Bug 1221295 - jss fails to decode EncryptedKey >> EnvelopedData
Summary: jss fails to decode EncryptedKey >> EnvelopedData
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.3
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-13 15:54 UTC by Joshua Roys
Modified: 2016-11-04 05:38 UTC

Fixed In Version: jss-4.2.6-41.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:38:15 UTC
Target Upstream Version:
Embargoed:


Attachments
fix EncryptedKey decode/encode (1.37 KB, patch), 2015-05-13 16:16 UTC, Joshua Roys


Links
Red Hat Product Errata RHBA-2016:2403 (priority normal, status SHIPPED_LIVE): jss bug fix update, last updated 2016-11-03 13:56:09 UTC

Description Joshua Roys 2015-05-13 15:54:36 UTC
Description of problem:
Attempting to use the new EnvelopedData rather than the deprecated EncryptedValue of the PKIArchiveOptions.EncryptedKey structure fails to decode through JSS.

Version-Release number of selected component (if applicable):
jss-4.2.6-24.el6

How reproducible:
Send a CMC/CRMF blob containing a cert request and a PKIArchiveOptions control using the EnvelopedData field.

Actual results:
The request fails with an InvalidBERException; toStringNested() gives:
EXPLICIT >> EncryptedKey >> Implicit tag on ANY

Expected results:
Successful request parsing.

Additional info:
Examining jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ANY.java shows that all attempts to call decode(Tag implicitTag, InputStream istream) immediately throw an exception.
Modifying EncryptedKey.Template to wrap the second addElement's contents in an EXPLICIT.Template allows the functionality to work as expected. The decode() code also needed to be modified accordingly (cast to EXPLICIT rather than ANY, etc). This also matches every other occurrence of a new Tag followed by an ANY.getTemplate() in jss' decoding code.
I think the encode() methods will also need some work.
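
The failure described in this report, as an added Python illustration (not JSS or Dogtag code): an ASN.1 ANY keeps only the element's own identifier octet, so it can be decoded under an EXPLICIT [0] wrapper but not under an IMPLICIT [0] tag, which has overwritten that octet. The byte strings are constructed stand-ins, not a real CRMF or CMS structure.

```python
# Added example (not JSS or Dogtag code): why an ASN.1 ANY placeholder can be
# decoded under an EXPLICIT [0] tag but not under an IMPLICIT [0] tag, which is
# the root of the "EncryptedKey >> Implicit tag on ANY" failure reported above.
# The sample bytes are constructed here and are not a real CRMF/CMS structure.

def read_tlv(buf, pos=0):
    """Parse one BER/DER TLV with a single-byte tag.
    Returns (tag_class, constructed, tag_number, value, next_pos)."""
    first = buf[pos]
    tag_class, constructed, tag_number = first >> 6, bool(first & 0x20), first & 0x1F
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag_class, constructed, tag_number, buf[pos:pos + length], pos + length

def decode_any(buf, implicit_tag=None):
    """Mimic JSS ANY.Template: ANY keeps the element's own identifier octet,
    so it can only be decoded when no implicit tag has overwritten it."""
    if implicit_tag is not None:
        # JSS ANY.decode(Tag implicitTag, InputStream) throws unconditionally:
        # the original tag is gone, so the element type cannot be recovered.
        raise ValueError("Implicit tag on ANY")
    tag_class, constructed, tag_number, value, _ = read_tlv(buf)
    return {"class": tag_class, "constructed": constructed, "tag": tag_number, "value": value}

def decode_explicit(buf, expected_tag):
    """Mimic EXPLICIT.Template over ANY.getTemplate(): strip the [n] wrapper, decode the inner element."""
    tag_class, constructed, tag_number, inner, _ = read_tlv(buf)
    if tag_class != 2 or not constructed or tag_number != expected_tag:
        raise ValueError("expected EXPLICIT [%d]" % expected_tag)
    return decode_any(inner)

def implicit_any_error(buf):
    """Return the error message a JSS-style ANY produces for an implicitly tagged element."""
    try:
        decode_any(buf, implicit_tag=0)
    except ValueError as err:
        return str(err)
    return None

# Constructed stand-in for an EnvelopedData SEQUENCE: SEQUENCE { INTEGER 0 }
INNER_SEQUENCE = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
# [0] EXPLICIT: the SEQUENCE is wrapped whole, so its 0x30 tag survives
EXPLICIT_0 = bytes([0xA0, len(INNER_SEQUENCE)]) + INNER_SEQUENCE
# [0] IMPLICIT: the SEQUENCE's own 0x30 tag is replaced by 0xA0
IMPLICIT_0 = bytes([0xA0]) + INNER_SEQUENCE[1:]
```

The EXPLICIT path recovers the inner SEQUENCE (universal tag 16) intact, while the IMPLICIT bytes no longer carry the information a generic ANY template would need, which is why the patch wraps the ANY in an EXPLICIT.Template.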

Comment 2 Joshua Roys 2015-05-13 16:16:35 UTC
Created attachment 1025119
fix EncryptedKey decode/encode

This patch allows an EncryptedKey containing EnvelopedData to make it through Dogtag and to the KRA.

Comment 3 Matthew Harmsen 2015-06-08 18:33:00 UTC
Per CS/DS meeting of 06/08/2015: Moved this bug to target RHEL 7.3

Comment 5 Matthew Harmsen 2016-01-07 02:18:57 UTC
Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium

Comment 6 Christina Fu 2016-06-24 21:55:55 UTC
Patch looks good.

This patch is actually the answer to the "need investigation in JSS" item I mentioned in:
https://bugzilla.redhat.com/show_bug.cgi?id=233394#c10
I did a JSS hack back then without investing much time in there.

I have tested the patch with the following:
1. the old Firefox which generates CRMF with the deprecated EncryptedValue (making sure it doesn't break)
2. use the CRMFOptClient tool (requires minor fix to work with newest src tree) I wrote back in https://bugzilla.redhat.com/show_bug.cgi?id=233394#c20 to generate CRMF request with new envelopedData

Both work. The KRA code added to support the new envelopedData in https://bugzilla.redhat.com/show_bug.cgi?id=233394 works without the need for change.

Should consider folding the new client code into CRMFPopClient and the cli.

Comment 7 Fedora Update System 2016-06-30 23:38:19 UTC
jss-4.2.6-41.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-113d8c06f5

Comment 9 Fedora Update System 2016-07-02 20:30:41 UTC
jss-4.2.6-41.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-113d8c06f5

Comment 10 Fedora Update System 2016-07-10 05:56:33 UTC
jss-4.2.6-41.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Roshni 2016-08-15 15:32:26 UTC
[root@auto-hv-02-guest02 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 5.el7
Architecture: noarch
Install Date: Sun 14 Aug 2016 05:08:03 PM EDT
Group       : System Environment/Daemons
Size        : 2430595
License     : GPLv2
Signature   : RSA/SHA256, Thu 11 Aug 2016 02:01:10 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pki-core-10.3.3-5.el7.src.rpm
Build Date  : Tue 09 Aug 2016 07:47:56 AM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

[root@auto-hv-02-guest02 ~]# rpm -qi jss
Name        : jss
Version     : 4.2.6
Release     : 42.el7
Architecture: x86_64
Install Date: Sun 14 Aug 2016 05:07:57 PM EDT
Group       : System Environment/Libraries
Size        : 986570
License     : MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : RSA/SHA256, Wed 10 Aug 2016 06:59:28 AM EDT, Key ID 938a80caf21541eb
Source RPM  : jss-4.2.6-42.el7.src.rpm
Build Date  : Tue 09 Aug 2016 05:46:57 PM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.mozilla.org/projects/security/pki/jss/
Summary     : Java Security Services (JSS)

Verification steps:

1. [root@auto-hv-02-guest02 ~]# CRMFPopClient -d certsdb -p redhat  -o certsdb/encyption_cert_request.pem  -n "CN=Foo User6,OU=Foo_Example_IT,O=FooBar.Org,ST=North Carolina,L=Raleigh,C=US" -a rsa -l 2048 -u FooUser6 -r FooUser6 -b /root/kra-transport.txt 
Storing CRMF requrest into certsdb/encyption_cert_request.pem

[root@auto-hv-02-guest02 ~]# cat certsdb/encyption_cert_request.pem
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----

2. [root@auto-hv-02-guest02 ~]# pki -d certsdb  -c redhat -n "PKI CA Administrator for Example.Org" -h localhost  -p 8080 cert-request-submit caDualCert.xml

-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 13
  Type: enrollment
  Request Status: pending
  Operation Result: success

3. Approved the request from the CA agent page.

4. The certificate was generated and verified the Key has been archived in KRA.

Christina,

Is the above sufficient to mark this bug verified? Do I have to test the key generation using Firefox? If so, which version of Firefox should I test it with?

Comment 12 Christina Fu 2016-08-15 17:56:24 UTC
As long as the key is verified to be archived, then it's good.
For the record, the "old firefox" I mentioned to have tested with in comment#6 is firefox-34.0.5

Comment 14 errata-xmlrpc 2016-11-04 05:38:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2403.html

