Bug 1588655

Summary: Cert validation for installation with external CA cert
Product: Red Hat Enterprise Linux 7
Reporter: Endi Sukma Dewata <edewata>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent
Version: 7.6
CC: edewata, ekeck, gkapoor, mharmsen
Target Milestone: rc
Keywords: TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pki-core-10.5.9-1.el7
Doc Type: No Doc Update
Doc Text: See Doc Text field in BZ#1588944.
Story Points: ---
Clone Of:
: 1588944 (view as bug list) Environment:
Last Closed: 2018-10-30 11:07:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1588944

Description Endi Sukma Dewata 2018-06-07 16:52:42 UTC
During installation with external CA cert, the cert is currently not properly validated, so an incorrect path might generate a misleading error message such as the following (see bug #1540924):

[01/Feb/2018:05:32:14][http-bio-29443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
        at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
        at
...

To simplify troubleshooting the problem the cert needs to be properly validated.

Steps to reproduce:

1. Run step 1 of installation with external CA cert (http://www.dogtagpki.org/wiki/Installing_CA_with_External_CA_Signing_Certificate)
2. Specify an invalid cert path such as pki_ca_signing_cert_path=wrong_path
3. Run step 2 of the installation

Actual result:

The installation failed with an unrelated message:
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.

Expected result:

The installation should fail with a more helpful message such as:
Invalid certificate path: pki_ca_signing_cert_path=wrong_path

The fix is already available in the 10.5 branch:
https://github.com/dogtagpki/pki/commit/313c701957bedfd59f7f6368d0c37d2928d1a4a1
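As an added example (not code from this bug or from pki-core), a pre-flight check of the kind the report asks for: it validates the configured `pki_ca_signing_cert_path` before any DER parsing runs, so a wrong path or a non-certificate file is reported in the administrator's terms instead of surfacing as a `DerInput.getLength()` exception from deep inside the profile code. The config key is the one named in the report; the function names, the message wording and the structural DER check are assumptions for illustration, not pki-core's own logic.

```python
import base64
import os
import re

CERT_PATH_KEY = "pki_ca_signing_cert_path"      # config key named in the bug report
_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one octet
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4:                   # indefinite form or absurdly large
        raise ValueError("lengthTag=%d, too big" % n)
    if pos + 1 + n > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def looks_like_x509_der(der):
    """Structural check only: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }."""
    try:
        if der[0] != 0x30:
            return False
        length, body = _der_length(der, 1)
        return body + length == len(der) and der[body] == 0x30
    except (IndexError, ValueError):
        return False

def check_cert_bytes(data):
    """Accept PEM or DER; return None if plausible, else a message for the admin."""
    m = _PEM_RE.search(data)
    if m:
        try:
            data = base64.b64decode(re.sub(rb"\s", b"", m.group(1)), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            return "Invalid certificate: PEM body is not valid base64"
    if not looks_like_x509_der(data):
        return "Invalid certificate: content is neither PEM nor DER X.509"
    return None

def validate_cert_path(config):
    """Return None if the configured file is usable, else a helpful message."""
    path = config.get(CERT_PATH_KEY, "")
    if not os.path.isfile(path):
        return "Invalid certificate path: %s=%s" % (CERT_PATH_KEY, path)
    with open(path, "rb") as f:           # hypothetical: real code would also check permissions
        return check_cert_bytes(f.read())
```

Run as `validate_cert_path({"pki_ca_signing_cert_path": "wrong_path"})` to see the message the report asks for; a full parse with a real X.509 library would follow this check, not replace it.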

Comment 8 Matthew Harmsen 2018-06-26 01:54:26 UTC
QE Test Verification

https://bugzilla.redhat.com/show_bug.cgi?id=1588944#c5

Comment 9 Geetika Kapoor 2018-08-16 12:39:43 UTC
rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch

Manually verified. Performed steps from https://bugzilla.redhat.com/show_bug.cgi?id=1588944#c5

Comment 11 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195