Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1444432 - CA-less pkinit not installable with --pkinit-cert-file option
CA-less pkinit not installable with --pkinit-cert-file option
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Michal Reznik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-21 06:26 EDT by Petr Vobornik
Modified: 2017-08-01 05:48 EDT (History)
5 users (show)

See Also:
Fixed In Version: ipa-4.5.0-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 05:48:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
bz1444432 (9.19 KB, text/plain)
2017-06-07 08:29 EDT, Michal Reznik
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 08:41:35 EDT

  None (edit)
Description Petr Vobornik 2017-04-21 06:26:19 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6869

When installing PKINIT cert in CA-less installation and using the `--pkinit-cert-file` option, the installation always fails.

The reason the installation fails is that we require full chain in the `.p12` file that's fed to the above option. The file gets correctly exported to a PEM bundle in '/var/kerberos/krb5kdc/kdc.crt' but it will contain multiple certificates. OpenSSL does not know how to deal with this, it assumes there's only one certificate in the PEM file. If the first certificate is a CA cert, that will cause the installation to crash as it will be unable to test anonymous pkinit.

Indeed, `kinit -n` gives:
```
...
[48537] 1492084647.997132: Preauth module pkinit (147) (info) returned: 0/Success
[48537] 1492084647.997365: PKINIT OpenSSL error: Failed to verify CMS message
[48537] 1492084647.997387: PKINIT OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[48537] 1492084647.997394: PKINIT OpenSSL error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[48537] 1492084647.997403: PKINIT OpenSSL error: error:2E09809E:CMS routines:CMS_SignerInfo_verify:verification failure
[48537] 1492084647.997427: PKINIT client could not verify DH reply
[48537] 1492084647.997437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: block type is not 01
kinit: Invalid signature while getting initial credentials
```
Comment 2 Petr Vobornik 2017-04-21 06:26:39 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/6869
Comment 6 Michal Reznik 2017-06-07 08:29:08 EDT
Verified on:

ipa-server-4.5.0-14.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

console logs attached...
Comment 7 Michal Reznik 2017-06-07 08:29 EDT
Created attachment 1285793 [details]
bz1444432
Comment 8 errata-xmlrpc 2017-08-01 05:48:56 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.