Bug 1579202

Summary: JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: jss
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.6
CC: cfu, gkapoor, jmagne, mharmsen, msauton
Target Milestone: rc
Keywords: TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jss-4.4.0-12.el7_5
Doc Type: Bug Fix
Doc Text:
Previously, the ECDSA with SHA* signature Algorithm ID in Java Security Services (JSS) allowed for a NULL parameter. As a consequence, the certificates did not conform to RFC 5758. The problem has been fixed. As a result, JSS works as expected.
Story Points: ---
Clone Of: 1575725
Environment:
Last Closed: 2018-06-26 16:52:16 UTC
Type: ---
Bug Depends On: 1575725    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-05-17 07:20:12 UTC
This bug has been copied from bug #1575725 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-05-21 18:18:01 UTC
commit a8e371e54b009159e9e3a0d198bd5eb3ed68ac22 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu>
Date:   Tue May 15 14:58:07 2018 -0700

    Ticket 3 JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier
    This ticket addresses the issue to meet RFC 5758 where param field must be omitted
    in the ECDSA Signature algorithm's AlgorithmIdentifier for
    ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512.
    
    fixes https://pagure.io/jss/issue/3
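
The commit message above requires the parameters field to be omitted for the four ECDSA-with-SHA2 signature algorithms (RFC 5758). The following check is an added example, not part of this bug report or of the JSS code: a stdlib-only Python DER walker that reports, for each such AlgorithmIdentifier found in a structure, whether its parameters are absent, NULL or something else. The function names and the sample bytes are constructed for illustration.

```python
# Added example: flag ECDSA-with-SHA2 AlgorithmIdentifiers that carry parameters.
PREFIX = bytes.fromhex("2a8648ce3d0403")  # OID content octets of 1.2.840.10045.4.3
ECDSA_SHA2 = {PREFIX + bytes([i]): f"ecdsa-with-SHA{h}"
              for i, h in enumerate((224, 256, 384, 512), start=1)}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos (single-byte tags only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def scan(der, found=None):
    """Return [(name, state)] per ECDSA-with-SHA2 AlgorithmIdentifier; RFC 5758 wants 'absent'."""
    found = [] if found is None else found
    for tag, val in children(der):
        if not tag & 0x20:          # primitive: nothing to descend into
            continue
        kids = children(val)
        if tag == 0x30 and kids and kids[0][0] == 0x06 and kids[0][1] in ECDSA_SHA2:
            state = "absent" if len(kids) == 1 else (
                "NULL" if kids[1] == (0x05, b"") else "other")
            found.append((ECDSA_SHA2[kids[0][1]], state))
        else:
            scan(val, found)        # keep walking nested SEQUENCE/SET/[n] values
    return found

# Constructed sample: an outer SEQUENCE holding a conforming and a NULL-parameter encoding.
OID = bytes.fromhex("06082a8648ce3d040302")          # ecdsa-with-SHA256
OMITTED = bytes.fromhex("300a") + OID
WITH_NULL = bytes.fromhex("300c") + OID + bytes.fromhex("0500")
SAMPLE = bytes([0x30, len(OMITTED + WITH_NULL)]) + OMITTED + WITH_NULL
```

Passing the DER bytes of a certificate or CSR to `scan` lists every ECDSA-with-SHA2 AlgorithmIdentifier it contains; any state other than `absent` is the encoding this bug describes.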

Comment 3 Matthew Harmsen 2018-05-21 20:31:38 UTC
Christina Fu 2018-05-15 18:51:47 EDT

Test procedure:
Note, this could be tested with https://bugzilla.redhat.com/show_bug.cgi?id=1547802
No need to test it twice.

See the following for test procedure:
https://bugzilla.redhat.com/show_bug.cgi?id=1547802#c2

Comment 5 Geetika Kapoor 2018-06-15 08:47:24 UTC
Hi Christina,

We have recently moved BZ https://bugzilla.redhat.com/show_bug.cgi?id=1581382 for review and investigation. Since this bug depends on BZ 1581382, what should I do with this Bugzilla?

Thanks,
Geetika

Comment 6 Christina Fu 2018-06-15 22:53:42 UTC
change of plan:
https://bugzilla.redhat.com/show_bug.cgi?id=1581382#c13

Comment 7 Asha Akkiangady 2018-06-15 23:15:55 UTC
Marking the bug verified as per comment #6.

Comment 9 Christina Fu 2018-06-21 23:29:26 UTC
Marc, in response to your email...
"allows for NULL parameter" has to do with the data structure of the AlgorithmID.

I don't think it means anything to most people.  Maybe it's too much detail to even try to add doc text for such a low-level routine.
I suggest we just leave the doc text as is.
btw, I just noticed one copy/paste error earlier when I switched words around.  I have corrected it.

Comment 11 errata-xmlrpc 2018-06-26 16:52:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1989