Bug 1390322 - Spurious host authority entries created
Summary: Spurious host authority entries created
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1378277
Blocks:
Reported: 2016-10-31 17:04 UTC by Tom Lavigne
Modified: 2016-12-06 17:05 UTC (History)

Fixed In Version: pki-core-10.3.3-12.el7_3
Doc Type: Bug Fix
Doc Text:
Previously, when the CA's Subject Distinguished Name contained values that used string encodings other than "UTF8String", the DN taken from the CA certificate always compared as unequal to the same DN parsed from its string form. This caused Certificate System to add a new LDAP authority entry for the main CA every time the CA was started. With this update, Certificate System compares the string representations of the Subject DNs instead of the "X500Name" values used previously, which fixes the underlying problem and prevents unneeded LDAP authority entries from being added on every startup.
Clone Of: 1378277
Environment:
Last Closed: 2016-12-06 17:05:18 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2016:2881 (priority normal, status SHIPPED_LIVE): pki-core bug fix update, last updated 2016-12-06 22:00:37 UTC

Description Tom Lavigne 2016-10-31 17:04:52 UTC
This bug has been copied from bug #1378277 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 5 Fraser Tweedale 2016-11-09 10:08:16 UTC
Steps to verify:

1) Install with externally-signed CA.  The CA subject DN MUST use an ASN.1
   string encoding other than UTF8String, e.g. PrintableString.

2) Restart the server multiple times.  Ensure that no new authority entries
   get added upon server restart.  i.e. ``GET /ca/rest/authorities`` must
   return a single authority object.

Comment 6 Geetika Kapoor 2016-11-10 14:11:53 UTC
Hello Fraser,

Could you please elaborate how this fix affects the functionality and how it affects end users so that we can test it better? Also, what are the test areas that we need to cover as part of sanity and regression?

Thanks
Geetika

Comment 7 Fraser Tweedale 2016-11-13 23:49:59 UTC
Hi Geetika,

The impact of this bug is that a new lightweight CA entry for the main CA (a.k.a. "host authority") gets added every time Dogtag starts.

The bug occurs when the Subject DN of the main CA's certificate does not use UTF8String encoding, e.g. PrintableString.  Therefore, to test/verify the fix
it is necessary to have an externally signed CA that creates a certificate
with, e.g. PrintableString encoding of Subject DN attribute values.

To confirm the fix, the only area you need to test is the lightweight CA API,
namely ``GET /ca/rest/authorities``.  There should be one entry for the
"host authority", even after restart.

Hope that helps.
Fraser

Comment 8 Geetika Kapoor 2016-11-14 16:59:34 UTC
Hello Fraser,

Do you think this much testing is fine or do I need to cover some more test cases?

UI :: 

<collection><authority isHostAuthority="true" id="b9156055-1cc1-4a08-8926-c4d2297b90f0" issuerDN="CN=External CA,O=EXTERNAL" serial="13112" dn="CN=CA Signing Certificate,OU=Test_ExternalCA1,O=EXAMPLE" enabled="true" description="Host authority" ready="true"/></collection>


Test Case 1: Without restart
=============================

curl --silent -v -k --header "Accept: application/x-pem-file" https://hostname:28142/ca/rest/authorities/b9156055-1cc1-4a08-8926-c4d2297b90f0/chain | openssl pkcs7 -text
* About to connect() to hostname port 28142 (#0)
*   Trying 10.8.60.26...
* Connected to hostname (10.8.60.26) port 28142 (#0)
* Initializing NSS with certpath: sql:/tmp/test
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=hostname,OU=Test_ExternalCA1,O=EXAMPLE
* 	start date: Nov 14 16:21:01 2016 GMT
* 	expire date: Feb 14 16:19:05 2017 GMT
* 	common name: hostname
* 	issuer: CN=CA Signing Certificate,OU=Test_ExternalCA1,O=EXAMPLE
> GET /ca/rest/authorities/b9156055-1cc1-4a08-8926-c4d2297b90f0/chain HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hostname:28142
> Accept: application/x-pem-file
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Expires: Wed, 31 Dec 1969 19:00:00 EST
< Content-Type: application/x-pem-file
< Content-Length: 2270
< Date: Mon, 14 Nov 2016 16:50:08 GMT
< 
{ [data not shown]
* Connection #0 to host hostname left intact



Test Case 2: After ExternalCA installation, we restarted the instance
=====================================================================

root@nocp30 externalCA # systemctl restart pki-tomcatd

root@nocp30 externalCA # curl --silent -v -k --header "Accept: application/x-pem-file" https://hostname:28142/ca/rest/authorities/b9156055-1cc1-4a08-8926-c4d2297b90f0/chain | openssl pkcs7 -text
* About to connect() to hostname port 28142 (#0)
*   Trying 10.8.60.26...
* Connected to hostname (10.8.60.26) port 28142 (#0)
* Initializing NSS with certpath: sql:/tmp/test
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=hostname,OU=Test_ExternalCA1,O=EXAMPLE
* 	start date: Nov 14 16:21:01 2016 GMT
* 	expire date: Feb 14 16:19:05 2017 GMT
* 	common name: hostname
* 	issuer: CN=CA Signing Certificate,OU=Test_ExternalCA1,O=EXAMPLE
> GET /ca/rest/authorities/b9156055-1cc1-4a08-8926-c4d2297b90f0/chain HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hostname:28142
> Accept: application/x-pem-file
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Expires: Wed, 31 Dec 1969 19:00:00 EST
< Content-Type: application/x-pem-file
< Content-Length: 2270
< Date: Mon, 14 Nov 2016 16:52:36 GMT
< 
{ [data not shown]
* Connection #0 to host hostname left intact


Test Case 3: Stop / start the instance.
======================================
curl --silent -v -k --header "Accept: application/x-pem-file" https://hostname:28142/ca/rest/authorities/b9156055-1cc1-4a08-8926-c4d2297b90f0/chain | openssl pkcs7 -text
* About to connect() to hostname port 28142 (#0)
*   Trying 10.8.60.26...
* Connected to hostname (10.8.60.26) port 28142 (#0)
* Initializing NSS with certpath: sql:/tmp/test
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=hostname,OU=Test_ExternalCA1,O=EXAMPLE
* 	start date: Nov 14 16:21:01 2016 GMT
* 	expire date: Feb 14 16:19:05 2017 GMT
* 	common name: hostname
* 	issuer: CN=CA Signing Certificate,OU=Test_ExternalCA1,O=EXAMPLE
> GET /ca/rest/authorities/b9156055-1cc1-4a08-8926-c4d2297b90f0/chain HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hostname:28142
> Accept: application/x-pem-file
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Expires: Wed, 31 Dec 1969 19:00:00 EST
< Content-Type: application/x-pem-file
< Content-Length: 2270
< Date: Mon, 14 Nov 2016 16:54:38 GMT
< 
{ [data not shown]
* Connection #0 to host hostname left intact

Comment 9 Endi Sukma Dewata 2016-11-14 19:46:11 UTC
Hi Geetika,

As Fraser mentioned in comment #5 and #7, could you verify that the subject DN of the externally-signed CA signing certificate is using PrintableString? For example:

$ AtoB ca_signing.pem ca_signing.der
$ dumpasn1 ca_signing.der
...
107  72:     SEQUENCE {
109  16:       SET {
111  14:         SEQUENCE {
113   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
118   7:           PrintableString 'EXAMPLE'
       :           }
       :         }
127  19:       SET {
129  17:         SEQUENCE {
131   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
136  10:           PrintableString 'pki-tomcat'
       :           }
       :         }
148  31:       SET {
150  29:         SEQUENCE {
152   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
157  22:           PrintableString 'CA Signing Certificate'
       :           }
       :         }
       :       }
...

Then run the following command:

$ curl -k https://<hostname>:<port>/ca/rest/authorities

and verify that it returns exactly one <authority> element, for example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<collection xmlns:ns2="http://www.w3.org/2005/Atom">
    <authority
        isHostAuthority="true"
        id="cce899e2-75e5-4a9b-9697-c97fc5d2e812"
        issuerDN="CN=External CA,O=EXTERNAL"
        serial="30955"
        dn="CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE"
        enabled="true"
        description="Host authority"
        ready="true"/>
</collection>

Then restart the server several times and verify that the above command always returns the same output.

Thanks.

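The Doc Text explains the root cause (X500Name values with different ASN.1 string encodings compare unequal) and comment 9 gives the verification check. As an added illustration that is not pki-core or Dogtag code, the following Python builds the Subject DN from comment 9 once with PrintableString and once with UTF8String values, shows that the encoded values differ while their string forms are equal (a modelled simplification of the original X500Name comparison), and counts host-authority entries in the XML that `GET /ca/rest/authorities` returns. The OID table, the DER helpers and the sample XML are constructed for this example.

```python
import xml.etree.ElementTree as ET

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C   # ASN.1 universal tags

def der(tag, body):
    assert len(body) < 128                    # short-form length suffices for these small DNs
    return bytes([tag, len(body)]) + body
def encode_oid(dotted):                       # all arcs < 128 for the attribute types used here
    arcs = [int(x) for x in dotted.split(".")]
    return der(0x06, bytes([40 * arcs[0] + arcs[1]] + arcs[2:]))

def encode_name(rdns, string_tag):
    """DER Name: SEQUENCE OF SET OF SEQUENCE { OID, string }, one AVA per RDN."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, encode_oid(oid) + der(string_tag, value.encode())))
        for oid, value in rdns))

def decode_name(data):
    """Parse a DER Name back into [(oid, string_tag, value), ...] in encoded order."""
    out, pos, end = [], 2, 2 + data[1]
    while pos < end:
        ava = pos + 4                         # skip the SET and SEQUENCE headers
        oid_len = data[ava + 1]
        oid_body = data[ava + 2:ava + 2 + oid_len]
        oid = "%d.%d" % divmod(oid_body[0], 40) + "".join(".%d" % b for b in oid_body[1:])
        s = ava + 2 + oid_len
        tag, val_len = data[s], data[s + 1]
        out.append((oid, tag, data[s + 2:s + 2 + val_len].decode("utf-8")))
        pos += 2 + data[pos + 1]              # advance to the next SET
    return out

def dn_string(data):
    """RFC 4514-style string, most specific RDN first, as in Dogtag's 'dn' attribute."""
    return ",".join("%s=%s" % (OID_NAMES.get(oid, oid), val)
                    for oid, _, val in reversed(decode_name(data)))

def count_host_authorities(xml_text):
    """Count <authority isHostAuthority="true"> entries in GET /ca/rest/authorities output."""
    return sum(1 for a in ET.fromstring(xml_text).iter("authority")
               if a.get("isHostAuthority") == "true")

# Constructed sample: the externally-signed CA certificate carries PrintableString values,
# while the same DN parsed back from its string form is re-encoded with UTF8String.
RDNS = [("2.5.4.10", "EXAMPLE"), ("2.5.4.11", "pki-tomcat"), ("2.5.4.3", "CA Signing Certificate")]
CERT_NAME = encode_name(RDNS, PRINTABLE_STRING)
PARSED_NAME = encode_name(RDNS, UTF8_STRING)
SAMPLE_XML = ('<collection xmlns:ns2="http://www.w3.org/2005/Atom"><authority isHostAuthority="true" '
              'id="cce899e2-75e5-4a9b-9697-c97fc5d2e812" dn="%s"/></collection>' % dn_string(CERT_NAME))
```

The encoded `CERT_NAME` is 72 bytes of Name content, matching the `SEQUENCE` size in the dumpasn1 output of comment 9; the two encodings differ byte-wise yet yield the same `dn_string`, and a verified server returns a count of exactly one.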
Comment 10 Geetika Kapoor 2016-11-15 07:10:36 UTC
Hi Endi,

Here is the ASN format. For OU I still see UTF8String; for the others it is PrintableString. That means any field in the Subject DN should be either PRINTABLESTRING or UTF8STRING. For nssdb it's all PRINTABLESTRING. For our Dogtag CA it is all PRINTABLESTRING except "OU".

Test case 1:
------------
For any third party CA like nssdb I could see the ASN format as:
=============================================================

openssl x509 -in external_chk.crt -subject  -nameopt multiline,show_type -noout -subject_hash
subject= 
    organizationName          = PRINTABLESTRING:EXTERNAL
    organizationalUnitName    = PRINTABLESTRING:Test
    commonName                = PRINTABLESTRING:External CA
8461cfb9

After signing ExternalCA, if I verify the ca_signing.crt I could see:
====================================================================

openssl x509 -in cert_ex -subject -nameopt multiline,show_type -noout -subject_hash 
subject= 
    organizationName          = PRINTABLESTRING:EXAMPLE
    organizationalUnitName    = UTF8STRING:Test_ExternalCA1
    commonName                = PRINTABLESTRING:CA Signing Certificate

Test Case 2: 
-------------
Add other optional subject dn fields in dogtag CA default.cfg and check the encoding pattern.

openssl x509 -in ca_signing.crt -subject -nameopt multiline,show_type -noout -subject_hash 
subject= 
    localityName              = PRINTABLESTRING:Pasadena
    stateOrProvinceName       = PRINTABLESTRING:Maryland
    countryName               = PRINTABLESTRING:US
    organizationName          = PRINTABLESTRING:EXAMPLE
    organizationalUnitName    = UTF8STRING:Test_ExternalCA2
    commonName                = PRINTABLESTRING:CA Signing Certificate



Test Case 3: Restart the pki instance and verify the output of curl.
------------

Before Restart
---------------
curl -k https://nocp30.idm.lab.eng.rdu2.redhat.com:31142/ca/rest/authorities
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><collection xmlns:ns2="http://www.w3.org/2005/Atom"><authority isHostAuthority="true" id="527feaf6-4ff4-496a-b469-4c99e5d4bc24" issuerDN="CN=External CA,O=EXTERNAL" serial="15938" dn="CN=CA Signing Certificate,OU=Test_ExternalCA3,O=EXAMPLE,C=US,ST=Maryland,L=Pasadena" enabled="true" description="Host authority" ready="true"/></collection>

After Restart
--------------

curl -k https://nocp30.idm.lab.eng.rdu2.redhat.com:31142/ca/rest/authorities
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><collection xmlns:ns2="http://www.w3.org/2005/Atom"><authority isHostAuthority="true" id="527feaf6-4ff4-496a-b469-4c99e5d4bc24" issuerDN="CN=External CA,O=EXTERNAL" serial="15938" dn="CN=CA Signing Certificate,OU=Test_ExternalCA3,O=EXAMPLE,C=US,ST=Maryland,L=Pasadena" enabled="true" description="Host authority" ready="true"/></collection>

Comment 11 Fraser Tweedale 2016-11-15 07:23:16 UTC
Geetika, LGTM.  It suffices for any Subject DN component of the Dogtag CA
to use an encoding other than UTF8String, and your test meets
that criterion.

Comment 12 Geetika Kapoor 2016-11-15 08:19:32 UTC
Marking this bug verified

Comment 14 errata-xmlrpc 2016-12-06 17:05:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2881.html

