Bug 1580394

Summary: CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC
Product: Red Hat Enterprise Linux 7 Reporter: Geetika Kapoor <gkapoor>
Component: pki-coreAssignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: high Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high    
Version: 7.5CC: cfu, mharmsen, msauton
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---Flags: mmuehlfe: needinfo? (cfu)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.9-1.el7 Doc Type: Bug Fix
Doc Text:
CMC CRMF requests using ECC keys work correctly Previously, during verification, Certificate System encoded the ECC public key incorrectly in CMC Certificate Request Message Format (CRMF) requests. As a consequence, requesting an ECC certificate with Certificate Management over CMS (CMC) in CRMF failed. The problem has been fixed, and as a result, CMC CRMF requests using ECC keys work as expected.
Story Points: ---
Clone Of:
: 1585945 (view as bug list) Environment:
Last Closed: 2018-10-30 11:07:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1585945    

Description Geetika Kapoor 2018-05-21 12:17:25 UTC
Description of problem:

Test case 1: self-signed cases whenever cmc.cfg file has request.selfSign=true , and signing algorithm is EC( as in crmfpopclient cli we use -a ec) throws org.mozilla.jss.crypto.InvalidKeyFormatException. 

1.CRMFPopClient -d /root/help -p SECret.123 -n UID=testuser1self-Test1 -q POP_SUCCESS  -b /root/transport.pem -a ec -t false -y  -w "AES/CBC/PKCS5Padding" -o crmf2.req
2. Run CMCRequest file with request.selfSign=true.
3. Run HttpClient.Below are the debug logs

[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCUserSignedAuth: authenticate: signing key alg=EC
[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCUserSignedAuth: authenticate: org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding
[04/May/2018:07:25:41][http-bio-20443-exec-16]: SignedAuditLogger: event CMC_USER_SIGNED_REQUEST_SIG_VERIFY
[04/May/2018:07:25:41][http-bio-20443-exec-16]: ProfileSubmitCMCServlet: authenticate: org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding
[04/May/2018:07:25:41][http-bio-20443-exec-16]: SignedAuditLogger: event AUTH
[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCOutputTemplate: getContentInfo: begins
[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCOutputTemplate: getContentInfo:  - done
[04/May/2018:07:25:41][http-bio-20443-exec-16]: SignedAuditLogger: event CMC_RESPONSE_SENT
[04/May/2018:07:25:41][http-bio-20443-exec-16]: ProfileSubmitCMCServlet: authentication error org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding



Version-Release number of selected component (if applicable):

7.5 update 1

How reproducible:

always

Steps to Reproduce:
1.Install ECC RootCA.
2.Run CRMFPopClient -d /root/help -p SECret.123 -n UID=testuser1self-Test1 -q POP_SUCCESS  -b /root/transport.pem -a ec -t false -y  -w "AES/CBC/PKCS5Padding" -o crmf2.req
3. Make sure it's for self signed and -a is ec in crmfpopclient

Actual results:

Failures caused due to:

[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCUserSignedAuth: authenticate: org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding



Expected results:

Should work.

Additional info:

In Case we have signing algorithm as RSA in crmfpopclient,it works.
=====================================================

CRMFPopClient -d /root/help -p SECret.123 -n UID=testuser1self-Test1 -q POP_SUCCESS -b /root/transport.pem -y -w "AES/CBC/PKCS5Padding" -o crmf2.req

[04/May/2018:07:40:57][http-bio-20443-exec-17]: CMCUserSignedAuth: authenticate: signing key alg=RSA
[04/May/2018:07:40:57][http-bio-20443-exec-17]: CMCUserSignedAuth: authenticate: public key retrieved
[04/May/2018:07:40:57][http-bio-20443-exec-17]: CMCUserSignedAuth: verifySelfSignedCMC: begins

Comment 3 Christina Fu 2018-06-04 22:46:44 UTC
commit 33f532f435672e712c041e17ed8597bf96d30526 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu@redhat.com>
Date:   Mon Jun 4 11:03:20 2018 -0700

    Ticket 3028 additional error checking
    
    Change-Id: If660fabd21b9992416dd1d5463b6ffd68fa1bf43

commit bd9365250ac1f98505823d7d47476b5f814cfb58
Author: Christina Fu <cfu@redhat.com>
Date:   Mon Jun 4 10:53:12 2018 -0700

    Ticket 3028 CMC CRMF request results in InvalidKeyFormatException when signing algorithm is ECC
    
    This patch fixes the issue where in case of CRMF request with ECC keys the
    public key was encoded incorrectly previously.
    
    The fix was done in a way that RSA portion is unaffected.
    
    Fixes https://pagure.io/dogtagpki/issue/3028
    
    Change-Id: I3eb62638f2970dc7a9df37abb19015bd287b383d

Comment 8 Matthew Harmsen 2018-06-26 01:27:22 UTC
QE Test Verification:

https://bugzilla.redhat.com/show_bug.cgi?id=1585945#c3

Comment 9 Geetika Kapoor 2018-08-17 20:33:05 UTC
Test Env:

# rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch


Test Case:

1. CRMFPopClient key archival works for self-signed(ECC).
2. CRMFPopClient key archival works for user-signed(ECC).

Comment 11 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195