1024462 – IPA admin cert is created with SHA1 signing algorithm, should be SHA256

Bug 1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256

Summary: IPA admin cert is created with SHA1 signing algorithm, should be SHA256

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Matthew Harmsen
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:	1024445
Blocks:	1024461 1061410
TreeView+	depends on / blocked

Reported:	2013-10-29 17:14 UTC by Ade Lee
Modified:	2015-05-12 11:09 UTC (History)
CC List:	6 users (show)
Fixed In Version:	pki-core-9.0.3-35.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1024445
Environment:
Last Closed:	2014-10-14 07:36:37 UTC

Attachments	(Terms of Use)
patch to fix (19.03 KB, patch) 2013-10-31 17:10 UTC, Ade Lee	no flags	Details \| Diff
Patch to create admin cert with SHA256 (used in build) (8.10 KB, patch) 2014-06-21 03:55 UTC, Matthew Harmsen	no flags	Details \| Diff
Patch to create admin cert with SHA256 (spec file used in build) (48.32 KB, text/plain) 2014-06-21 03:56 UTC, Matthew Harmsen	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1549	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2014-10-14 01:21:26 UTC

Comment 2 Ade Lee 2013-10-31 17:10:39 UTC

Created attachment 818000 [details]
patch to fix

This is the patch to fix this issue.  We will wait till the bug has been acked to apply it.

Comment 4 Matthew Harmsen 2014-06-21 03:55:55 UTC

Created attachment 910967 [details]
Patch to create admin cert with SHA256 (used in build)

This patch contains just the code changes present in the previous patch with the following exception:

In 'base/ca/shared/conf/CS.cfg.in', the following was changed from:

ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,M
D5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512with
EC

to:
ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,M
D5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512with
EC

Basically, the double '==' was replaced by a single '=', as I was concerned that this may be viewed as a part of the value string ('=SHA256withRSA' rather than 'SHA256withRSA').

Comment 5 Matthew Harmsen 2014-06-21 03:56:58 UTC

Created attachment 910968 [details]
Patch to create admin cert with SHA256 (spec file used in build)

Comment 6 Kaleem 2014-07-31 16:09:43 UTC

Verified

pki and ipa version
===================
[root@rhel66-master ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-36.el6.noarch
ipa-server-3.0.0-42.el6.x86_64
[root@rhel66-master ~]# 

Snip from beaker automation 
===========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Uninstall for next test
:: [   PASS   ] :: Uninstalling ipa server for next test (Expected 0, got 0)
:: [   PASS   ] :: Making sure that /etc/sssd/sssd.conf does not exist. BZ 819982 (Expected 2, got 2)
:: [   PASS   ] :: Installing IPA Server (Expected 0, got 0)
:: [   PASS   ] :: File '/etc/pki-ca/CS.cfg' should contain 'ca.signing.defaultSigningAlgorithm=SHA256withRSA' 
:: [   PASS   ] :: Running 'certutil -L -d /etc/pki/nssdb/ -n "ipa-ca-agent" > /tmp/bz1024462_output.xt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1024462_output.xt' should contain 'Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption' 
:: [   PASS   ] :: IPA admin cert is created with SHA256withRSA signing algo 
:: [   PASS   ] :: Running 'certutil -D -d /etc/pki/nssdb/ -n "ipa-ca-agent"' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 10m 33s
:: [   LOG    ] :: Assertions: 8 good, 0 bad
:: [   PASS   ] :: RESULT: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256

Comment 8 errata-xmlrpc 2014-10-14 07:36:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1549.html

Note You need to log in before you can comment on or make changes to this bug.