Bug 1444432 - CA-less pkinit not installable with --pkinit-cert-file option
Summary: CA-less pkinit not installable with --pkinit-cert-file option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-21 10:26 UTC by Petr Vobornik
Modified: 2017-08-01 09:48 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:48:56 UTC
Target Upstream Version:

Attachments (Terms of Use)
bz1444432 (9.19 KB, text/plain)
2017-06-07 12:29 UTC, Michal Reznik 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-04-21 10:26:19 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6869

When installing PKINIT cert in CA-less installation and using the `--pkinit-cert-file` option, the installation always fails.

The reason the installation fails is that we require full chain in the `.p12` file that's fed to the above option. The file gets correctly exported to a PEM bundle in '/var/kerberos/krb5kdc/kdc.crt' but it will contain multiple certificates. OpenSSL does not know how to deal with this, it assumes there's only one certificate in the PEM file. If the first certificate is a CA cert, that will cause the installation to crash as it will be unable to test anonymous pkinit.

Indeed, `kinit -n` gives:
```
...
[48537] 1492084647.997132: Preauth module pkinit (147) (info) returned: 0/Success
[48537] 1492084647.997365: PKINIT OpenSSL error: Failed to verify CMS message
[48537] 1492084647.997387: PKINIT OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[48537] 1492084647.997394: PKINIT OpenSSL error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[48537] 1492084647.997403: PKINIT OpenSSL error: error:2E09809E:CMS routines:CMS_SignerInfo_verify:verification failure
[48537] 1492084647.997427: PKINIT client could not verify DH reply
[48537] 1492084647.997437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: block type is not 01
kinit: Invalid signature while getting initial credentials
```
Comment 2 Petr Vobornik 2017-04-21 10:26:39 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6869
Comment 6 Michal Reznik 2017-06-07 12:29:08 UTC 
Verified on:

ipa-server-4.5.0-14.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

console logs attached...
Comment 7 Michal Reznik 2017-06-07 12:29:43 UTC 
Created attachment 1285793 [details]
bz1444432
Comment 8 errata-xmlrpc 2017-08-01 09:48:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.