Bug 1595759

Summary: org.mozilla.jss.pkix.primitive.AlgorithmIdentifier decode/encode process alters original data [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: jssAssignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 7.5CC: aakkiang, akahat, cfu, edewata, ekeck, elio.maldonado.batiz, extras-qa, jmagne, kwright, lmiksik, mharmsen, nkinder, rcritten, rmeggins
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jss-4.4.0-13.el7_5 Doc Type: Bug Fix
Doc Text:
Previously, due to a missing parameter check, encoding and decoding of an AlgorithmIdentifier object in the Java Security Services (JSS) was inconsistent. As a consequence, if JSS decoded an AlgorithmIdentifier object and encoded it again, JSS added in certain situations incorrectly a NULL parameter. This update detects if a parameter exists and no longer adds the NULL parameter. As a result, encoding and decoding AlgorithmIdentifier objects in JSS is consistent.
 Story Points: ---
Clone Of: 1534772 Environment:
Last Closed: 2018-08-16 14:19:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1534772    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-06-27 13:37:07 UTC 
This bug has been copied from bug #1534772 and has been proposed to be backported to 7.5 z-stream (EUS).
Comment 2 Christina Fu 2018-06-28 18:40:12 UTC 
commit 7c7a97f60c1b3400b921981a3cd9e9aae4f28987 (HEAD -> JSS_4_4_BRANCH, origin/JSS_4_4_BRANCH)
Author: Christina Fu <cfu>
Date:   Tue Jun 26 17:59:28 2018 -0700

    Ticket 12 AlgorithmIdentifier decode/encode process alters original data
    
    This patch provides fix to ensure that the encoding and decoding of an AlgorithmIdentifier
    structure would not alter the data.
    
    credit: original fix suggestion provided by david.k.stutzman2.ctr
    
    fixes https://pagure.io/jss/issue/12
Comment 3 Christina Fu 2018-06-28 18:45:45 UTC 
test procedure:

The same test procedure provided from the other bug should work for this one:
https://bugzilla.redhat.com/show_bug.cgi?id=1547802#c2
Comment 6 Amol K 2018-07-31 09:20:35 UTC 
I tested this Bugzilla on 10.5.1-14.el7_5 version.

I followed the steps which CFu mention in the comment #3 
(In reply to Christina Fu from comment #3)
> test procedure:
> 
> The same test procedure provided from the other bug should work for this one:
> https://bugzilla.redhat.com/show_bug.cgi?id=1547802#c2

After the dumpasn1 output, I'm not able to see NULL in 'OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)' block.

```
    <06 08 2A 86 48 CE 3D 04 03 02>
 18   8: . . . OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
       : . . . . (ANSI X9.62 ECDSA algorithm with SHA256)
       : . . . }

```

Verifying this bug.
Comment 8 errata-xmlrpc 2018-08-16 14:19:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2453