Bug 1584550
| Summary: | CRMFPopClient: unexpected behavior with -y option when values are specified | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Geetika Kapoor <gkapoor> |
| Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.3 | CC: | cfu, cpinjani, edewata, mharmsen, skhandel |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | cpinjani: needinfo-, pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.6-8040020210114180044.d4d99205 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 15:25:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Moved to RHEL 7.7.
I think this option has since been changed to the following:
-y <true|false> Add SubjectKeyIdentifier extension in case of CMC SharedSecret requests (default: false); To be used with 'request.useSharedSecret=true' when running CMCRequest.
- true: enabled
- false: disabled
However, looking at the code of CRMFPopClient.java, it says:
    boolean use_shared_secret = cmd.hasOption("y");
That means it's not taking "true" or "false"; it's determined by the presence of "-y".
I think the Usage text is the error that needs to be fixed.
Pull request: https://github.com/dogtagpki/pki/pull/3422
Checked in v10.10:
commit ef8ee5f9dd2db0458be5b6372dba05322aae3912
Author: Alexander Scheel <ascheel>
Date: Thu Jan 7 11:31:26 2021 -0500
Update usage for CRMFPopClient -y option
Signed-off-by: Alexander Scheel <ascheel>
Checked in master:
commit d9025c13333ff4010f9ee850a3034349e03481f4
Author: Alexander Scheel <ascheel>
Date: Thu Jan 7 11:31:26 2021 -0500
Update usage for CRMFPopClient -y option
Signed-off-by: Alexander Scheel <ascheel>
BZ verified on latest bits from the RHCS repo (we did pre-verification from the RHCS repo because the bits were not there in the development compose and we do not want to delay verification):

pki-ca noarch 10.10.3-1.module+el8pki+9457+b4dcf7f7 RHEL8.4-CERTSYS 1.0 M
pki-kra noarch 10.10.3-1.module+el8pki+9457+b4dcf7f7 RHEL8.4-CERTSYS 201 k
pki-server noarch 10.10.3-1.module+el8pki+9457+b4dcf7f7

Successful pipeline: https://gitlab.cee.redhat.com/skhandel/pki-pytest-ansible/-/jobs/2776695

Marking the BZ verified-tested.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:1775
Description of problem:

CRMFPopClient help says:

-y <true|false> Add SubjectKeyIdentifier extension in case of self-signed CMC requests (default: false)
- true: enabled
- false: disabled

CRMFPopClient generates SKID for any value supplied to -y. Even if -y is false, it generates the SKID.

Example:

Test Case 1:
------------
# CRMFPopClient -d /opt/pkitest/certdb -q POP_SUCCESS -p SECret.123 -o /tmp/cmc_request.csr -n CN=Testing,UID=TEsTinG,O=Test Certificate -y noskidneeded -h internal
Keypair private key id: 70ed4733417994b2a09c9244a365ef27b111de9f
CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension.
CryptoUtil: createKeyIdentifier: begins
Storing CRMF requrest into /tmp/cmc_request.csr

## Decode the csr and check for skid.

378  29:   [9] {
380  27:     SEQUENCE {
382   3:       OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
387  20:       OCTET STRING
       :         4C 21 2D F1 78 47 BA B1 B3 BF E6 EB 17 3B C2 25
       :         6D F4 D9 0D
       :       }
       :     }
       :   }

Test Case 2:
------------
# CRMFPopClient -d /opt/pkitest/certdb -q POP_SUCCESS -p SECret.123 -o /tmp/cmc_request.csr -n CN=Testing,UID=TEsTinG,O=Test Certificate -y false -h internal
Keypair private key id: 6e7fa47f78f81249b934a9b3c046307115acf9c9
CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension.
CryptoUtil: createKeyIdentifier: begins
Storing CRMF requrest into /tmp/cmc_request.csr

Version-Release number of selected component (if applicable): 10.5

How reproducible: always

Steps to Reproduce:
1. Send a CRMFPopClient request with the -y option with a value != true. It can be false as well.
2.
3.

Actual results:

Expected results:
Based on CRMFPopClient help output:
1. It should not accept any value other than true and false.
2. Also, when -y is false, it should not generate the SKID.

Additional info:
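
The mismatch between the `-y <true|false>` usage text and the `cmd.hasOption("y")` check quoted in the comments, shown as an added example that is not code from CRMFPopClient or the pki project. It assumes Apache Commons CLI (1.3 or later) is on the classpath and that `-y` is declared as taking one argument; the class and method names are hypothetical.

```java
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;

// Added illustration; SkidOptionDemo and its methods are hypothetical names.
public class SkidOptionDemo {

    // Assumption: -y takes one argument, as the "-y <true|false>" usage text implies.
    static Options options() {
        Options opts = new Options();
        opts.addOption(Option.builder("y").hasArg().argName("true|false").build());
        return opts;
    }

    // Presence-based reading, as in the quoted line: the value is never inspected,
    // so "-y false" and "-y noskidneeded" both enable the extension.
    static boolean presenceBased(CommandLine cmd) {
        return cmd.hasOption("y");
    }

    // Value-based reading matching the help text: default false, and only the
    // two documented literals are accepted.
    static boolean strict(CommandLine cmd) throws ParseException {
        String v = cmd.getOptionValue("y", "false");
        if (v.equals("true")) return true;
        if (v.equals("false")) return false;
        throw new ParseException("-y expects true or false, got: " + v);
    }

    public static void main(String[] args) throws ParseException {
        // Constructed inputs mirroring the -y values used in the two test cases.
        String[][] samples = { {}, {"-y", "true"}, {"-y", "false"}, {"-y", "noskidneeded"} };
        for (String[] argv : samples) {
            CommandLine cmd = new DefaultParser().parse(options(), argv);
            String strictResult;
            try {
                strictResult = String.valueOf(strict(cmd));
            } catch (ParseException e) {
                strictResult = "rejected (" + e.getMessage() + ")";
            }
            System.out.println("[" + String.join(" ", argv) + "] presence="
                    + presenceBased(cmd) + ", strict=" + strictResult);
        }
    }
}
```

Either reading is self-consistent; the defect reported here is that the help text promised the second while the code implemented the first.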