Bug 1572057

Summary: pki pkcs12 cli import export issues.
Product: Red Hat Enterprise Linux 8
Reporter: Amol K <akahat>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED UPSTREAM
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: ascheel, mharmsen
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-03-15 18:06:40 UTC
Type: Bug

Description Amol K 2018-04-26 05:43:26 UTC
Description of problem:
pki pkcs12 cli import and export issues. 


Version-Release number of selected component (if applicable):
10.5.1-11.el7

How reproducible:
Always

Steps to Reproduce:
1. pki pkcs12-export with --no-chain is exporting the chain.
```
root@pki1 # pki -d /opt/pki/certdb/ -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 --no-chain 
---------------
Export complete
---------------

root@pki1 # pki pkcs12-cert-find --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 
---------------
2 entries found
---------------
  Certificate ID: ad448d4a22ef1ea7ba074701a116bda6d34ef79f
  Serial Number: 0x6
  Nickname: PKI CA Administrator for Example.Org
  Subject DN: CN=PKI Administrator,E=caadmin,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: bb7f1fff70ac0648925bc1c12caf013e6f8b100a
  Serial Number: 0x1
  Nickname: CA
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: CT,C,C
  Has Key: false
```

Here the CA certificate is not expected.

2. If we import the above /tmp/all_certs.p12 file into the database, it will show no trust for the CA certificate.

```
root@pki1 # certutil -L -d /tmp/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
CA   
```

3. pkcs12-export with --no-key exports keys to the p12 file.
```
root@pki1 # pki -d /opt/pki/certdb -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 --no-key "PKI CA Administrator for Example.Org"
---------------
Export complete
---------------

root@pki1 # pki -d /tmp/nssdb -c Secret123 client-init --force                                                             
------------------
Client initialized
------------------

root@pki1 # pki -d /tmp/nssdb -c Secret123 client-cert-import --pkcs12 /tmp/all_cert.p12 --pkcs12-password Secret123                                                      
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------

root@pki1 # certutil -L -d /tmp/nssdb 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
CA                                                           ,,   
```

It is exporting keys in the p12 file.

4. It shows a success message for invalid certs.

```
pki -d /opt/pki/certdb -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 "DJFLSDJFLSDKJFLDSKJF"
---------------
Export complete
---------------
```


Actual results:
1. It exports the CA certificate with the --no-chain option.
2. It does not import the trust flags as per the pkcs12 file.
3. It exports the private key with the --no-key option.
4. It shows an "Export complete" message for an invalid certificate nick.
 

Expected results:
1. It should not export the CA certificate with the --no-chain option.
2. It should import trust flags as per the pkcs12 file.
3. It should not export the private key with the --no-key option.
4. It should throw an error for an invalid certificate nick.


Additional info:
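
As an added example (not part of the bug report or of the pki project's code), a small Python audit that parses `pki pkcs12-cert-find` output and flags the three mismatches reported above: a private key present after `--no-key`, a CA certificate present after `--no-chain`, and a requested nickname missing from the file despite "Export complete". The sample listing is constructed from the report's own output (serial numbers omitted); the field names are the ones the tool prints there, and the CA heuristic (self-signed subject or a "C" trust flag) is an assumption of this example.

```python
import re

# Constructed sample input: the two entries listed in the bug report (serial numbers omitted).
SAMPLE_LISTING = """\
  Certificate ID: ad448d4a22ef1ea7ba074701a116bda6d34ef79f
  Nickname: PKI CA Administrator for Example.Org
  Subject DN: CN=PKI Administrator,E=caadmin,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: bb7f1fff70ac0648925bc1c12caf013e6f8b100a
  Nickname: CA
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: CT,C,C
  Has Key: false
"""

def parse_listing(text):
    """Turn the indented 'Field: value' blocks into one dict per certificate."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+): ?(.*)$", line)
        if not m:
            continue  # banners such as '2 entries found' and dashed rules carry no fields
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Certificate ID":  # first field of every block starts a new entry
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries

def audit(entries, requested_nicks=None, no_chain=False, no_key=False):
    """Return findings where the file contents contradict the options given to pkcs12-export."""
    findings = []
    for e in entries:
        nick = e.get("Nickname", "?")
        if no_key and e.get("Has Key") == "true":
            findings.append(f"{nick}: private key present despite --no-key")
        # Assumed heuristic: a self-signed subject or a 'C' (trusted CA) flag marks an issuer cert.
        is_ca = e.get("Subject DN") == e.get("Issuer DN") or "C" in e.get("Trust Flags", "").split(",")[0]
        if no_chain and is_ca and nick not in (requested_nicks or []):
            findings.append(f"{nick}: CA certificate present despite --no-chain")
    for nick in requested_nicks or []:
        if nick not in {e.get("Nickname") for e in entries}:
            findings.append(f"{nick}: requested nickname missing from export despite 'Export complete'")
    return findings
```

Run it against the listing of a freshly exported file (for example the output of the `pkcs12-cert-find` call in step 1) with the same options that were passed to `pkcs12-export`; an empty result means the file matches what was asked for.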

Comment 2 Matthew Harmsen 2018-07-04 00:39:28 UTC
Moved to RHEL 7.7.