Bug 1378275 - two-step externally-signed CA installation fails due to missing AuthorityID
Summary: two-step externally-signed CA installation fails due to missing AuthorityID
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 7.3
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Duplicates: 1378517
Depends On:
Blocks: 1390321
Reported: 2016-09-22 02:35 UTC by Fraser Tweedale
Modified: 2020-10-04 21:15 UTC
CC List: 6 users

Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
Certificate System does not start a Lightweight CA key replication during installation Previously, Certificate System incorrectly started a Lightweight CA key replication during a two-step installation. As a consequence, the installation failed and an error was displayed. With this update, the two-step installation does not start the Lightweight CA key replication and the installation completes successfully.
Clone Of:
Clones: 1390321
Environment:
Last Closed: 2017-08-01 22:46:01 UTC
Target Upstream Version:
Embargoed:
Links:
System | ID | Private | Priority | Status | Summary | Last Updated
Github dogtagpki pki issues | 2586 | 0 | None | None | None | 2020-10-04 21:15:01 UTC
Red Hat Product Errata | RHBA-2017:2110 | 0 | normal | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2017-08-01 19:36:59 UTC

Description Fraser Tweedale 2016-09-22 02:35:18 UTC
Description of problem:

During two-step installation of externally-signed CA, installation can fail because host authority's private key cannot be located (a temporary condition), causing LWCA key replication codepaths to fire, which throw a NullPointerException? because the host authority has not yet been assigned an AuthorityID. 


Version-Release number of selected component (if applicable):


How reproducible:

Always?


Steps to Reproduce:
1. install CA using two-step externally-signed process

Actual results:

Installation fails with following output:

======================
Log file: /var/log/pki/pki-ca-spawn.20160921163609.log
Loading deployment configuration from external-step2.cfg.
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed:
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.36 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><div class="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
...
</pre><p><b>root cause</b></p><pre>java.lang.NullPointerException
        java.util.TreeMap.getEntry(TreeMap.java:347)
        java.util.TreeMap.containsKey(TreeMap.java:232)
        java.util.Collections$SynchronizedMap.containsKey(Collections.java:2578)
        com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1572)
        com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:525)
        com.netscape.cmscore.apps.CMSEngine.reinit(CMSEngine.java:1344)
        com.netscape.certsrv.apps.CMS.reinit(CMS.java:191)
        com.netscape.cms.servlet.csadmin.ConfigurationUtils.reInitSubsystem(ConfigurationUtils.java:2299)
        org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:181)
        org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
...
</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.36 logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.36</h3></body></html>

Please check the CA logs in /var/log/pki/pki-tomcat/ca.
======================


Expected results:  installation succeeds


Additional info:

Comment 3 Matthew Harmsen 2016-09-22 17:10:45 UTC
Moving from rhel-7.3.0 ==> rhel-7.4.0.

Bug has been marked as RHEL 7.3 ZStream candidate.

Comment 4 Matthew Harmsen 2016-09-23 22:24:24 UTC
*** Bug 1378517 has been marked as a duplicate of this bug. ***

Comment 5 Matthew Harmsen 2016-09-26 16:19:41 UTC
On September 23, 2016, ftweedal checked-in the following:
* master (3ea93c9b4bc03f3d79550d8bdfd1447ffa25238d)
* DOGTAG_10_3_BRANCH (fca5fd053434d112998c814bc6d9424b6a5bac98)

Comment 10 Geetika Kapoor 2017-06-22 12:14:19 UTC
Hi Fraser, do you think this much testing is sufficient, or do I need to cover some other test case too?
Thanks

ExternalCA:

Using Another pki instance:
---------------------------

1. Csr is generated using step1 installation.

--         Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign


2. Sign the request using RootCA(pki).

Test steps:
-----------

2.1. pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
2.2. Approve it from CA Agent page.
2.3. Signed certificate Extensions: AKI for Externally signed certificate == SKI of Signing CA
SKI for Externally signed CA should be new and unique.


            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
                        88:4D:23:18
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        3B:EB:A1:26:93:ED:D6:81:16:68:BB:AC:15:15:88:9A:
                        97:EA:B4:87
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp



2.4. Signing CA certificate Extensions: Since this is RootCA, its SKI == AKI


            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
                        88:4D:23:18
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
                        88:4D:23:18
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp

3. Perform the last step where we need to do External CA installation.
pkispawn -f ca_2.cfg -s CA -vvv


This should give a successful installation.

4. Stop the ExternalCA process. Change the cipher and restart.
5. Make sure you are able to sign the certificate.

==========================================================================================================================================


ExternalCA with nssdb:

SECret.123
SECret.456


1. Self signed ExternalCA certificate of nssdb(external.crt) with no SKI:

Usage of SKI is optional in case of self signed certificate.

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign


2. Ca signing certificate signed by the External.crt

        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://pki1.example.com:8080/ca/ocsp

            X509v3 Subject Key Identifier: 
                9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:43:F3:12:8F
            X509v3 Authority Key Identifier: 
                0.
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign


3. Proceed with step 2 installation.

User Signed certificate extension
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:
                        43:F3:12:8F
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Access Description: 
                        Method #0: ocsp
                        Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27080/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key Encipherment 
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no 
                    Extended Key Usage: 
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4

==================================================================================================================================
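The checks Geetika performs by eye above (the externally signed CA's AKI must equal the signing CA's SKI, its own SKI must be a new value, and a self-signed root's SKI equals its AKI) can be automated. The following is an added example written for this page, not code from the bug report or from pki-core; it assumes the Python `cryptography` library is installed and builds its own constructed certificates in memory, with made-up names and validity periods. It also covers the nssdb case from the second test, where the self-signed `external.crt` carries no SKI: rather than emitting an AKI without a keyIdentifier (which openssl renders as `0.` in the output above), the issuer falls back to the RFC 5280 section 4.2.1.2 method-1 identifier, the SHA-1 hash of the issuer's public key, and the verifier computes the same fallback when comparing.

```python
# Added example: SKI/AKI linkage checks for a two-step externally signed CA.
# Not part of the bug report or of pki-core; requires the `cryptography` package.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Key usage matching the CA signing certificates shown in the test output.
CA_KEY_USAGE = x509.KeyUsage(
    digital_signature=True, content_commitment=True, key_encipherment=False,
    data_encipherment=False, key_agreement=False, key_cert_sign=True,
    crl_sign=True, encipher_only=False, decipher_only=False,
)


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=3650)


def make_root(common_name, with_ski=True):
    """Constructed self-signed CA. with_ski=False mimics the nssdb external.crt,
    which carried neither an SKI nor an AKI."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    nvb, nva = _validity()
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nvb).not_valid_after(nva)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(CA_KEY_USAGE, critical=True)
    )
    if with_ski:
        # Self-signed root: SKI and AKI both derive from the same key, so they match.
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False
        ).add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()), critical=False
        )
    return key, builder.sign(key, hashes.SHA256())


def issuer_key_id(issuer_cert):
    """keyIdentifier by which the issuer should be referenced: its SKI when present,
    otherwise the RFC 5280 4.2.1.2 method-1 SHA-1 hash of its public key."""
    try:
        return issuer_cert.extensions.get_extension_for_class(
            x509.SubjectKeyIdentifier).value.digest
    except x509.ExtensionNotFound:
        return x509.SubjectKeyIdentifier.from_public_key(issuer_cert.public_key()).digest


def issue_subordinate_ca(issuer_cert, issuer_key, common_name):
    """Sign a CA certificate as the external signer does in step 2: a fresh SKI for
    the new key and an AKI that always carries a keyIdentifier for the issuer."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nvb, nva = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nvb).not_valid_after(nva)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(CA_KEY_USAGE, critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier(
            key_identifier=issuer_key_id(issuer_cert),
            authority_cert_issuer=None, authority_cert_serial_number=None), critical=False)
        .sign(issuer_key, hashes.SHA256())
    )
    return key, cert


def verify_key_identifier_chain(child, issuer):
    """Return (ok, reason). Pass the same certificate twice to check a self-signed root."""
    try:
        aki = child.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
        ski = child.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    except x509.ExtensionNotFound as e:
        return False, f"missing extension: {e}"
    if aki.key_identifier is None:
        # An AKI SEQUENCE with no keyIdentifier: validators cannot locate the issuer key.
        return False, "AKI carries no keyIdentifier"
    expected = issuer_key_id(issuer)
    if aki.key_identifier != expected:
        return False, f"AKI {aki.key_identifier.hex(':')} != issuer key id {expected.hex(':')}"
    self_signed = child == issuer
    if self_signed and ski.digest != aki.key_identifier:
        return False, "self-signed root: SKI must equal AKI"
    if not self_signed and ski.digest == aki.key_identifier:
        return False, "child SKI equals its AKI, so it is not a separately keyed CA"
    return True, "AKI matches issuer key identifier; SKI is consistent"
```

Run `verify_key_identifier_chain(signing_cert, root_cert)` on the two certificates printed in steps 2.3 and 2.4 (loaded with `x509.load_pem_x509_certificate`) to reproduce the comparison mechanically; the `reason` string names which of the three conditions failed.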

Comment 11 Fraser Tweedale 2017-06-22 23:36:33 UTC
Any two-step externally-signed CA installation is sufficient to
trigger the bug, so the above is sufficient.

Comment 12 Geetika Kapoor 2017-06-23 16:45:40 UTC
Moving bug to verified

Comment 15 errata-xmlrpc 2017-08-01 22:46:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

