Bug 1653863
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CC: tools supporting CMC requests output keyID needs to be captured in file | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Christina Fu <cfu> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.7 | CC: | gkapoor, mharmsen, msauton, sumenon |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.5.16-2.el7 | Doc Type: | No Doc Update |
| Doc Text: | Previously addressed in "https://bugzilla.redhat.com/show_bug.cgi?id=1655951 - CC: tools supporting CMC requests output keyID needs to be captured in file [rhel-7.6.z]" | | |
| Story Points: | --- | | |
| Clone Of: | | | |
| Clones: | 1655951 (view as bug list) | Environment: | |
| Last Closed: | 2019-08-06 13:07:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1655951 | | |
Description
Christina Fu
2018-11-27 19:03:46 UTC
commit c75543ab71458fa60dbb2c2da1ce063243eac8c5 (HEAD -> master, ladycfu/bug1653863-CMC-tools-keyID-master, bug1653863-CMC-tools-keyID-master)
Author: Christina Fu <cfu>
Date: Fri Nov 9 11:06:57 2018 -0800

bug 1653863 tools supporting CMC requests output keyID needs to be captured in file

This patch adds code in both CRMFPopClient and PKCS10Client to automatically
write the private key id into a file named <output>.keyId so that
they can be fetched later for CMCRequest
<output> is the name of the file specified with the "-o" option.
This patch also changed all references from "CMC self-test" to
"CMC shared secret" instead.
A test feature is also added to CMCRequest.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1653863
Change-Id: Iaf2772be54f9937da456655cdec688f13f6e8b71

DOGTAG_10_5_BRANCH:
commit cb99e112b9421f6fe98b4ac5ab5885c28ee958c3
Author: Christina Fu <cfu>
Date: Fri Nov 9 11:06:57 2018 -0800

bug 1653863 tools supporting CMC requests output keyID needs to be captured

This patch adds code in both CRMFPopClient and PKCS10Client to automatically
write the private key id into a file named <output>.keyId so that
they can be fetched later for CMCRequest
<output> is the name of the file specified with the "-o" option.
This patch also changed all references from "CMC self-test" to
"CMC shared secret" instead.
A test feature is also added to CMCRequest.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1655951
Change-Id: Iaf2772be54f9937da456655cdec688f13f6e8b71
Testing procedure documented here:
* https://bugzilla.redhat.com/show_bug.cgi?id=1655951#c3 - CC: tools supporting CMC requests output keyID needs to be captured in file [rhel-7.6.z]

*** Bug 1588599 has been marked as a duplicate of this bug. ***

Verified on RHEL7.7 using
[root@pki1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 Beta (Maipo)
389-ds-base-1.3.9.1-8.el7.x86_64
pki-ca-10.5.16-2.el7.noarch
pki-kra-10.5.16-2.el7.noarch
[root@pki1 test]# CRMFPopClient -d . -p Secret123 -n "cn=Christina Fu, uid=user1a, ou=yesPOP" -q POP_SUCCESS -b kra.transport -a ec -v -o crmf.pop.req
Initializing security database: .
archival option enabled
Loading transport certificate
Parsing subject DN
RDN: OU=yesPOP
RDN: UID=user1a
RDN: CN=Christina Fu
Generating key pair
Keypair private key id: 6efe13c0b59b7af9281cefd4c88a151c0541490a
Using key wrap algorithm: AES KeyWrap/Padding
Creating certificate request
Creating signer
Creating POP
Creating CRMF request
Storing CRMF request into crmf.pop.req
Storing CRMF request key id into crmf.pop.req.keyId
[root@pki1 test]# cat crmf.pop.req.keyId
6efe13c0b59b7af9281cefd4c88a151c0541490a
==============================================================
[root@pki1 test]# PKCS10Client -d . -p Secret123 -a ec -c nistp256 -o p10-ec.req -n "CN=cfuEC"
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: CertificationRequest created.
PKCS10Client: b64encode completes.
Keypair private key id: 2089a0b546ff967daee448881d649e2df594e759
-----BEGIN CERTIFICATE REQUEST-----
MIHKMHICAQAwEDEOMAwGA1UEAwwFY2Z1RUMwWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAATanJRNT/+luzczfsrUL8Xnq3QpkKRe9Odqhs+I4c/cJB2L09WdlPjSrAr2
SjR2d7AzrZgY4TgjT72wY43Y51ZYoAAwCgYIKoZIzj0EAwIDSAAwRQIgWH/FJfuz
ZNo0bw5ViDwgVqsgYamZ4rQsrlHwjwd1H3oCIQCWI+e7z8f4ej35vecPtBLADTJe
paw4ZLLr49/khfX9bQ==
-----END CERTIFICATE REQUEST-----
[root@pki1 test]# cat p10-ec.req.keyId
2089a0b546ff967daee448881d649e2df594e759
[root@pki1 ca]# date
Wed Jun 12 03:33:13 EDT 2019
[root@pki1 ca]# pwd
/var/lib/pki/topology-01-CA/ca/profiles/ca
[root@pki1 ca]# ls -l | grep Shared
-rw-rw----. 1 pkiuser pkiuser 5242 Mar 18 20:13 caECFullCMCSharedTokenCert.cfg
-rw-rw----. 1 pkiuser pkiuser 5231 Mar 18 20:13 caFullCMCSharedTokenCert.cfg
#man CMCRequest
request.useSharedSecret
true or false. If useSharedSecret is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the
nickname parameter will be ignored.
#man PKCS10Client
In addition: -y <true for adding SubjectKeyIdentifier extensionfor cmc Shared Secret requests; false otherwise; default false> To be used with 'request.useSharedSecret=true' when running CMCRequest.
caECFullCMCSharedTokenCert.cfg
caFullCMCSharedTokenCert.cfg
#policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint
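The hand-off the commit message describes (the key id written to `<output>.keyId` being picked up for CMCRequest), as an added POSIX shell example that is not code from this bug or from pki-core: it validates the `.keyId` file and emits the shared-secret section of a CMCRequest configuration. The config keys other than `request.useSharedSecret` (`numRequests`, `input`, `output`, `dbdir`, `password`, `request.privKeyId`) are assumed from the CMCRequest man page; the sample key id is the one printed by the CRMFPopClient run above.

```sh
# Added example, not code from the bug or from pki-core: consume the
# <output>.keyId file that CRMFPopClient/PKCS10Client now write beside the
# request and turn it into a CMCRequest config for a shared-secret request.
# Config keys other than request.useSharedSecret are assumed from the
# CMCRequest man page.

# Read <request>.keyId and check it looks like an NSS private key id
# (the runs above print a 40-hex-char id; anything non-hex is an error).
read_key_id() {
    keyfile="$1.keyId"
    [ -r "$keyfile" ] || { echo "missing $keyfile" >&2; return 1; }
    id=$(tr -d '[:space:]' < "$keyfile")
    case "$id" in
        "" | *[!0-9a-fA-F]*) echo "bad key id in $keyfile" >&2; return 1 ;;
    esac
    printf '%s\n' "$id"
}

# Emit a minimal CMCRequest config. With request.useSharedSecret=true the
# request is signed with the pairing private key, so no nickname is given;
# request.privKeyId tells CMCRequest which private key that is.
cmc_shared_secret_cfg() {
    req="$1"; out="$2"; dbdir="$3"; passwd="$4"
    id=$(read_key_id "$req") || return 1
    cat <<EOF
numRequests=1
input=$req
output=$out
dbdir=$dbdir
password=$passwd
request.useSharedSecret=true
request.privKeyId=$id
EOF
}

# Constructed sample: what "CRMFPopClient ... -o crmf.pop.req" leaves behind,
# using the key id printed in the verification run above.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '6efe13c0b59b7af9281cefd4c88a151c0541490a\n' > "$demo_dir/crmf.pop.req.keyId"
cmc_shared_secret_cfg "$demo_dir/crmf.pop.req" "$demo_dir/crmf.pop.cmc" "$demo_dir" Secret123
```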
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2228