Bug 1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Matthew Harmsen
QA Contact: Asha Akkiangady
Depends On: 1024445
Blocks: 1024461 1061410
Reported: 2013-10-29 13:14 EDT by Ade Lee
Modified: 2015-05-12 07:09 EDT (History)

See Also:
Fixed In Version: pki-core-9.0.3-35.el6
Doc Type: Bug Fix
Clone Of: 1024445
Last Closed: 2014-10-14 03:36:37 EDT
Type: Bug


Attachments
patch to fix (19.03 KB, patch) - 2013-10-31 13:10 EDT, Ade Lee
Patch to create admin cert with SHA256 (used in build) (8.10 KB, patch) - 2014-06-20 23:55 EDT, Matthew Harmsen
Patch to create admin cert with SHA256 (spec file used in build) (48.32 KB, text/plain) - 2014-06-20 23:56 EDT, Matthew Harmsen

Comment 2 Ade Lee 2013-10-31 13:10:39 EDT
Created attachment 818000 [details]
patch to fix

This is the patch to fix this issue.  We will wait till the bug has been acked to apply it.
Comment 4 Matthew Harmsen 2014-06-20 23:55:55 EDT
Created attachment 910967 [details]
Patch to create admin cert with SHA256 (used in build)

This patch contains just the code changes present in the previous patch with the following exception:

In 'base/ca/shared/conf/CS.cfg.in', the following was changed from:

ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC

to:

ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC

Basically, the double '==' was replaced by a single '=', as I was concerned that this may be viewed as a part of the value string ('=SHA256withRSA' rather than 'SHA256withRSA').
Comment 5 Matthew Harmsen 2014-06-20 23:56:58 EDT
Created attachment 910968 [details]
Patch to create admin cert with SHA256 (spec file used in build)
Comment 6 Kaleem 2014-07-31 12:09:43 EDT
Verified

pki and ipa version
===================
[root@rhel66-master ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-36.el6.noarch
ipa-server-3.0.0-42.el6.x86_64
[root@rhel66-master ~]# 

Snip from beaker automation 
===========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Uninstall for next test
:: [   PASS   ] :: Uninstalling ipa server for next test (Expected 0, got 0)
:: [   PASS   ] :: Making sure that /etc/sssd/sssd.conf does not exist. BZ 819982 (Expected 2, got 2)
:: [   PASS   ] :: Installing IPA Server (Expected 0, got 0)
:: [   PASS   ] :: File '/etc/pki-ca/CS.cfg' should contain 'ca.signing.defaultSigningAlgorithm=SHA256withRSA' 
:: [   PASS   ] :: Running 'certutil -L -d /etc/pki/nssdb/ -n "ipa-ca-agent" > /tmp/bz1024462_output.xt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1024462_output.xt' should contain 'Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption' 
:: [   PASS   ] :: IPA admin cert is created with SHA256withRSA signing algo 
:: [   PASS   ] :: Running 'certutil -D -d /etc/pki/nssdb/ -n "ipa-ca-agent"' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 10m 33s
:: [   LOG    ] :: Assertions: 8 good, 0 bad
:: [   PASS   ] :: RESULT: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
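As an added example (not code from the bug report or from pki-core), the two checks the beaker run above performs, plus the '==' caveat from Comment 4, as POSIX shell functions that run offline against constructed sample files; the /etc/pki-ca/CS.cfg and certutil invocation are the ones this report uses.

```shell
#!/bin/sh
# Added example, not code from the bug report or from pki-core: an offline
# version of the two assertions in the beaker snippet above. Paths are the
# ones the report cites; sample file contents are constructed here.

# 0 if CS.cfg sets a SHA-2 default signing algorithm, 1 otherwise.
# A '==' spelling (the typo Comment 4 removed from a neighbouring key) is
# also rejected, since the value would then start with '='.
cfg_signing_alg_ok() {
    line=$(grep '^ca\.signing\.defaultSigningAlgorithm=' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    case "${line#*=}" in
        SHA256withRSA|SHA384withRSA|SHA512withRSA) return 0 ;;
        SHA256withEC|SHA384withEC|SHA512withEC) return 0 ;;
        *) return 1 ;;   # SHA1withRSA, MD5withRSA, '=SHA256withRSA', ...
    esac
}

# 0 if a 'certutil -L -n <nick>' dump shows a SHA-2 signature, 1 if it
# shows SHA-1/MD5 (the pre-fix admin cert) or lacks the line entirely.
cert_sig_alg_ok() {
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$alg" ] || return 1
    case "$alg" in
        *SHA-256*|*SHA-384*|*SHA-512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (not real system files): pre-fix, post-fix and
# '==' CS.cfg lines, and certutil output before and after the fix.
write_samples() {
    printf 'ca.signing.defaultSigningAlgorithm=SHA1withRSA\n'    > "$1/cs_old.cfg"
    printf 'ca.signing.defaultSigningAlgorithm=SHA256withRSA\n'  > "$1/cs_new.cfg"
    printf 'ca.signing.defaultSigningAlgorithm==SHA256withRSA\n' > "$1/cs_bad.cfg"
    printf '    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption\n'   > "$1/cert_old.txt"
    printf '    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption\n' > "$1/cert_new.txt"
}

# Live use on an IPA CA host (the beaker run's two commands):
#   cfg_signing_alg_ok /etc/pki-ca/CS.cfg
#   certutil -L -d /etc/pki/nssdb/ -n ipa-ca-agent > /tmp/dump.txt && cert_sig_alg_ok /tmp/dump.txt
```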
Comment 8 errata-xmlrpc 2014-10-14 03:36:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1549.html
