Bug 701270

Summary: certutil fails while trying to generate a self signed cert
Product: Red Hat Enterprise Linux 6 Reporter: IBM Bug Proxy <bugproxy>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: amarecek, eparis, hannsj_uhl, rrelyea, sforsber
Target Milestone: rc   
Target Release: ---   
Hardware: s390x   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-08 09:42:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 855142    
Attachments:
Description Flags
PKCS#11 trace of teh certutil -S step
none
PKCS#11 trace of the certutil -R step
none
PKCS#11 trace of the certutil -C step none

Description IBM Bug Proxy 2011-05-02 11:50:42 UTC 
---Problem Description---

When trying to generate a self-signed certificate using certutil and opencryptoki, certutil returns
the error message:

certutil: unable to find issuer with nickname ibmtest:cacert: Certificate extension not found.

---uname output---
Linux r1745015 2.6.32-114.0.1.el6.s390x #1 SMP Thu Feb 10 15:33:32 EST 2011 s390x s390x s390x GNU/Linux
 
---Debugger Data---
na 
 
Machine Type = s390x lpar 
 
---Steps to Reproduce---
 1. mkdir ock_db

2. modutil -create -dbdir ock_db

3. modutil -add ock -libfile /usr/local/lib64/opencryptoki/libopencryptoki.so -mechanisms
"RSA:AES:SHA1:SHA256:SHA512:SSL:TLS:RANDOM" -dbdir ock_db

4. certutil -N -d ock_db

5. certutil -S -h ibmtest -d ock_db -n cacert -s "CN=KlausK Certificate Authority, O=IBM.COM, C=US"
-x -t CTu,CTu,CTu -g 1024 -m 1 -v 48 -2 -1 -5

At the prompts, enter:
5,9,n,y,10,y,5,6,7,9,n


6. certutil -R -h ibmtest -d ock_db -s "CN=r1745015.boeblingen.de.ibm.com, O=IBM, C=US" -o
ock_db/tempcertreq -g 1024

7. certutil -C -h ibmtest -d ock_db -c ibmtest:cacert -i ock_db/tempcertreq -o ock_db/tempcert.der
-m 3  -v 48 -1 -5

At the prompts, enter:
2,9,n,1,9,n

certutil: unable to find issuer with nickname ibmtest:cacert: Certificate extension not found.

 
---Other Component Data--- 
Userspace tool common name: certutil 
 
The userspace tool has the following bit modes: 64bit 

Userspace rpm: nss-tools-3.12.9-5.el6.s390x 

Userspace tool obtained from project website:  na 
 
NSS package versions:

[root@r1745015 68236]# rpm -qa |grep ^nss
nss-softokn-freebl-3.12.9-1.el6.s390
nss-3.12.9-5.el6.s390x
nss-util-debuginfo-3.12.9-1.el6.s390x
nss-softokn-3.12.9-3.el6.s390x
nss-util-devel-3.12.9-1.el6.s390x
nss-sysinit-3.12.9-5.el6.s390x
nss-tools-3.12.9-5.el6.s390x
nss-softokn-debuginfo-3.12.9-3.el6.s390x
nss-softokn-freebl-3.12.9-3.el6.s390x
nss-softokn-freebl-devel-3.12.9-3.el6.s390x
nss-util-3.12.9-1.el6.s390x
nss-devel-3.12.9-5.el6.s390x
nss-debuginfo-3.12.9-5.el6.s390x
nss-softokn-devel-3.12.9-3.el6.s390x


We're using opencryptoki-2.4, which is not yet released.
Comment 1 IBM Bug Proxy 2011-05-02 11:50:47 UTC 
Created attachment 496232 [details]
PKCS#11 trace of teh certutil -S step
Comment 2 IBM Bug Proxy 2011-05-02 11:50:51 UTC 
Created attachment 496233 [details]
PKCS#11 trace of the certutil -R step
Comment 3 IBM Bug Proxy 2011-05-02 11:50:54 UTC 
Created attachment 496234 [details]
PKCS#11 trace of the certutil -C step
Comment 5 RHEL Program Management 2011-05-03 06:00:29 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 6 Elio Maldonado Batiz 2011-05-04 16:44:13 UTC 
(In reply to comment #0)
I haven't been able to reprodice the problem yet because I am having problems with step 3. 
> 3. modutil -add ock -libfile /usr/local/lib64/opencryptoki/libopencryptoki.so
> -mechanisms
> "RSA:AES:SHA1:SHA256:SHA512:SSL:TLS:RANDOM" -dbdir ock_db
modutil is failing for me here and I'm trying to investigate why.

I do have some questions about step 5 and step 7.

> 5. certutil -S -h ibmtest -d ock_db -n cacert -s "CN=KlausK Certificate
> Authority, O=IBM.COM, C=US" -x -t CTu,CTu,CTu -g 1024 -m 1 -v 48 -2 -1 -5

I notice that you pass "-n cacert" for the nickname here but then on step 7
> 7. certutil -C -h ibmtest -d ock_db -c ibmtest:cacert -i ock_db/tempcertreq -o
> ock_db/tempcert.der
....

you pass "-c ibmtest:cacert". 

According to the documentation at
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
that value should be either "the exact nickname or alias of the CA certificate" or "the CA's email address". 

"ibmtest:cacert: != "cacert" (as used on step 5) nor is it the ca's email address.
Comment 10 IBM Bug Proxy 2013-10-21 12:55:01 UTC 
------- Comment From hannsj_uhl.com 2013-10-21 12:46 EDT-------
fyi .. IBM is not pursuing this bugzilla and therefore this bugzilla can be closed ...