Bug 1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
Summary: IPA admin cert is created with SHA1 signing algorithm, should be SHA256
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Matthew Harmsen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1024445
Blocks: 1024461 1061410
Reported: 2013-10-29 17:14 UTC by Ade Lee
Modified: 2015-05-12 11:09 UTC (History)

Fixed In Version: pki-core-9.0.3-35.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 1024445
Environment:
Last Closed: 2014-10-14 07:36:37 UTC


Attachments
patch to fix (19.03 KB, patch), 2013-10-31 17:10 UTC, Ade Lee
Patch to create admin cert with SHA256 (used in build) (8.10 KB, patch), 2014-06-21 03:55 UTC, Matthew Harmsen
Patch to create admin cert with SHA256 (spec file used in build) (48.32 KB, text/plain), 2014-06-21 03:56 UTC, Matthew Harmsen


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1549 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2014-10-14 01:21:26 UTC

Comment 2 Ade Lee 2013-10-31 17:10:39 UTC
Created attachment 818000 [details]
patch to fix

This is the patch to fix this issue.  We will wait till the bug has been acked to apply it.

Comment 4 Matthew Harmsen 2014-06-21 03:55:55 UTC
Created attachment 910967 [details]
Patch to create admin cert with SHA256 (used in build)

This patch contains just the code changes present in the previous patch with the following exception:

In 'base/ca/shared/conf/CS.cfg.in', the following was changed from:

ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC

to:

ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC

Basically, the double '==' was replaced by a single '=', as I was concerned that this may be viewed as a part of the value string ('=SHA256withRSA' rather than 'SHA256withRSA').

Comment 5 Matthew Harmsen 2014-06-21 03:56:58 UTC
Created attachment 910968 [details]
Patch to create admin cert with SHA256 (spec file used in build)

Comment 6 Kaleem 2014-07-31 16:09:43 UTC
Verified

pki and ipa version
===================
[root@rhel66-master ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-36.el6.noarch
ipa-server-3.0.0-42.el6.x86_64
[root@rhel66-master ~]# 

Snip from beaker automation 
===========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Uninstall for next test
:: [   PASS   ] :: Uninstalling ipa server for next test (Expected 0, got 0)
:: [   PASS   ] :: Making sure that /etc/sssd/sssd.conf does not exist. BZ 819982 (Expected 2, got 2)
:: [   PASS   ] :: Installing IPA Server (Expected 0, got 0)
:: [   PASS   ] :: File '/etc/pki-ca/CS.cfg' should contain 'ca.signing.defaultSigningAlgorithm=SHA256withRSA' 
:: [   PASS   ] :: Running 'certutil -L -d /etc/pki/nssdb/ -n "ipa-ca-agent" > /tmp/bz1024462_output.xt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1024462_output.xt' should contain 'Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption' 
:: [   PASS   ] :: IPA admin cert is created with SHA256withRSA signing algo 
:: [   PASS   ] :: Running 'certutil -D -d /etc/pki/nssdb/ -n "ipa-ca-agent"' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 10m 33s
:: [   LOG    ] :: Assertions: 8 good, 0 bad
:: [   PASS   ] :: RESULT: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256

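As an added example that is not part of this bug report or of pki-core, the following Python checks the two things comments 4 and 6 are about: how a CS.cfg line with a doubled '==' is read when split on the first '=' (the reading that motivated the change), and whether the signing settings and the certutil "Signature Algorithm" line match what the verification step expected. The sample config lines and certutil excerpt are constructed from the values quoted above.

```python
"""Audit the pki-ca settings and certutil output checked in this bug (added
example, not code from the bug report or pki-core; samples are constructed)."""
import re

# Constructed CS.cfg sample: first line keeps the doubled '==' from the
# original patch, the second is the value the verification step expects.
SAMPLE_CS_CFG = """\
ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
ca.signing.defaultSigningAlgorithm=SHA256withRSA
"""
# Constructed excerpt of 'certutil -L -d <nssdb> -n "ipa-ca-agent"' output.
SAMPLE_CERTUTIL = """\
        Version: 3 (0x2)
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
"""
WEAK_PREFIXES = ("MD2", "MD5", "SHA1")

def parse_cs_cfg(text):
    """Split each 'key=value' line on the FIRST '=', as a naive reader would,
    so 'key==foo' yields the value '=foo' (the concern raised in comment 4)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def audit_signing_config(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    default = cfg.get("ca.signing.defaultSigningAlgorithm")
    if default != "SHA256withRSA":
        findings.append("defaultSigningAlgorithm is %r, expected SHA256withRSA" % default)
    allowed = cfg.get("ca.profiles.defaultSigningAlgsAllowed", "")
    if allowed.startswith("="):
        findings.append("defaultSigningAlgsAllowed has a doubled '=' before the value")
        allowed = allowed[1:]
    weak = [a for a in allowed.split(",") if a.startswith(WEAK_PREFIXES)]
    if weak:
        findings.append("weak signing algorithms still allowed: " + ",".join(weak))
    return findings

def cert_signature_algorithm(certutil_output):
    """Return the 'Signature Algorithm:' value from certutil -L output, or None."""
    m = re.search(r"^\s*Signature Algorithm:\s*(.+?)\s*$", certutil_output, re.M)
    return m.group(1) if m else None
```

The weak-algorithm finding is deliberately stricter than the allowed list shipped in the patch, which still lists SHA1 and MD5 variants; it only flags them, it does not claim the build rejects them.
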
Comment 8 errata-xmlrpc 2014-10-14 07:36:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1549.html

