Bug 1588944

Summary: Cert validation for installation with external CA cert [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: pki-coreAssignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 7.6CC: edewata, ekeck, gkapoor, mharmsen
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.1-13.1.el7_5 Doc Type: Bug Fix
Doc Text:
The *pkispawn* utility now validates the path to external CA certificates during installation Previously, during the installation of Certificate System using an external certificate authority certificate, the *pkispawn* utility did not validate the path to the certificate. If the path was incorrect, the following error was logged in the CA's debug log: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big. With this update, *pkispawn* validates the path to the certificate. As a result, *pkispawn* now reports a meaningful error message.
 Story Points: ---
Clone Of: 1588655 Environment:
Last Closed: 2018-06-26 16:47:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1588655    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-06-08 07:28:24 UTC 
This bug has been copied from bug #1588655 and has been proposed to be backported to 7.5 z-stream (EUS).
Comment 2 Matthew Harmsen 2018-06-08 15:49:29 UTC 
Endi Sukma Dewata 2018-06-07 12:52:42 EDT

The fix is already available in 10.5 branch:
https://github.com/dogtagpki/pki/commit/313c701957bedfd59f7f6368d0c37d2928d1a4a1
Comment 5 Geetika Kapoor 2018-06-13 17:26:58 UTC 
Test Env:
=======


rpm -qa pki-*
pki-symkey-10.5.1-13.1.el7_5.x86_64
pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64
pki-base-10.5.1-13.1.el7_5.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-server-10.5.1-13.1.el7_5.noarch
pki-tps-10.5.1-12.el7pki.x86_64
pki-kra-10.5.1-13.1.el7_5.noarch
pki-tools-10.5.1-13.1.el7_5.x86_64
pki-tks-10.5.1-12.el7pki.noarch
pki-javadoc-10.5.1-13.1.el7_5.noarch
pki-base-java-10.5.1-13.1.el7_5.noarch
pki-usgov-dod-cacerts-0.0.6-4.el7.noarch
pki-ca-10.5.1-13.1.el7_5.noarch
pki-ocsp-10.5.1-12.el7pki.noarch


Test Steps:
==========

1. perform 2 step external CA installation procedure and make sure it works .
2. With any failures in csr, certificate (ca_signing or external certificate) correct error message is logged.
Comment 7 errata-xmlrpc 2018-06-26 16:47:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979