Bug 1374877 - Installer generates PKCS #12 with duplicate CA signing certificates
Summary: Installer generates PKCS #12 with duplicate CA signing certificates
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-09 23:15 UTC by Endi Sukma Dewata
Modified: 2016-09-19 18:07 UTC (History)
CC List: 1 user

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-19 18:07:23 UTC
Target Upstream Version:
Embargoed:



Description Endi Sukma Dewata 2016-09-09 23:15:14 UTC
During CA installation on RHEL 6.8 the BackupKeyCertPanel will export the system certificates and the CA certificates (trust anchors) into a PKCS #12 file. However, since the CA signing certificate is considered both a system certificate and a trust anchor, it will be exported twice. The first copy will have a nickname, while the second copy will not have a nickname. Depending on how the PKCS #12 file is used, the duplicate certificates and the missing nickname may cause a problem.

Here's the relevant code in BackupKeyCertPanel.backupKeysCerts():

  // export system certificates with nicknames

  String certlist = cs.getString("preop.cert.list");
  StringTokenizer st = new StringTokenizer(certlist, ",");
  while (st.hasMoreTokens()) {
      String t = st.nextToken();                        // certificate tag, e.g. "signing"
      String nickname = cs.getString("preop.cert." + t + ".nickname");
      X509Certificate x509cert = cm.findCertByNickname(nickname);
      addCertBag(x509cert, nickname, safeContents);     // first copy of the CA signing cert, with nickname
  }

  // export CA certificates without nicknames

  X509Certificate[] cacerts = cm.getCACerts();          // trust anchors; the CA signing cert is in here too
  for (int i=0; i<cacerts.length; i++) {
      String nickname = null;
      addCertBag(cacerts[i], nickname, safeContents);   // second copy of the CA signing cert, no nickname
  }

The problem happens on RHEL 6.8 and possibly earlier RHEL 7.x. The problem does not happen on RHEL 7.3 since it uses a different code to export the certificates.

Steps to reproduce:
1. Install CA (or IPA). Make sure the backup option is enabled.
2. Inspect the content of the PKCS #12 file with this command:

  $ openssl pkcs12 -in cacert.p12 -passin file:password.txt

Actual results:

The CA certificate will appear twice:

  Bag Attributes
      localKeyID: ...
      friendlyName: caSigningCert cert-pki-ca
  subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
  issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority

  ...

  Bag Attributes: <No Attributes>
  subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
  issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority

Expected results:

Ideally the CA certificate should only appear once with the proper nickname.

Note that the PKCS12Export does not have this problem since it exports all certificates from the NSS database:

  X509Certificate[] certs = store.getCertificates();
  for (int i=0; i<certs.length; i++) {
      String nickname = certs[i].getNickname();
      PrivateKey prikey = null;
      try {
          prikey = cm.findPrivKeyByCert(certs[i]);
      } catch (ObjectNotFoundException e) {
          // no private key in the token for this certificate (e.g. a trust anchor)
      }
      if (prikey == null) { // certificate doesn't have a key, no nickname
          addCertBag(certs[i], null, safeContents);
      } else { // certificate has a key, include nickname
          addCertBag(certs[i], nickname, safeContents);
      }
  }

There are several options to address this issue:
1. Fix the code to generate a valid PKCS #12 file (i.e. no duplicate certificates).
2. Don't generate a PKCS #12 during install (i.e. no invalid PKCS #12 file).
3. Include documentation or a release note describing the problem, and possibly advising the users against using the PKCS #12 file generated during install.
4. Don't change anything, simply close this ticket as won't fix. This ticket will serve as a documentation.

As a workaround, the certificates can be exported correctly using PKCS12Export after installation.

Comment 3 Endi Sukma Dewata 2016-09-19 18:07:23 UTC
This bug will not be fixed in PKI. IPA will implement a workaround in bug #1371519 by re-exporting the certificates using PKCS12Export.
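
The check a practitioner would want to run on the installer-generated file before handing it to anything else, added here as an example; it is not code from the bug report or from Dogtag PKI. It parses the text that `openssl pkcs12 ... -nokeys` prints (the format shown in the description above), fingerprints every certificate bag by its DER bytes, reports each certificate that appears more than once together with which copies carry a friendlyName, and picks the copy to keep (the one with the nickname). The sample dump is constructed to mirror this bug: the PEM bodies are placeholder bytes rather than real certificates, and the EXAMPLE.TEST subject names are made up.

```python
"""Spot duplicate certificate bags in an 'openssl pkcs12' text dump.

Input is what this command prints (keys may be present; any PEM block
that is not a CERTIFICATE is ignored):

    openssl pkcs12 -in cacert.p12 -passin file:password.txt -nokeys

A bag is identified by the SHA-256 of its DER bytes, so the same
certificate exported twice (once with a friendlyName, once under
"Bag Attributes: <No Attributes>") shows up as one duplicate group.
"""
import base64
import hashlib
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# One PEM block: group 1 is the label, group 2 the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


@dataclass
class CertBag:
    subject: str
    friendly_name: Optional[str]   # PKCS #12 nickname; None for "<No Attributes>"
    local_key_id: Optional[str]
    fingerprint: str               # SHA-256 over the DER bytes


def parse_pkcs12_dump(text: str) -> List[CertBag]:
    """Pair each CERTIFICATE PEM block with the attribute lines printed above it."""
    bags = []
    pos = 0
    for m in PEM_RE.finditer(text):
        header, pos = text[pos:m.start()], m.end()
        if m.group(1) != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(m.group(2).split()))
        fn = re.search(r"^\s*friendlyName:\s*(.+?)\s*$", header, re.M)
        kid = re.search(r"^\s*localKeyID:\s*(.+?)\s*$", header, re.M)
        subj = re.search(r"^\s*subject=(.*)$", header, re.M)
        bags.append(CertBag(
            subject=subj.group(1).strip() if subj else "",
            friendly_name=fn.group(1) if fn else None,
            local_key_id=kid.group(1) if kid else None,
            fingerprint=hashlib.sha256(der).hexdigest(),
        ))
    return bags


def find_duplicates(bags: List[CertBag]) -> Dict[str, List[CertBag]]:
    """Group bags by fingerprint; keep only groups with more than one copy."""
    groups: Dict[str, List[CertBag]] = {}
    for b in bags:
        groups.setdefault(b.fingerprint, []).append(b)
    return {fp: g for fp, g in groups.items() if len(g) > 1}


def dedupe(bags: List[CertBag]) -> List[CertBag]:
    """One bag per certificate, preferring the copy that carries a nickname."""
    keep: Dict[str, CertBag] = {}
    for b in bags:
        cur = keep.get(b.fingerprint)
        if cur is None or (cur.friendly_name is None and b.friendly_name is not None):
            keep[b.fingerprint] = b
    return list(keep.values())


def report(text: str) -> List[str]:
    """Human-readable summary: bag count plus one line per duplicate group."""
    bags = parse_pkcs12_dump(text)
    lines = [f"{len(bags)} certificate bag(s) found"]
    for copies in find_duplicates(bags).values():
        names = [c.friendly_name or "<no nickname>" for c in copies]
        lines.append(f"DUPLICATE {copies[0].subject}: {len(copies)} copies, nicknames {names}")
    return lines


def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample shaped like the dump in the bug report. The PEM bodies are
# placeholder bytes, not real certificates; only the decoded bytes are compared.
CA_DER = b"placeholder DER: caSigningCert"
OCSP_DER = b"placeholder DER: ocspSigningCert"
SAMPLE_DUMP = (
    "Bag Attributes\n"
    "    localKeyID: 01 02 03\n"
    "    friendlyName: caSigningCert cert-pki-ca\n"
    "subject=/O=EXAMPLE.TEST/CN=Certificate Authority\n"
    "issuer=/O=EXAMPLE.TEST/CN=Certificate Authority\n"
    + _pem("CERTIFICATE", CA_DER)
    + "Bag Attributes\n"
    "    localKeyID: 04 05 06\n"
    "    friendlyName: ocspSigningCert cert-pki-ca\n"
    "subject=/O=EXAMPLE.TEST/CN=OCSP Subsystem\n"
    "issuer=/O=EXAMPLE.TEST/CN=Certificate Authority\n"
    + _pem("CERTIFICATE", OCSP_DER)
    # second copy of the CA signing cert, exported without a nickname
    + "Bag Attributes: <No Attributes>\n"
    "subject=/O=EXAMPLE.TEST/CN=Certificate Authority\n"
    "issuer=/O=EXAMPLE.TEST/CN=Certificate Authority\n"
    + _pem("CERTIFICATE", CA_DER)
)

if __name__ == "__main__":
    # python3 p12check.py dump.txt   (no argument: run against the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("\n".join(report(text)))
```

The subject line is taken verbatim after `subject=`, so both the OpenSSL 1.x form (`/O=.../CN=...`) shown in the report and the OpenSSL 3.x form (`O = ..., CN = ...`) are accepted. Matching on the DER fingerprint rather than on subject or nickname is deliberate: a re-issued CA certificate with the same subject is a different certificate and must not be collapsed.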

