Bug 1499054 – CA cert without Subject Key Identifier causes issuance failure

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1499054 - CA cert without Subject Key Identifier causes issuance failure

Summary:	CA cert without Subject Key Identifier causes issuance failure

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	All Linux

Priority	urgent Severity urgent
Target Milestone:	rc
Target Release:	---
Assigned To:	Fraser Tweedale
QA Contact:	Asha Akkiangady
Docs Contact:	Marc Muehlfeld

URL:
Whiteboard:
Keywords:	Regression, ZStream

Depends On:
Blocks:	1502527
	Show dependency tree / graph

Reported:	2017-10-05 20:07 EDT by Fraser Tweedale
Modified:	2018-04-10 13:02 EDT (History)
CC List:	10 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	CA certificates without SKI extension no longer causes issuance failures A previous update of Certificate System incorrectly removed a fallback procedure, which generated the Issuer Key Identifier. Consequently, the Certificate Authority (CA) failed to issue certificates if the CA signing certificate does not have the Subject Key Identifier (SKI) extension set. With this update, the missing procedure has been added again. As a result, issuing certificates no longer fails if the CA signing certificate does not contain the SKI extension.
Story Points:	---
Clone Of:
Clones:	1502527 (view as bug list)
Environment:
Last Closed:	2018-04-10 13:01:25 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Installation failure log file. (34.34 KB, text/plain) 2017-11-15 03:45 EST, Amol K	no flags	Details
Certs in pki-tomcat directory (2.84 KB, application/octet-stream) 2017-11-15 03:46 EST, Amol K	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0925	None	None	None	2018-04-10 13:02 EDT

Groups: None (edit)

Description Fraser Tweedale 2017-10-05 20:07:37 EDT

Description of problem:

If the CA signing cert does not have the Subject Key Identifier extension, issuance
of certificates fails. Although such a CA certificate is not compliant with RFC 5280,
this does happen in the wild, and we previously handled this case by computing the
SHA-1 digest of the signing key as a last resort. This behaviour was broken
in upstream commit 3c43b1119ca978c296a38a9fe404e1c0cdcdab63.

Version-Release number of selected component (if applicable):

The regression was introduced in pki-core-10.4.1-5 (pki-core-snapshot-1.patch)


How reproducible: always


Steps to Reproduce:
1. install PKI with externally signed CA cert.
2. try and sign a certificate with a profile that uses AuthorityKeyIdentifierExtDefault

Actual results:

Issuance fails with error ``Could not instantiate AuthorityKeyIdentifier extension''


Expected results: Issuance succeeds.


Additional info:

Comment 2 Fraser Tweedale 2017-10-06 01:52:06 EDT

How to test:

- Install externally-signed CA with a missing Subject Key ID extension
- Attempt to issue a cert using any profile that uses the `AuthorityKeyIdentifierExtDefault` profile component (which should be most/all of em!)
- if issuance succeeds, fix is verified.


Upstream Gerrit review: https://review.gerrithub.io/#/c/381619/

Comment 4 Fraser Tweedale 2017-10-15 19:30:21 EDT

Fixed upstream: 8ec0cbd1bef372ed50e19f6c5b6332b75209beb0.

Comment 14 Amol K 2017-11-15 03:43:24 EST

Hi Fraser,

I'm trying to verify this bug, for the verification of the bug I followed [1] documentation. 

But while installing I'm getting certificate validation error (I attached log file).

What I observe that it add the certificate in /var/lib/pki/pki-tomcat/alias and it have SKI extension (Which verifies the Bugzilla) (attached p12 file) but it is failed to validate the certificate.

Am I following the correct steps to verify this bug?

pki-version : 10.4.1-16.el7_4


[1]http://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate

Comment 15 Amol K 2017-11-15 03:45 EST

Created attachment 1352443 [details]
Installation failure log file.

Comment 16 Amol K 2017-11-15 03:46 EST

Created attachment 1352444 [details]
Certs in pki-tomcat directory

Comment 17 Amol K 2017-11-15 05:35:08 EST

Hi Fraser,

(In reply to Amol K from comment #14)
> Hi Fraser,
> 
> I'm trying to verify this bug, for the verification of the bug I followed
> [1] documentation. 
> 
> But while installing I'm getting certificate validation error (I attached
> log file).
> 
> What I observe that it add the certificate in /var/lib/pki/pki-tomcat/alias
> and it have SKI extension (Which verifies the Bugzilla) (attached p12 file)
> but it is failed to validate the certificate.
> 
> Am I following the correct steps to verify this bug?
> 
> pki-version : 10.4.1-16.el7_4
> 
> 
> [1]http://pki.fedoraproject.org/wiki/
> Installing_CA_with_External_CA_Signing_Certificate

When I was trying above steps I forget to provide the CA certificate/chain that's why this issue occurred.

After providing the CA certificate, installation is successful.

I'm able to see the SKI extension in Signing certificate.

```
     Name: Certificate Subject Key ID
     Data:
         54:72:85:a1:2d:3d:3f:f0:80:0b:4a:1b:6b:97:0b:e8:
         67:f0:6c:43
```

Verifying this bug.

pki-version : 10.4.1-16.el7_4

Comment 19 Amol K 2017-11-20 04:05:53 EST

I tested this bug on RHEL 7.5

I am able to see the SKI extension in Signing Certificate.

```
        Name: Certificate Subject Key ID
        Data:
            aa:43:c8:c1:e6:56:0e:0f:31:3d:69:30:03:cc:f8:d4:
            f0:49:a8:86
```

Verifying this bug.

pki-version : 10.5.1-1.el7

Comment 20 Geetika Kapoor 2017-12-18 05:22:45 EST

Hi Fraser,

Do you for above scenario, ipa external ca is a quick testing.

Use a Different CA to sign the IPA CA certificate
--(Here we can use any nssdb or another dogtag CA)to get certificate sign.

# ipa-server-install --external-ca
This will generate a CSR in /root/ipa.csr. This is the file you need to provide to your CA for signing. You will also need to obtain a PEM copy of your CA trust chain.

Once you have both of these you can continue the installer:

# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/existing_ca.crt


If this case is passed we are good to go for this bugzilla automation/testing.

Thanks
Geetika

Comment 21 Fraser Tweedale 2018-01-02 23:59:25 EST

Geetika, I don't think we can automate this in a FreeIPA context because
FreeIPA adds some of its own sanity checks when installing/updating
the CA signing certificate.

The absolute simplest way to test this, in a way that will be
forward-compatible with sanity check we may eventually implement
in Dogtag, would be:

1. install Dogtag with external CA.  The signed certificate should have
   SKI extension.

2. re-issue the signing certificate *without* SKI extension

3. shut down Dogtag

4. install the new signing certificate in Dogtag's NSSDB

5. restart Dogtag.

6. check that signing still works, even though the signing certificate
   does not have SKI extension.

HTH,
Fraser

Comment 25 errata-xmlrpc 2018-04-10 13:01:25 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

Note You need to log in before you can comment on or make changes to this bug.