Bug 1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z]
Summary: Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
: 1418693 (view as bug list)
Depends On: 1550739 1560225
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-13 08:56 UTC by Oneata Mircea Teodor
Modified: 2018-06-26 16:48 UTC (History)
6 users (show)

Fixed In Version: pki-core-10.5.1-11.el7
Doc Type: Bug Fix
Doc Text:
Previously, Certificate System used the same enrollment profiles for issuing RSA and ECC certificates. As a consequence, the key usage extension in issued certificates did not meet the Common Criteria standard. This update adds ECC-specific enrollment profiles where the key usage extension for TLS server and client certificates are different as described in RFC 6960. Additionally, the update changes existing profiles to issue only RSA certificates. As a result, the key usage extension in ECC certificates now meets the Common Criteria standard.
Clone Of: 1550739
Environment:
Last Closed: 2018-06-26 16:47:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1979 None None None 2018-06-26 16:48:27 UTC

Description Oneata Mircea Teodor 2018-03-13 08:56:57 UTC
This bug has been copied from bug #1550739 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Christina Fu 2018-03-13 23:49:15 UTC
cherry picked from commit 27cf99efe1e52249f226db24ef28b0990a654dd5

doc text was copied from: https://bugzilla.redhat.com/show_bug.cgi?id=1550739

Comment 4 Matthew Harmsen 2018-04-05 22:25:10 UTC
commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Mar 29 09:59:02 2018 -0700

    quick fix on wrong keyType in profile
    
    Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
    (cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)

Comment 5 Matthew Harmsen 2018-04-05 22:34:17 UTC
commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Mar 29 09:59:02 2018 -0700

    quick fix on wrong keyType in profile
    
    Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
    (cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)

Comment 6 Matthew Harmsen 2018-04-05 22:34:53 UTC
commit 7b5a899e3d237e2be3bc1c7d9e4dd7613cdd9f24
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Mar 29 09:59:02 2018 -0700

    quick fix on wrong keyType in profile
    
    Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
    (cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
    (cherry picked from commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620)

Comment 8 Christina Fu 2018-04-11 16:18:21 UTC
that sounds fine. thanks.

Comment 9 Amol K 2018-04-26 16:28:35 UTC
I tested this BZ with pki 10.5.1-11.el7 version.

It working as expected.

Verifying this bug.

Comment 10 Christina Fu 2018-06-20 18:53:10 UTC
*** Bug 1418693 has been marked as a duplicate of this bug. ***

Comment 12 Matthew Harmsen 2018-06-26 01:13:03 UTC
Testing procedure:

* For installation, courtesy of Matt:
http://pki.fedoraproject.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround

* For other profiles, just make sure the new or changed profiles are exercised.  For example, for the CMC profiles (new or changed), just put that into the HttpClient config file under servlet.

Comment 13 errata-xmlrpc 2018-06-26 16:47:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979


Note You need to log in before you can comment on or make changes to this bug.