Bug 1378277 - Spurious host authority entries created
Summary: Spurious host authority entries created
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On:
Blocks: 1390322
Reported: 2016-09-22 02:39 UTC by Fraser Tweedale
Modified: 2020-10-04 21:15 UTC (History)

Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
PKI Server now correctly compares subject DNs during startup

Due to a bug in the routine that adds a Lightweight CA entry for the primary CA, PKI Server previously failed to compare subject distinguished names (DN) if they contained attributes using encodings other than "UTF8String". As a consequence, every time the primary CA started, an additional Lightweight CA entry was added. PKI Server now compares the subject DNs in canonical form. As a result, PKI Server no longer adds additional Lightweight CA entries in the mentioned scenario.
Clone Of:
: 1390322 (view as bug list)
Last Closed: 2017-08-01 22:46:01 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2595 0 None None None 2020-10-04 21:15:10 UTC
Red Hat Product Errata RHBA-2017:2110 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Description Fraser Tweedale 2016-09-22 02:39:12 UTC
Description of problem:

CA startup creates an LWCA entry for the host authority if it determines that one has not already been created. It determines whether an LWCA entry corresponds to the host CA by comparing the DN from LDAP with the DN from the cert.

If the DN from the cert contains strings using PrintableString encoding, it will compare unequal to the DN from LDAP, which parses to UTF8String AVA values, resulting in the addition of a spurious entry every time the server starts.

Version-Release number of selected component (if applicable):

How reproducible:

Always, if CA cert subject DN contains PrintableString encoded values.

Steps to Reproduce:
1. Install CA with externally-signed CA whose subject DN contains PrintableString-encoded values.
2. Restart CA.

Actual results: a new host authority entry is added to LDAP on every restart.

Expected results: CA startup properly matches the host authority LDAP entry
to the host authority, therefore does not add spurious entries.

Additional info:
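
The mismatch described above, as an added example (not Dogtag's code, which is Java): the same subject DN is DER-encoded once with PrintableString and once with UTF8String, the two encodings differ byte for byte, and a canonical form compares equal. The helper names and the canonicalization (lower-casing and whitespace collapsing, a simplification of RFC 4518 string preparation) are assumptions; the DN is the one in the verification output later in this bug.

```python
# Added example: minimal DER handling for an X.501 Name, standard library only.
PRINTABLE, UTF8 = 0x13, 0x0C          # ASN.1 universal tags of the two string types
OIDS = {"CN": b"\x55\x04\x03", "OU": b"\x55\x04\x0b", "O": b"\x55\x04\x0a"}
NAMES = {v: k for k, v in OIDS.items()}

def tlv(tag, body):
    """Encode one DER TLV, using the long length form from 128 bytes up."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_name(rdns, string_tag):
    """Encode [(attr, value), ...] as SEQUENCE OF SET OF SEQUENCE {OID, string}."""
    sets = b""
    for attr, value in rdns:
        ava = tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(string_tag, value.encode("utf-8")))
        sets += tlv(0x31, ava)
    return tlv(0x30, sets)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def canonical(name_der):
    """Reduce a DER Name to [(attr, text)], ignoring the string type tag."""
    _, body, _ = read_tlv(name_der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)     # SET (one AVA per RDN assumed)
        _, ava, _ = read_tlv(rdn, 0)          # SEQUENCE {OID, string}
        _, oid, p = read_tlv(ava, 0)
        _, text, _ = read_tlv(ava, p)
        out.append((NAMES[oid], " ".join(text.decode("utf-8").split()).lower()))
    return out

# Constructed sample: the subject DN from this bug, in certificate (ASN.1) order.
SUBJECT = [("O", "Example-Test-rhel-fips"), ("OU", "pki-ExternalCA-gkapoor5"),
           ("CN", "CA Signing Certificate")]
from_cert = encode_name(SUBJECT, PRINTABLE)   # as issued by the external CA
from_ldap = encode_name(SUBJECT, UTF8)        # as rebuilt from the LDAP string form
```

Comparing `from_cert` with `from_ldap` directly reproduces the failed match; comparing `canonical(from_cert)` with `canonical(from_ldap)` does not.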

Comment 3 Matthew Harmsen 2016-09-22 17:11:05 UTC
Moving from rhel-7.3.0 ==> rhel-7.4.0.

Bug has been marked as RHEL 7.3 ZStream candidate.

Comment 4 Matthew Harmsen 2016-09-26 16:17:59 UTC
On September 23, 2016, ftweedal checked-in the following:
* master (9043a08bef3723ca218ad7e5dd82be61166b5a1d)
* DOGTAG_10_3_BRANCH (84606cc69390187b7f0f11fff41a372fd96f8f93)

Comment 9 Geetika Kapoor 2017-06-23 22:02:13 UTC
rpm -qa pki-ca

Refer to https://bugzilla.redhat.com/show_bug.cgi?id=1390322 for more details
Test case 1:
[root@pki1 ~]# curl -k https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27443/ca/rest/authorities
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><collection xmlns:ns2="http://www.w3.org/2005/Atom"><authority isHostAuthority="true" id="99c4df4e-4646-46c1-9934-0d7afb9d080b" issuerDN="CN=External CA,O=EXTERNAL" serial="4947" dn="CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor5,O=Example-Test-rhel-fips" enabled="true" description="Host authority" ready="true"/></collection>

Test Case 2:
 57   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 62  11:           PrintableString 'External CA'
       :           }
       :         }
       :       }
 75  30:     SEQUENCE {
 77  13:       UTCTime 23/06/2017 11:42:27 GMT
 92  13:       UTCTime 23/09/2017 11:42:27 GMT
       :       }
107 100:     SEQUENCE {
109  31:       SET {
111  29:         SEQUENCE {
113   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
118  22:           PrintableString 'Example-Test-rhel-fips'
       :           }
       :         }
142  32:       SET {
144  30:         SEQUENCE {
146   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
151  23:           PrintableString 'pki-ExternalCA-gkapoor5'
       :           }
       :         }
176  31:       SET {
178  29:         SEQUENCE {
180   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
185  22:           PrintableString 'CA Signing Certificate'
       :           }
       :         }
       :       }

Comment 12 errata-xmlrpc 2017-08-01 22:46:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

