
                 AA:6E:07:77:64:5E:C5:38:D7:B8:81:A2:C7:99:37:EC
```

If a netmask is used issuance fails.

```
[root@wolverine ~]# pki -d /tmp/nssdb -c SECret.123 client-cert-request CN=localhost6.com --profile caServerCert
PKIException: Not valid for Subject Alternative Name: IPAddress:10.10.10.10,255.255.255.0
[root@wolverine ~]# pki -d /tmp/nssdb -c SECret.123 client-cert-request CN=localhost7.com --profile caServerCert
PKIException: Not valid for Subject Alternative Name: IPAddress:dead:beef::1/128
```

Fraser, I just need a confirmation whether a value "dead:beef::1/128" should be accepted in Subject Alternative Name extension. Rest looks good.

Sumedh, thanks for the info. dead:beef::1/128 specifies IP address with CIDR netmask (/128), so this value should be _rejected_ for SAN and _accepted_ for Name Constraints. So the behaviour detailed above seems correct to me.

HTH,
Fraser

As per verification in #c31, marking the bugzilla verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2306