Bug 1553068 - Using a Netmask produces an odd entry in a certificate [rhel-7.5.z]
Summary: Using a Netmask produces an odd entry in a certificate [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1538311
Blocks:
Reported: 2018-03-08 08:39 UTC by Oneata Mircea Teodor
Modified: 2018-08-16 14:20 UTC (History)

Fixed In Version: pki-core-10.5.1-14.el7_5
Doc Type: Bug Fix
Doc Text:
Previously, Certificate System insufficiently validated values set in iPAddressName fields. If an invalid value was set, the server incorrectly issued certificates that contained this value. With this update, Certificate System validates iPAddressName values in profile configurations according to the context, such as Subject Alternative Name (SAN) or name constraints extensions. As a result, the server no longer issues certificates with invalid iPAddressName values.
Clone Of: 1538311
Environment:
Last Closed: 2018-08-16 14:20:17 UTC
Target Upstream Version:
Embargoed:


Attachments
caServerCert profile config (7.32 KB, text/plain)
2018-04-26 06:21 UTC, Sumedh Sidhaye
CA debug log (27.28 KB, text/plain)
2018-04-26 06:24 UTC, Sumedh Sidhaye


Links
Red Hat Product Errata RHBA-2018:2306 (Last Updated: 2018-08-16 14:20:37 UTC)

Description Oneata Mircea Teodor 2018-03-08 08:39:03 UTC
This bug has been copied from bug #1538311 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Fraser Tweedale 2018-03-09 05:27:34 UTC
Pushed to `DOGTAG_10_5_BRANCH`:

* f14d46f0a IPAddressName: refactoring
* 180b76c98 Check validity of Subject/Issuer Alt Names and Name Constraints
* 487097a4d GeneralNameInterface: methods for checking name validity
* 58658a75a parseGeneralName: properly parse iPAddress GN with netmask
* fca1cbda2 IPAddressName: remove unused getLength method

Comment 4 Fraser Tweedale 2018-03-29 10:37:43 UTC
Verification procedure:

Configure a profile with the following snippet (change the index / prefixes as
appropriate):

policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=nameConstraintsExtDefaultImpl
policyset.serverCertSet.13.default.name=Name Constraints Extension Default
policyset.serverCertSet.13.default.params.nameConstraintsCritical=true
policyset.serverCertSet.13.default.params.nameConstraintsNumPermittedSubtrees=0
policyset.serverCertSet.13.default.params.nameConstraintsNumExcludedSubtrees=4
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_0=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_0=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_0=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_0=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_1=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_1=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_1=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_1=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_2=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_2=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_2=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_2=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeEnable_3=true
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMaxValue_3=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeMinValue_3=
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_3=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff::

Make sure the index (`13' in the snippet above) is referenced in the policy set `list'
config, e.g.:

policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12,13

Now, when a certificate is issued using that profile, issuance should succeed.
The configured values should appear in the Name Constraints extension.

Then modify the profile, making one of these a plain IP address (no netmask, e.g. "10.10.10.10").
Issuance should fail (because netmask is required for Name Constraints extension).

Similarly, configure a SubjectAltNameExtDefault configuration with IPAddress names.
Only this time, ensure that plain IP address values (IPv4 or IPv6) are ACCEPTED,
and values with netmask are REJECTED (netmask is prohibited in the Subject Alt Name
extension).

Hope this assists in verifying the ticket!

Comment 6 Fraser Tweedale 2018-04-10 05:02:48 UTC
add doc text

Comment 9 Sumedh Sidhaye 2018-04-26 05:51:37 UTC
Build used for verification:

root@csqa4-guest01 ~ # rpm -qi pki-server
Name        : pki-server
Version     : 10.5.1
Release     : 11.el7
Architecture: noarch
Install Date: Wednesday 18 April 2018 01:47:36 AM EDT
Group       : System Environment/Base
Size        : 4839482
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.5.1-11.el7.src.rpm
Build Date  : Monday 09 April 2018 09:01:11 PM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Server Framework
Description :


After making the modifications to the profile mentioned in comment #4,
the certificate request succeeds but approval fails.

I am attaching the profile configuration and CA debug log for reference.

Hence marking bugzilla failedQA.

Comment 10 Sumedh Sidhaye 2018-04-26 06:21:54 UTC
Created attachment 1426995 [details]
caServerCert profile config

caServerCert profile config

Comment 11 Sumedh Sidhaye 2018-04-26 06:24:41 UTC
Created attachment 1426996 [details]
CA debug log

CA debug log

Comment 12 Fraser Tweedale 2018-04-27 05:21:48 UTC
I've got a reproducer.  It looks like a pre-existing issue but I'll try
and get a fix done soon because it's blocking QA.

Comment 16 Fraser Tweedale 2018-05-29 06:27:50 UTC
Gerrit review to fix more issues uncovered during QE:
https://review.gerrithub.io/#/c/dogtagpki/pki/+/412715.

Comment 20 Fraser Tweedale 2018-06-07 03:59:10 UTC
More commits, to fix issues discovered during QE, have been pushed
to upstream DOGTAG_10_5_BRANCH:

- a796f490b4c8aeea228195dacc3843cabe56b3ac IPAddressName: fix toString method
- adb1810ddbeb30014b9ad192118bbf7ee1efd595 Handle empty NameConstraints subtrees when reading extension

Moving to POST.

Comment 26 Fraser Tweedale 2018-06-14 14:49:26 UTC
New gerrit reviews for fix:

- master: https://review.gerrithub.io/c/dogtagpki/pki/+/415271
- DOGTAG_10_5_BRANCH: https://review.gerrithub.io/c/dogtagpki/pki/+/415273

Comment 29 Fraser Tweedale 2018-06-26 00:42:14 UTC
New upstream commit on DOGTAG_10_5_BRANCH:

* a85486cfc (origin/DOGTAG_10_5_BRANCH) IPAddressName: fix construction from String

Moving to POST.

Comment 31 Sumedh Sidhaye 2018-07-19 05:21:03 UTC
Build used for verification:

[root@wolverine ~]# pki --version
PKI Command-Line Interface 10.5.1-14.el7_5


Followed steps mentioned in: https://bugzilla.redhat.com/show_bug.cgi?id=1553068#c4


Now, when a certificate is issued using that profile, issuance should succeed.
The configured values should appear in the Name Constraints extension.

Then modify the profile, making one of these a plain IP address (no netmask, e.g. "10.10.10.10").
Issuance should fail (because netmask is required for Name Constraints extension).

Similarly, configure a SubjectAltNameExtDefault configuration with IPAddress names.
Only this time, ensure that plain IP address values (IPv4 or IPv6) are ACCEPTED,
and values with netmask are REJECTED (netmask is prohibited in the Subject Alt Name
extension).

Hope this assists in verifying the ticket!

After adding the Name Constraints issuance succeeds and the configured values appear in the Name Constraints Extension:

[root@wolverine ~]# pki cert-show 0xd --pretty
-----------------
Certificate "0xd"
-----------------
  Serial Number: 0xd
  Subject DN: CN=localhost2.com
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Status: VALID
  Not Valid Before: Thu Jul 19 00:18:22 EDT 2018
  Not Valid After: Wed Jul 17 00:18:22 EDT 2024

    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0xD
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
            Validity: 
                Not Before: Thursday, July 19, 2018 12:18:22 AM EDT America/New_York
                Not  After: Wednesday, July 17, 2024 12:18:22 AM EDT America/New_York
            Subject: CN=localhost2.com
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (1024 bits) :
                        B5:EF:B2:81:9A:EF:63:2E:28:62:21:0E:72:A1:EA:B3:
                        85:70:0D:DD:6E:2B:00:B7:A1:05:8A:41:86:91:E7:56:
                        0F:81:D5:49:07:7C:1B:F7:0C:47:EF:45:F9:AF:10:EF:
                        96:AB:E7:67:2F:7E:76:9F:58:D8:7D:C4:52:F5:0E:BC:
                        BC:18:E4:FF:07:4E:D2:06:8B:67:BC:97:D8:F4:7A:1B:
                        55:2B:DC:F8:6C:BB:9D:C8:6F:61:0D:D6:DB:7E:FF:A4:
                        69:4F:9D:00:1B:24:29:6F:90:13:F2:3C:61:53:BF:56:
                        84:45:B7:57:D6:D5:59:F6:B1:1D:C1:33:E4:17:82:8B
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        4D:BE:72:BC:29:38:86:44:71:AD:3E:04:C2:C1:5F:F1:
                        5B:08:CF:3D
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        3A:30:98:F3:E6:33:F8:88:69:DA:9E:9A:AA:B9:25:51:
                        9E:6B:09:45
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Key CertSign 
                        Crl Sign 
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no 
                    Extended Key Usage: 
                        1.3.6.1.5.5.7.3.1
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: 0
                Identifier: Name Constraints - 2.5.29.30
                    Critical: yes 
                    GeneralSubtrees: 
                      Permitted:                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                          Minimum: 0
                          Maximum: undefined]


                      Excluded:                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: dead:beef:0:0:0:0:0:1,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                          Minimum: 0
                          Maximum: undefined]

                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                          Minimum: 0
                          Maximum: undefined]

                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: dead:beef:0:0:0:0:0:0,ffff:ffff:0:0:0:0:0:0
                          Minimum: 0
                          Maximum: undefined]


                Identifier: CRL Distribution Points - 2.5.29.31
                    Critical: no 
                    Number of Points: 1
                    Point 0
                        Distribution Point: [URIName: http://localhost.crl]
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                96:E6:BB:F0:A3:35:D1:E7:03:2E:43:E2:5F:D6:2A:85:
                AA:15:82:90:39:96:AD:B4:33:66:EB:5C:37:11:AE:2D:
                35:12:C2:87:07:9D:D2:81:75:BA:1F:49:8D:93:4C:C4:
                E9:3D:9A:E9:3A:C5:A0:B4:88:83:CB:AA:BE:D6:C5:38:
                33:B9:91:26:47:62:10:52:8D:93:E2:E0:CB:50:8A:D3:
                0D:E0:C9:70:69:A5:5C:8B:8D:18:FB:F9:55:1B:88:0F:
                9A:E8:05:15:54:F1:BD:D7:AE:49:A9:E1:89:3B:A2:66:
                6E:3D:00:36:56:D4:22:7B:54:40:7A:F9:80:A1:DB:9D:
                C1:6B:E6:80:71:3E:0D:B4:91:76:D9:FA:94:C8:AD:B4:
                0B:50:99:CF:F1:CF:8F:6E:DB:31:B6:04:7C:AC:A0:9C:
                AC:81:6D:FE:13:4F:71:FB:F9:2C:4C:59:37:9C:28:DA:
                A3:76:0A:2E:F8:55:DE:6C:9C:56:D4:94:EB:80:1F:CD:
                BE:B3:04:F8:16:A9:A0:DF:40:A5:15:57:D1:E8:6A:34:
                E1:56:AE:7A:DA:F7:52:BB:C6:3C:54:15:3C:C9:BE:24:
                46:6F:E7:83:08:60:C1:A3:B5:8F:E9:E3:9C:39:77:7A:
                46:38:CF:89:22:02:5E:66:93:9A:8C:72:44:70:83:BF
        FingerPrint
            MD2:
                30:34:1B:E2:D5:3D:C0:94:8C:72:14:09:4E:06:ED:C7
            MD5:
                2D:BB:A9:6F:8A:32:6F:55:40:86:58:E6:3D:EC:A9:E0
            SHA-1:
                6B:8F:C3:D7:A3:91:CD:58:35:FB:12:91:84:23:BE:2B:
                84:15:E3:C9
            SHA-256:
                44:B2:1A:A9:3B:C8:A3:87:C6:2A:E3:28:AB:CF:AD:7E:
                5D:F8:8F:2B:09:18:54:BF:7D:81:E6:26:36:4E:1F:26
            SHA-512:
                0B:05:1E:25:52:65:D1:8C:4D:AC:96:04:76:2D:BE:CF:
                2A:50:10:97:12:9A:E4:6E:08:2A:0D:37:11:62:34:E6:
                A5:E1:F9:13:7C:FB:66:C5:AB:4E:A7:24:61:F5:0A:1A:
                56:05:65:DF:09:30:AB:FD:CE:7B:B1:B9:0E:F1:E6:9D

[root@wolverine ~]# 



After adding the Subject Alt Name extension, issuance succeeds when using
IPv4 / IPv6 addresses and the configured values appear in the extension.


[root@wolverine ~]# pki cert-show 0x10 --pretty
------------------
Certificate "0x10"
------------------
  Serial Number: 0x10
  Subject DN: CN=localhost8.com
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
  Status: VALID
  Not Valid Before: Thu Jul 19 00:39:05 EDT 2018
  Not Valid After: Wed Jul 17 00:39:05 EDT 2024

    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x10
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
            Validity: 
                Not Before: Thursday, July 19, 2018 12:39:05 AM EDT America/New_York
                Not  After: Wednesday, July 17, 2024 12:39:05 AM EDT America/New_York
            Subject: CN=localhost8.com
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (1024 bits) :
                        B9:6B:7B:68:D5:9B:05:77:3F:C0:D1:B5:44:37:34:28:
                        F7:24:C7:3A:D3:F0:11:28:F9:5C:38:E7:40:72:62:78:
                        36:3A:28:91:78:CE:6E:3C:45:C0:B9:BB:22:61:53:20:
                        AE:F3:A7:AC:7D:8B:1E:CD:9D:5E:7A:D8:F3:BD:6F:02:
                        E9:2B:47:9A:09:DB:E9:6B:4C:6A:29:75:9A:BE:CC:B9:
                        8B:F6:F1:84:16:CC:AA:9F:17:83:D7:E0:D2:F1:89:E9:
                        7B:34:D6:A5:D0:E3:26:6C:32:79:6E:18:7F:4C:86:3D:
                        44:E0:B3:5D:F3:49:1F:47:9A:C6:FE:7C:AA:86:95:F7
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        4D:BE:72:BC:29:38:86:44:71:AD:3E:04:C2:C1:5F:F1:
                        5B:08:CF:3D
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        3F:C4:45:A5:F6:D4:C3:22:FE:43:9E:5B:BF:97:5A:59:
                        9F:B5:DC:96
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Key CertSign 
                        Crl Sign 
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no 
                    Extended Key Usage: 
                        1.3.6.1.5.5.7.3.1
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: 0
                Identifier: Name Constraints - 2.5.29.30
                    Critical: yes 
                    GeneralSubtrees: 
                      Permitted:                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                          Minimum: 0
                          Maximum: undefined]


                      Excluded:                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: dead:beef:0:0:0:0:0:1,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                          Minimum: 0
                          Maximum: undefined]

                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: 10.10.10.10,255.255.255.0
                          Minimum: 0
                          Maximum: undefined]

                            
                        GeneralSubtree: [
                          GeneralName: IPAddress: dead:beef:0:0:0:0:0:0,ffff:ffff:0:0:0:0:0:0
                          Minimum: 0
                          Maximum: undefined]


                Identifier: CRL Distribution Points - 2.5.29.31
                    Critical: no 
                    Number of Points: 1
                    Point 0
                        Distribution Point: [URIName: http://localhost.crl]
                Identifier: Subject Alternative Name - 2.5.29.17
                    Critical: yes 
                    Value: 
                        IPAddress: dead:beef:0:0:0:0:0:0
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                31:C7:26:12:47:04:28:FC:86:08:EF:65:11:A2:9C:25:
                95:C4:DF:65:B7:63:58:05:B5:C2:17:25:6D:6C:15:1C:
                A8:0C:70:1A:5D:3A:BC:3B:67:38:74:37:48:12:87:A5:
                FE:8B:7B:9D:6D:98:1D:E4:69:C3:83:B0:70:5E:10:7C:
                EE:AD:47:14:C4:70:46:E8:F1:9E:AD:D5:13:68:F3:92:
                B4:5C:5D:EE:B2:36:BC:06:14:3C:80:3E:D6:86:0B:25:
                1C:7D:B3:DE:75:12:23:D2:F1:D8:68:31:34:30:66:5E:
                42:42:4C:9D:CC:E7:36:7F:37:4A:61:2C:0E:37:5C:16:
                48:F0:5A:22:7D:CD:E8:7D:CF:51:5F:7A:64:FB:75:04:
                10:49:93:F6:1B:25:91:50:AE:9A:9A:BE:DB:C7:CA:B5:
                5D:39:49:69:05:9A:10:D8:C2:B6:8D:F8:4A:BF:58:8C:
                75:42:25:49:6F:D6:77:60:6D:BA:E0:A9:C3:F8:10:55:
                DF:76:80:29:78:1F:D0:0B:3D:7F:83:6A:B3:EA:4B:CE:
                3B:70:0D:21:04:60:F5:32:99:02:70:AF:51:1C:7E:25:
                00:49:15:D1:45:BD:4A:24:53:9F:41:C3:DC:C0:58:DC:
                40:45:5B:31:D8:D8:E1:BB:F9:A1:50:3B:5D:6D:3E:D9
        FingerPrint
            MD2:
                3D:2C:CD:26:0C:31:16:44:A6:0F:DB:29:A7:86:9F:BB
            MD5:
                38:1C:F9:DD:4F:2C:C5:BC:CD:11:8B:1A:66:50:F7:C7
            SHA-1:
                1E:2D:22:72:87:3E:4C:9C:57:6B:75:FD:27:7C:08:C4:
                D8:D9:D3:C2
            SHA-256:
                60:78:78:D0:9E:59:9F:D0:A8:8E:2F:48:21:0F:33:40:
                D1:BB:F7:EF:5F:91:E9:00:EC:87:41:9F:46:29:FB:2D
            SHA-512:
                5F:5D:0D:52:BA:CA:27:7D:7F:67:E0:B7:0F:4E:12:74:
                8B:BA:C1:DB:41:C9:04:12:30:15:29:B9:63:96:26:A6:
                A9:87:0D:D6:3A:D1:11:9F:87:BD:85:9E:01:E0:11:59:
                AA:6E:07:77:64:5E:C5:38:D7:B8:81:A2:C7:99:37:EC


If a netmask is used, issuance fails.


[root@wolverine ~]# pki -d /tmp/nssdb -c SECret.123 client-cert-request CN=localhost6.com --profile caServerCert
PKIException: Not valid for Subject Alternative Name: IPAddress:10.10.10.10,255.255.255.0

[root@wolverine ~]# pki -d /tmp/nssdb -c SECret.123 client-cert-request CN=localhost7.com --profile caServerCert
PKIException: Not valid for Subject Alternative Name: IPAddress:dead:beef::1/128


Fraser, I just need a confirmation of whether the value "dead:beef::1/128" should be accepted in the Subject Alternative Name extension.

Rest looks good.

Comment 32 Fraser Tweedale 2018-07-20 00:30:36 UTC
Sumedh, thanks for the info.

dead:beef::1/128 specifies IP address with CIDR netmask (/128),
so this value should be _rejected_ for SAN and _accepted_ for
Name Constraints.

So the behaviour detailed above seems correct to me.

HTH,
Fraser
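
The two rules exercised by the verification procedure in comment 4 and restated in the clarification just above (netmask mandatory in Name Constraints, forbidden in Subject Alternative Name) follow from how RFC 5280 encodes the iPAddress GeneralName: a SAN entry is a bare address of 4 or 16 octets (section 4.2.1.6), while a name-constraints subtree is address followed by a CIDR-style mask, 8 or 32 octets (section 4.2.1.10). The Python below is an added example written for this page, not Dogtag or Certificate System code. It parses the three value spellings used in the comment 4 snippet ("addr", "addr/prefixlen", "addr,mask"), enforces the context rule, produces and decodes the DER octet-string contents, and scans the NameChoice_N/NameValue_N key pairs of a profile fragment. The function names, the key regex and the "REJECT: <reason>" reporting convention are this example's own; the embedded profile fragment is a constructed sample that copies the four values from comment 4.

```python
"""Validate iPAddress GeneralName values per RFC 5280: a SAN entry (4.2.1.6) is a bare
4/16-octet address, a Name Constraints subtree (4.2.1.10) is address + CIDR mask, 8/32 octets."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

SAN = "SubjectAltName"
NAME_CONSTRAINTS = "NameConstraints"
@dataclass(frozen=True)
class IPName:
    address: ipaddress.IPv4Address | ipaddress.IPv6Address
    mask: bytes | None  # None when the configured value carried no netmask

    def __str__(self) -> str:
        if self.mask is None:
            return str(self.address)
        return f"{self.address},{ipaddress.ip_address(self.mask)}"

def _mask_is_contiguous(mask: bytes) -> bool:
    """CIDR-style range: a run of 1 bits followed only by 0 bits."""
    inverted = ~int.from_bytes(mask, "big") & ((1 << (len(mask) * 8)) - 1)
    return inverted & (inverted + 1) == 0

def parse_ip_general_name(value: str) -> IPName:
    """Accept 'addr', 'addr/prefixlen' or 'addr,mask', the spellings used in the comment 4 snippet."""
    value = value.strip()
    if "," in value:
        addr_s, mask_s = (s.strip() for s in value.split(",", 1))
        address, mask_addr = ipaddress.ip_address(addr_s), ipaddress.ip_address(mask_s)
        if mask_addr.version != address.version:
            raise ValueError(f"address/mask family mismatch in {value!r}")
        mask = mask_addr.packed
    elif "/" in value:
        addr_s, prefix_s = (s.strip() for s in value.split("/", 1))
        address = ipaddress.ip_address(addr_s)
        # ip_network rejects a prefix length that does not fit the address family
        mask = ipaddress.ip_network(f"{address}/{prefix_s}", strict=False).netmask.packed
    else:
        address, mask = ipaddress.ip_address(value), None
    if mask is not None and not _mask_is_contiguous(mask):
        raise ValueError(f"non-contiguous netmask in {value!r}")
    return IPName(address, mask)

def encode_ip_general_name(name: IPName, context: str) -> bytes:
    """OCTET STRING contents of the iPAddress choice: SAN forbids a mask, Name Constraints requires one."""
    if context == SAN:
        if name.mask is not None:
            raise ValueError(f"netmask not allowed in Subject Alternative Name: {name}")
        return name.address.packed
    if context == NAME_CONSTRAINTS:
        if name.mask is None:
            raise ValueError(f"netmask required in Name Constraints: {name}")
        return name.address.packed + name.mask
    raise ValueError(f"unknown context {context!r}")

def decode_ip_general_name(octets: bytes, context: str) -> IPName:
    """Inverse of encode: the octet count alone says which context the value is legal in."""
    n = len(octets)
    if context == SAN and n in (4, 16):
        return IPName(ipaddress.ip_address(octets), None)
    if context == NAME_CONSTRAINTS and n in (8, 32) and _mask_is_contiguous(octets[n // 2:]):
        return IPName(ipaddress.ip_address(octets[:n // 2]), octets[n // 2:])
    raise ValueError(f"{n}-octet iPAddress {octets.hex()} is not valid for {context}")

def check_values(values, context: str) -> dict[str, str]:
    # Each configured value maps to its hex encoding, or to "REJECT: <reason>" (example's own convention).
    report = {}
    for raw in values:
        try:
            report[raw] = encode_ip_general_name(parse_ip_general_name(raw), context).hex()
        except ValueError as exc:
            report[raw] = f"REJECT: {exc}"
    return report

def check_profile(config_text: str, context: str) -> dict[str, str]:
    """Validate the IPAddress entries in NameChoice_N / NameValue_N pairs (comment 4's snippet layout)."""
    choices, values = {}, {}
    for line in config_text.splitlines():
        m = re.match(r"^\s*(?P<key>\S+?)Name(?P<kind>Choice|Value)_(?P<i>\d+)=(?P<v>\S*)", line)
        if m:
            (choices if m["kind"] == "Choice" else values)[(m["key"], m["i"])] = m["v"]
    ip_values = [values.get(k, "") for k, c in sorted(choices.items()) if c == "IPAddress"]
    return check_values(ip_values, context)

# Constructed sample: the four Name Constraints values from the comment 4 procedure.
NC_PROFILE_SNIPPET = """\
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_0=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_1=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_2=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameChoice_3=IPAddress
policyset.serverCertSet.13.default.params.nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff::
"""

if __name__ == "__main__":
    print(check_profile(NC_PROFILE_SNIPPET, NAME_CONSTRAINTS))  # all four accepted
    print(check_values(["10.10.10.10", "dead:beef::", "10.10.10.10/24"], SAN))  # last one rejected
```

Run it directly to see the four Name Constraints values encode to 8- and 32-octet strings while the same values are rejected for a SAN, and a bare "10.10.10.10" is rejected for Name Constraints. Two details worth noting: "10.10.10.10/24" and "10.10.10.10,255.255.255.0" encode identically, which is why the later cert dump shows both as "10.10.10.10,255.255.255.0"; and the host bits in 10.10.10.10 are kept as given rather than zeroed, matching the CA output in comment 31, so a relying party comparing addr & mask still gets the /24 range.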

Comment 33 Sumedh Sidhaye 2018-07-21 18:48:26 UTC
As per verification in #c31, marking the bugzilla verified.

Comment 35 errata-xmlrpc 2018-08-16 14:20:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2306

