Bug 1760365

Summary: Clone CA Server Cert not replicating complete inserted SAN in its server certificate
Product: Red Hat Enterprise Linux 8
Reporter: Pritam Singh <prisingh>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED UPSTREAM
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: ascheel, mharmsen
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-03-15 19:44:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments:
- rootCA_debug_log
- rootCA_caInternalAuthServerCert_profile
- rootCA_rsaServerCert_profile
- rootCA_servercert_with_SAN_extension
- cloneCA_servercert_with_4_SAN

Description Pritam Singh 2019-10-10 11:51:28 UTC
Created attachment 1624294 [details]
rootCA_debug_log

Description of problem:
The clone CA's server cert is not reflecting the complete inserted SAN: the RootCA it is cloned from has 5 SANs in its server certificate, but only 4 SANs are shown in the clone's SSL server certificate.

Version-Release number of selected component (if applicable):
pki-ca-10.5.16-5.el7_7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Make SAN changes in /usr/share/pki/ca/conf/rsaServerCert.profile
1.1 Add 8 in list=2,4,5,6,7,8
1.2 Add the SAN params below in the 8th section:

8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
8.default.name=Subject Alternative Name Defaults
8.default.params.subjAltNameExtCritical=true
8.default.params.subjAltNameNumGNs=5
8.default.params.subjAltExtGNEnable_0=true
8.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
8.default.params.subjAltExtType_0=DNSName
8.default.params.subjAltExtGNEnable_1=true
8.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
8.default.params.subjAltExtType_1=DNSName
8.default.params.subjAltExtGNEnable_2=true
8.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
8.default.params.subjAltExtType_2=DNSName
8.default.params.subjAltExtGNEnable_3=true
8.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
8.default.params.subjAltExtType_3=DNSName
8.default.params.subjAltExtGNEnable_4=true
8.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
8.default.params.subjAltExtType_4=DNSName

2. Make changes in /usr/share/pki/ca/profiles/ca/caInternalAuthServerCert.cfg
2.1 input.list=i1,i2,i3
2.2 policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
2.3 Add the SAN params below in the 9th section:

policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_3=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
policyset.serverCertSet.9.default.params.subjAltExtType_3=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_4=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
policyset.serverCertSet.9.default.params.subjAltExtType_4=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=5

3. Install RootCA with SAN
# cat ca.cfg
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080

pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA

pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_security_domain_https_port=20443
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = 389
pki_san_inject=True
pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain,redacted_servera,redacted_servera.domain
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

# pkispawn -s CA -f ca.cfg -vv

4. Installation should be successful with SAN extension in RootCA ssl server cert.

# certutil -L -d /var/lib/pki/topology-02-CA/alias/ -n "Server-Cert cert-topology-02-CA"

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Fo
            obarmaster.org"
        Validity:
            Not Before: Wed Oct 09 12:54:37 2019
            Not After : Tue Sep 28 12:54:37 2021
        Subject: "CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarm
            aster.org"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ba:30:7f:4a:fe:6a:88:f2:8b:90:76:f0:52:f7:07:04:
                    2b:b9:a7:4c:85:19:ae:8e:e2:9d:43:42:4b:6c:90:d9:
                    bc:8c:de:77:7b:95:e8:f3:e3:9b:38:35:42:ca:5c:b5:
                    ca:77:43:cc:1d:3b:b4:bc:ea:3a:9f:6f:56:0a:8d:a6:
                    8d:02:e8:61:8c:eb:ae:68:67:2b:41:14:be:2f:cb:00:
                    98:49:2b:e8:59:f0:4b:a2:d1:17:76:cf:d7:e7:d9:3d:
                    50:d8:8a:f1:e8:2b:d6:33:59:ef:5c:ce:5e:ed:ca:ba:
                    99:26:34:46:b5:e2:ea:ee:13:7f:b8:07:ea:f6:50:ca:
                    ee:f2:af:81:73:e1:52:32:cd:00:f8:c3:e5:20:31:0a:
                    4b:05:f6:9f:ad:75:7c:4a:68:e6:8f:f9:ec:71:9b:bb:
                    b7:90:94:e7:07:dd:96:3c:32:9d:cd:76:38:20:2f:df:
                    4c:f6:a8:33:f1:6f:fe:07:ed:f8:79:0e:31:83:40:25:
                    84:5a:97:84:39:85:5a:dd:38:36:2a:bc:f4:5f:be:34:
                    1b:49:aa:df:5b:55:c2:1e:00:e3:aa:e0:d8:7c:0e:6e:
                    41:72:57:32:5c:e1:a0:df:10:63:93:35:46:61:27:90:
                    5d:6f:9c:47:46:b4:e6:72:d5:66:c2:70:3c:8e:86:d5
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                82:d7:27:7c:3d:bf:57:71:57:9a:e1:b7:4f:2b:d4:64:
                28:aa:f2:79

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://pki1.example.com:20080/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

            Name: Certificate Subject Alt Name
            Critical: True
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"
            DNS name: "redacted_servera.domain"

5. Execute ca-clone-prepare to get the p12 file, then copy it to the clone machine
# pki-server ca-clone-prepare -i topology-02-CA --pkcs12-file /tmp/caclone.p12 --pkcs12-password SECret.123
-----------------------------------------------------
Added certificate "subsystemCert cert-topology-02-CA"
-----------------------------------------------------
--------------------------------------------------------
Added certificate "caSigningCert cert-topology-02-CA CA"
--------------------------------------------------------
----------------------------------------------------------
Added certificate "ocspSigningCert cert-topology-02-CA CA"
----------------------------------------------------------
-----------------------------------------------------------
Added certificate "auditSigningCert cert-topology-02-CA CA"
-----------------------------------------------------------

6. Install the clone with the same SAN changes as in the Master:
# cat clone.cfg
[DEFAULT]
pki_instance_name = topology-02-CA-clone
pki_https_port = 22080
pki_http_port = 22443

pki_token_password = SECret.123
pki_admin_password = SECret.123

pki_hostname = pki2.example.com
pki_security_domain_hostname = pki1.example.com
pki_security_domain_password = SECret.123
pki_security_domain_https_port = 20443
pki_security_domain_post_login_sleep_seconds=5
pki_security_domain_name=topology-02_Foobarmaster.org
pki_client_dir = /opt/topology-02-CA-clone
pki_client_pkcs12_password = SECret.123
pki_client_database_password = SECret.123

pki_ds_password = SECret.123
pki_ds_ldap_port = 3389
pki_san_inject=True
pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain,
redacted_servera,redacted_servera.domain

[Tomcat]
pki_ajp_port = 22009
pki_tomcat_server_port = 22005

[CA]
pki_clone=True
pki_clone_pkcs12_password=SECret.123
pki_clone_pkcs12_path=/tmp/caclone.p12
pki_import_admin_cert = False
pki_admin_nickname= ca_clone
pki_ds_hostname = pki2.example.com
pki_ds_base_dn=o=topology-02-CA-CA
pki_ds_database=ca-clone

pki_clone_replication_master_port=389
pki_clone_replication_clone_port=3389
pki_clone_replicate_schema=True
pki_clone_uri=https://pki1.example.com:20443

pki_ca_signing_nickname=caSigningCert cert-topology-02-CA CA
pki_ocsp_signing_nickname=ocspSigningCert cert-topology-02-CA CA
pki_audit_signing_nickname=auditSigningCert cert-topology-02-CA CA
pki_subsystem_nickname=subsystemCert cert-topology-02-CA

# pkispawn -s CA -f clone.cfg -vv

7. Installation happened successfully with the SAN reflected in its server cert.

[root@pki2 ~]# certutil -L -d /var/lib/pki/topology-02-CA-clone/alias/ -n "Server-Cert cert-topology-02-CA-clone"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Fo
            obarmaster.org"
        Validity:
            Not Before: Wed Oct 09 13:01:40 2019
            Not After : Tue Sep 28 13:01:40 2021
        Subject: "CN=pki2.example.com,OU=topology-02-CA-clone,O=topology-02_F
            oobarmaster.org"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d8:3c:67:43:a3:d9:a3:d2:94:a2:97:a1:2e:b2:4f:b0:
                    70:75:57:99:38:15:64:51:1f:54:1e:df:c1:96:ec:f9:
                    01:37:92:e7:69:28:09:44:e3:d2:22:69:d1:cd:36:d5:
                    90:70:e0:04:e3:ed:d8:32:43:ed:68:23:14:ca:5a:74:
                    ae:3d:67:95:12:4c:45:e8:e1:7e:85:71:ef:23:5c:34:
                    d1:4e:ce:4e:02:b4:63:c4:21:f4:b2:c0:16:cb:df:c7:
                    4e:fb:92:a1:6a:5f:d7:fc:39:86:0e:ff:97:5a:c7:65:
                    ce:90:a4:d2:39:12:54:b9:a4:6e:dd:95:dc:a9:79:10:
                    44:27:04:25:8a:33:f7:63:1c:ba:b1:9a:7d:0a:0b:62:
                    bf:17:aa:61:62:46:f6:b3:6a:b1:22:52:c9:3e:c9:88:
                    d1:97:23:9e:26:5e:d6:f4:f8:be:f9:24:c6:e7:f4:63:
                    a7:d8:46:79:6a:1a:3e:88:94:b6:f8:10:2e:c5:76:ef:
                    a4:d8:a8:74:15:90:81:7a:83:69:a6:66:a1:f8:85:36:
                    1b:05:bf:5f:d2:3c:a5:72:b1:22:51:eb:0f:f6:f9:ea:
                    7c:f4:eb:e0:9e:94:f3:21:62:a0:ea:e3:fe:3a:c6:63:
                    58:df:c6:46:80:05:0f:7c:ed:81:2e:0b:ed:4b:49:51
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                82:d7:27:7c:3d:bf:57:71:57:9a:e1:b7:4f:2b:d4:64:
                28:aa:f2:79

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://pki1.example.com:20080/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: Certificate Subject Alt Name
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"

Actual results:

Seen that the RootCA server cert has 5 DNS name entries in its SAN and cloning with the SAN extension is successful, but the clone CA's SSL server certificate is issued with 4 DNS name entries in its SAN extension.

Expected results:
It should result in replication of 5 DNS name entries in the clone CA server cert, as per the injected SAN.

Proof of concept:
Please find the RootCA debug log and profiles config attached.

Additional info:

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1743122#c16
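A quick check for the discrepancy described above, as an added example that is not part of the bug report or of the pki-core project: it reads the `pki_san_for_server_cert` list out of a pkispawn config and compares it with the DNS names actually present in the `Certificate Subject Alt Name` block of `certutil -L` output, reporting any requested name the issued certificate lacks. It also records whether the SAN extension was marked critical, since the RootCA dump in the report shows `Critical: True` and the clone dump does not. The embedded certutil text and config are constructed samples that mirror the clone's values from the report; in practice you would feed in the real `certutil -L -d <alias dir> -n "<nickname>"` output and the real `clone.cfg`.

```python
"""Compare pki_san_for_server_cert with the SAN actually issued (certutil -L dump)."""
import configparser
import re
from typing import List, Tuple

# Constructed sample: abbreviated certutil -L output for the clone's Server-Cert,
# mirroring the report (4 DNS names, no "Critical" line in the SAN block).
CLONE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: "CN=pki2.example.com,OU=topology-02-CA-clone,O=topology-02_Foobarmaster.org"
        Signed Extensions:
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Certificate Subject Alt Name
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"

"""

# Constructed sample: the [DEFAULT] section of the clone's pkispawn config.
CLONE_CFG = """\
[DEFAULT]
pki_instance_name = topology-02-CA-clone
pki_san_inject=True
pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain,redacted_servera,redacted_servera.domain
"""


def expected_sans(cfg_text: str) -> List[str]:
    """DNS names pkispawn was asked to inject, in config order; empty if injection is off."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    defaults = cp.defaults()  # the [DEFAULT] section, where pkispawn keys these values
    if defaults.get("pki_san_inject", "false").strip().lower() != "true":
        return []
    raw = defaults.get("pki_san_for_server_cert", "")
    return [name.strip() for name in raw.split(",") if name.strip()]


def actual_sans(certutil_text: str) -> Tuple[bool, List[str]]:
    """Parse the Subject Alt Name block of `certutil -L` output.

    Returns (critical, dns_names). Only lines under
    'Name: Certificate Subject Alt Name' are read, so a 'Critical: True'
    belonging to another extension (e.g. Key Usage) is not mistaken for the SAN's.
    """
    in_san = False
    critical = False
    names: List[str] = []
    for line in certutil_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name: "):
            in_san = stripped == "Name: Certificate Subject Alt Name"
            continue
        if not in_san:
            continue
        if stripped == "Critical: True":
            critical = True
        match = re.match(r'DNS name: "([^"]+)"', stripped)
        if match:
            names.append(match.group(1))
    return critical, names


def missing_sans(cfg_text: str, certutil_text: str) -> List[str]:
    """DNS names requested in the config but absent from the issued certificate."""
    _, present = actual_sans(certutil_text)
    return [name for name in expected_sans(cfg_text) if name not in present]


if __name__ == "__main__":
    crit, names = actual_sans(CLONE_CERTUTIL_OUTPUT)
    print(f"SAN critical={crit}, names={names}")
    print("missing:", missing_sans(CLONE_CFG, CLONE_CERTUTIL_OUTPUT) or "none")
```

Run against the sample data the check reports `redacted_servera.domain` as missing, which is exactly the fifth name the clone's certificate dropped; the same function returns an empty list for the RootCA dump, where all five names are present.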

Comment 2 Pritam Singh 2019-10-10 11:53:05 UTC
Created attachment 1624295 [details]
rootCA_caInternalAuthServerCert_profile

Comment 3 Pritam Singh 2019-10-10 11:55:08 UTC
Created attachment 1624296 [details]
rootCA_rsaServerCert_profile

Comment 4 Pritam Singh 2019-10-10 11:55:53 UTC
Created attachment 1624297 [details]
rootCA_servercert_with_SAN_extension

Comment 5 Pritam Singh 2019-10-10 11:56:56 UTC
Created attachment 1624298 [details]
cloneCA_servercert_with_4_SAN