Bug 1461533
| Summary: | Unable to find keys in the p12 file after deleting any of the subsystem certs from it | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Roshni <rpattath> |
| Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | lmiksik, mharmsen |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.4.1-10.el7 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 22:52:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Roshni
2017-06-14 17:32:00 UTC
http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_PKCS12_File cannot be tested because of this issue. More information:

```
[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Key ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: d878ba1b5cfb5bac41b4cda35d6d4bf90c4ae03
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: f352186fcb9855d639113e82576bc11816f462a8
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

  Key ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain

[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Certificate ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Serial Number: 0xb59aeb9
  Nickname: caSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: d878ba1b5cfb5bac41b4cda35d6d4bf90c4ae03
  Serial Number: 0xae25138
  Nickname: ocspSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Serial Number: 0x3a59faa
  Nickname: Server-Cert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: f352186fcb9855d639113e82576bc11816f462a8
  Serial Number: 0xa2b677
  Nickname: subsystemCert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Serial Number: 0x4e1a3bd
  Nickname: auditSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,Pu
  Has Key: true

[root@nightcrawler ~]# pki pkcs12-cert-del "ocspSigningCert cert-pki-tomcat-ca-rpattath CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
--------------------------------------------------------------------
Deleted certificate "ocspSigningCert cert-pki-tomcat-ca-rpattath CA"
--------------------------------------------------------------------

[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
0 entries found
---------------

[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
4 entries found
---------------
  Certificate ID: 84fc8b893166c5b1c019d64971df4364d5013bd9
  Serial Number: 0xb59aeb9
  Nickname: caSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: CTu,Cu,Cu
  Has Key: false

  Certificate ID: 2aa4295e5121c7aa81de66e1a410c9b3ea402953
  Serial Number: 0x3a59faa
  Nickname: Server-Cert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=cloud-qe-19.idmqe.lab.eng.bos.redhat.com,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: false

  Certificate ID: f352186fcb9855d639113e82576bc11816f462a8
  Serial Number: 0xa2b677
  Nickname: subsystemCert cert-pki-tomcat-ca-rpattath
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,u
  Has Key: false

  Certificate ID: 127254ff86be472a7fcbc0dcd6b5602b10f12dae
  Serial Number: 0x4e1a3bd
  Nickname: auditSigningCert cert-pki-tomcat-ca-rpattath CA
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat-ca-rpattath,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Trust Flags: u,u,Pu
  Has Key: false
```

Gerrit review for fix: https://review.gerrithub.io/365533

commit a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de
Author: Fraser Tweedale <ftweedal>
Date: Thu Jun 15 12:38:26 2017 +1000
Fix regression in pkcs12 key bag creation
Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
file handling to never deal with raw private key material.
PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
or fail. This change missed this case where a PKCS #12 file is
loaded from file, possibly modified, then written back to a file,
without involving an NSSDB. One example is pkcs12-cert-del which
deletes a certificate and associated key from a PKCS #12 file.
Fix the PKCS12Util.addKeyBag() method to use the stored
EncryptedPrivateKeyInfo if available, otherwise export the
PrivateKey handle.
Fixes: https://pagure.io/dogtagpki/issue/2741
Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
commit 887d70ce1b8c4a00f62c2b4eec24326e487da5bd
Author: Fraser Tweedale <ftweedal>
Date: Thu Jun 15 12:38:26 2017 +1000
Fix regression in pkcs12 key bag creation
Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
file handling to never deal with raw private key material.
PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
or fail. This change missed this case where a PKCS #12 file is
loaded from file, possibly modified, then written back to a file,
without involving an NSSDB. One example is pkcs12-cert-del which
deletes a certificate and associated key from a PKCS #12 file.
Fix the PKCS12Util.addKeyBag() method to use the stored
EncryptedPrivateKeyInfo if available, otherwise export the
PrivateKey handle.
Fixes: https://pagure.io/dogtagpki/issue/2741
Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
(cherry picked from commit a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de)
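The commit message above explains the failure mode: when a PKCS #12 file is loaded, edited and written back without an NSS database, the rewritten key bags were silently dropped, so every remaining certificate reported `Has Key: false` and `pkcs12-key-find` returned nothing. A practitioner who scripts `pkcs12-cert-del` wants a check that catches this class of regression rather than eyeballing the listing. The following is an added example, not code from the bug report or from the pki project: it parses the text that `pki pkcs12-cert-find` and `pki pkcs12-key-find` print (field names as shown in this report) and reports any certificate whose key vanished after a single deletion. The IDs, nicknames and DNs in the samples are constructed.

```python
"""Post-edit check for key loss after `pki pkcs12-cert-del`.

Added example, not part of the bug report or the pki project. It parses the
output layout of `pki pkcs12-cert-find` / `pki pkcs12-key-find` and reports
certificates whose private key disappeared even though only one certificate
was deliberately deleted. All sample data below is constructed.
"""
import re
from typing import Dict, List, Set

# "<Field Name>: <value>" lines; banner lines ("-----", "5 entries found")
# contain no colon and are skipped by the parser.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_records(output: str, id_field: str) -> List[Dict[str, str]]:
    """Split list output into records. A new record begins at each line whose
    field is `id_field` ("Certificate ID" or "Key ID")."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        field, value = m.group(1).strip(), m.group(2).strip()
        if field == id_field:
            current = {}
            records.append(current)
        if records:
            current[field] = value
    return records


def keyed_nicknames(cert_output: str) -> Set[str]:
    """Nicknames of certificates that report `Has Key: true`."""
    return {r["Nickname"] for r in parse_records(cert_output, "Certificate ID")
            if r.get("Has Key", "").lower() == "true"}


def lost_keys(before: str, after: str, deleted_nickname: str) -> List[str]:
    """Certificates that had a key before the delete and lack one after it,
    ignoring the one that was deliberately removed. An empty list means the
    remaining key bags survived the rewrite."""
    expected = keyed_nicknames(before) - {deleted_nickname}
    return sorted(expected - keyed_nicknames(after))


def keys_consistent(cert_output: str, key_output: str) -> bool:
    """Cross-check: the number of `Key ID` entries from pkcs12-key-find must
    equal the number of certificates reporting `Has Key: true`."""
    return len(parse_records(key_output, "Key ID")) == len(keyed_nicknames(cert_output))


# Constructed sample in the layout of `pki pkcs12-cert-find` (Serial Number,
# Subject DN, Issuer DN and Trust Flags omitted; the check ignores them).
BEFORE = """\
---------------
3 entries found
---------------
  Certificate ID: aaaa0001
  Nickname: caSigningCert sample CA
  Has Key: true

  Certificate ID: aaaa0002
  Nickname: ocspSigningCert sample CA
  Has Key: true

  Certificate ID: aaaa0003
  Nickname: Server-Cert sample
  Has Key: true
"""

# What the regression produced: the surviving certificates lost their keys.
AFTER_BROKEN = """\
---------------
2 entries found
---------------
  Certificate ID: aaaa0001
  Nickname: caSigningCert sample CA
  Has Key: false

  Certificate ID: aaaa0003
  Nickname: Server-Cert sample
  Has Key: false
"""

# Expected with the fix: only the deleted certificate's key is gone.
AFTER_FIXED = AFTER_BROKEN.replace("Has Key: false", "Has Key: true")

# Constructed `pki pkcs12-key-find` output that matches AFTER_FIXED.
KEYS_FIXED = """\
---------------
2 entries found
---------------
  Key ID: aaaa0001
  Subject DN: CN=CA Signing Certificate,O=sample
  Key ID: aaaa0003
  Subject DN: CN=server.sample,O=sample
"""

if __name__ == "__main__":
    deleted = "ocspSigningCert sample CA"
    print("regressed build lost keys for:", lost_keys(BEFORE, AFTER_BROKEN, deleted))
    print("fixed build lost keys for:", lost_keys(BEFORE, AFTER_FIXED, deleted))
    print("key list consistent with cert list:", keys_consistent(AFTER_FIXED, KEYS_FIXED))
```

In practice the two listings are captured from the real `pki` commands before and after the delete; `lost_keys` is the assertion worth wiring into a test, and `keys_consistent` catches the other symptom seen in this report, where the key listing and the `Has Key` column disagree with each other.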
```
[root@nightcrawler ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 10.el7
Architecture: noarch
Install Date: Fri 23 Jun 2017 02:53:39 PM EDT
Group       : System Environment/Daemons
Size        : 2308399
License     : GPLv2
Signature   : RSA/SHA256, Tue 20 Jun 2017 09:41:59 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-10.el7.src.rpm
Build Date  : Tue 20 Jun 2017 01:23:22 AM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

[root@nightcrawler ~]# pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Certificate ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-pki-rootca CA
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Serial Number: 0x1
  Nickname: caSigningCert cert-pki-rootca CA
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: efcbe0603aaea6242d9c22cfd72b0c0fb8fa0931
  Serial Number: 0x4
  Nickname: subsystemCert cert-pki-rootca
  Subject DN: CN=Subsystem Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 8059c2f1482305c2874866b6d994eb81157ecd2
  Serial Number: 0x3
  Nickname: Server-Cert cert-pki-rootca
  Subject DN: CN=kvm-02-guest13.rhts.eng.bos.redhat.com,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 17414509c7f1cb2f1c5cab21d39fd848eb08cdda
  Serial Number: 0x5
  Nickname: auditSigningCert cert-pki-rootca CA
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
  Trust Flags: u,u,Pu
  Has Key: true

[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Key ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: efcbe0603aaea6242d9c22cfd72b0c0fb8fa0931
  Subject DN: CN=Subsystem Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: 8059c2f1482305c2874866b6d994eb81157ecd2
  Subject DN: CN=kvm-02-guest13.rhts.eng.bos.redhat.com,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: 17414509c7f1cb2f1c5cab21d39fd848eb08cdda
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

[root@nightcrawler ~]# pki pkcs12-cert-del "Server-Cert cert-pki-rootca" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
-------------------------------------------------
Deleted certificate "Server-Cert cert-pki-rootca"
-------------------------------------------------

[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
4 entries found
---------------
  Key ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: efcbe0603aaea6242d9c22cfd72b0c0fb8fa0931
  Subject DN: CN=Subsystem Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: 17414509c7f1cb2f1c5cab21d39fd848eb08cdda
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

[root@nightcrawler ~]# pki pkcs12-cert-del "subsystemCert cert-pki-rootca" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------------------------------------------
Deleted certificate "subsystemCert cert-pki-rootca"
---------------------------------------------------

[root@nightcrawler ~]# pki pkcs12-cert-del "auditSigningCert cert-pki-rootca CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------------------------------------------------
Deleted certificate "auditSigningCert cert-pki-rootca CA"
---------------------------------------------------------

[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
2 entries found
---------------
  Key ID: abc0ba923b8775f146aacfa48da6db760fea3be7
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain

[root@nightcrawler ~]# pki pkcs12-cert-del "ocspSigningCert cert-pki-rootca CA" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
--------------------------------------------------------
Deleted certificate "ocspSigningCert cert-pki-rootca CA"
--------------------------------------------------------

[root@nightcrawler ~]# pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Key ID: d9b0e491f6e86818c64eb39b4a74ed8de8318b9a
  Subject DN: CN=CA Signing Certificate,OU=pki-rootca,O=pki-rootca-sec-domain
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110