Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1378277 - Spurious host authority entries created
Spurious host authority entries created
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
7.3
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Fraser Tweedale
Asha Akkiangady
Marc Muehlfeld
: ZStream
Depends On:
Blocks: 1390322
  Show dependency treegraph
 
Reported: 2016-09-21 22:39 EDT by Fraser Tweedale
Modified: 2017-08-01 18:46 EDT (History)
6 users (show)

See Also:
Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
PKI Server now correctly compares subject DNs during startup Due to a bug in the routine that adds a Lightweight CA entry for the primary CA, PKI Server previously failed to compare subject distinguished names (DN) if it contained attributes using encodings other than "UTF8String". As a consequence, every time the primary CA started, an additional Lightweight CA entry was added. PKI Server now compares the subject DNs in canonical form. As a result, PKI server no longer adds additional Lightweight CA entries in the mentioned scenario.
Story Points: ---
Clone Of:
: 1390322 (view as bug list)
Environment:
Last Closed: 2017-08-01 18:46:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2110 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 15:36:59 EDT

  None (edit)
Description Fraser Tweedale 2016-09-21 22:39:12 EDT 
Description of problem:

CA startup creates an LWCA entry for host authority entry if it determines that one has not already been created. It determines if an LWCA entry corresponds to host CA but comparing DN from LDAP with DN from cert.

If DN from cert contains strings using PrintableString encoding, it will compare unequal to the DN from LDAP, which parses to UTF8String AVA values, resulting in addition of a suprious entry every time the server starts.


Version-Release number of selected component (if applicable):


How reproducible:

Always, if CA cert subject DN contains PrintableString encoded values.


Steps to Reproduce:
1. Install CA with externally-signed CA whose subject DN contains PrintableString-encoded values.
2. Restart CA.

Actual results: a new host authority entry is added to LDAP on every restart.


Expected results: CA startup properly matches the host authority LDAP entry
to the host authority, therefore does not add spurious entries.


Additional info:
Comment 3 Matthew Harmsen 2016-09-22 13:11:05 EDT 
Moving from rhel-7.3.0 ==> rhel-7.4.0.

Bug has been marked as RHEL 7.3 ZStream candidate.
Comment 4 Matthew Harmsen 2016-09-26 12:17:59 EDT 
On September 23, 2016, ftweedal checked-in the following:
* master (9043a08bef3723ca218ad7e5dd82be61166b5a1d)
* DOGTAG_10_3_BRANCH (84606cc69390187b7f0f11fff41a372fd96f8f93)
Comment 9 Geetika Kapoor 2017-06-23 18:02:13 EDT 
rpm -qa pki-ca
pki-ca-10.4.1-10.el7.noarch

Refer https://bugzilla.redhat.com/show_bug.cgi?id=1390322 for more details
Test case 1:
[root@pki1 ~]# curl -k https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27443/ca/rest/authorities
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><collection xmlns:ns2="http://www.w3.org/2005/Atom"><authority isHostAuthority="true" id="99c4df4e-4646-46c1-9934-0d7afb9d080b" issuerDN="CN=External CA,O=EXTERNAL" serial="4947" dn="CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor5,O=Example-Test-rhel-fips" enabled="true" description="Host authority" ready="true"/></collection>

Test Case 2:
   SEQUENCE {
 57   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 62  11:           PrintableString 'External CA'
       :           }
       :         }
       :       }
 75  30:     SEQUENCE {
 77  13:       UTCTime 23/06/2017 11:42:27 GMT
 92  13:       UTCTime 23/09/2017 11:42:27 GMT
       :       }
107 100:     SEQUENCE {
109  31:       SET {
111  29:         SEQUENCE {
113   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
118  22:           PrintableString 'Example-Test-rhel-fips'
       :           }
       :         }
142  32:       SET {
144  30:         SEQUENCE {
146   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
151  23:           PrintableString 'pki-ExternalCA-gkapoor5'
       :           }
       :         }
176  31:       SET {
178  29:         SEQUENCE {
180   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
185  22:           PrintableString 'CA Signing Certificate'
       :           }
       :         }
       :       }
Comment 12 errata-xmlrpc 2017-08-01 18:46:01 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.