Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z]
Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
7.6
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Christina Fu
Asha Akkiangady
Marc Muehlfeld
: TestCaseProvided, ZStream
: 1418693 (view as bug list)
Depends On: 1550739 1560225
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-13 04:56 EDT by Oneata Mircea Teodor
Modified: 2018-06-26 12:48 EDT (History)
6 users (show)

See Also:
Fixed In Version: pki-core-10.5.1-11.el7
Doc Type: Bug Fix
Doc Text:
Previously, Certificate System used the same enrollment profiles for issuing RSA and ECC certificates. As a consequence, the key usage extension in issued certificates did not meet the Common Criteria standard. This update adds ECC-specific enrollment profiles where the key usage extension for TLS server and client certificates are different as described in RFC 6960. Additionally, the update changes existing profiles to issue only RSA certificates. As a result, the key usage extension in ECC certificates now meets the Common Criteria standard.
Story Points: ---
Clone Of: 1550739
Environment:
Last Closed: 2018-06-26 12:47:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1979 None None None 2018-06-26 12:48 EDT

  None (edit)
Description Oneata Mircea Teodor 2018-03-13 04:56:57 EDT 
This bug has been copied from bug #1550739 and has been proposed to be backported to 7.5 z-stream (EUS).
Comment 2 Christina Fu 2018-03-13 19:49:15 EDT 
cherry picked from commit 27cf99efe1e52249f226db24ef28b0990a654dd5

doc text was copied from: https://bugzilla.redhat.com/show_bug.cgi?id=1550739
Comment 4 Matthew Harmsen 2018-04-05 18:25:10 EDT 
commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Mar 29 09:59:02 2018 -0700

    quick fix on wrong keyType in profile
    
    Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
    (cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
Comment 5 Matthew Harmsen 2018-04-05 18:34:17 EDT 
commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Mar 29 09:59:02 2018 -0700

    quick fix on wrong keyType in profile
    
    Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
    (cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
Comment 6 Matthew Harmsen 2018-04-05 18:34:53 EDT 
commit 7b5a899e3d237e2be3bc1c7d9e4dd7613cdd9f24
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Mar 29 09:59:02 2018 -0700

    quick fix on wrong keyType in profile
    
    Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
    (cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
    (cherry picked from commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620)
Comment 8 Christina Fu 2018-04-11 12:18:21 EDT 
that sounds fine. thanks.
Comment 9 Amol K 2018-04-26 12:28:35 EDT 
I tested this BZ with pki 10.5.1-11.el7 version.

It working as expected.

Verifying this bug.
Comment 10 Christina Fu 2018-06-20 14:53:10 EDT 
*** Bug 1418693 has been marked as a duplicate of this bug. ***
Comment 12 Matthew Harmsen 2018-06-25 21:13:03 EDT 
Testing procedure:

* For installation, courtesy of Matt:
http://pki.fedoraproject.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround

* For other profiles, just make sure the new or changed profiles are exercised.  For example, for the CMC profiles (new or changed), just put that into the HttpClient config file under servlet.
Comment 13 errata-xmlrpc 2018-06-26 12:47:58 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.