Bug 1572057 - pki pkcs12 cli import export issues.
Summary: pki pkcs12 cli import export issues.
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-26 05:43 UTC by Amol K
Modified: 2020-10-04 21:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-15 18:06:40 UTC
Type: Bug
Target Upstream Version:



Links
System ID                              Private  Priority  Status  Summary  Last Updated
Fedora Pagure dogtagpki issue 3131     0        None      None    None     2020-03-15 18:06:39 UTC
Github dogtagpki pki issues 3248       0        None      None    None     2020-10-04 21:46:32 UTC

Description Amol K 2018-04-26 05:43:26 UTC
Description of problem:
pki pkcs12 CLI import and export issues.


Version-Release number of selected component (if applicable):
10.5.1-11.el7

How reproducible:
Always

Steps to Reproduce:
1. pki pkcs12-export with --no-chain is exporting the chain.
```
root@pki1 # pki -d /opt/pki/certdb/ -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 --no-chain 
---------------
Export complete
---------------

root@pki1 # pki pkcs12-cert-find --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 
---------------
2 entries found
---------------
  Certificate ID: ad448d4a22ef1ea7ba074701a116bda6d34ef79f
  Serial Number: 0x6
  Nickname: PKI CA Administrator for Example.Org
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: bb7f1fff70ac0648925bc1c12caf013e6f8b100a
  Serial Number: 0x1
  Nickname: CA
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: CT,C,C
  Has Key: false
```

Here CA certificate is not expected.

2. If we import the above /tmp/all_certs.p12 file into the database, it shows no trust flags for the CA certificate.

```
root@pki1 # certutil -L -d /tmp/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
CA   
```

3. pkcs12-export with --no-key exports keys to the p12 file.
```
root@pki1 # pki -d /opt/pki/certdb -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 --no-key "PKI CA Administrator for Example.Org"
---------------
Export complete
---------------

root@pki1 # pki -d /tmp/nssdb -c Secret123 client-init --force                                                             
------------------
Client initialized
------------------

root@pki1 # pki -d /tmp/nssdb -c Secret123 client-cert-import --pkcs12 /tmp/all_cert.p12 --pkcs12-password Secret123                                                      
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------

root@pki1 # certutil -L -d /tmp/nssdb 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
CA                                                           ,,   
```

It is exporting keys in the p12 file.

4. It shows a success message for invalid certs.

```
pki -d /opt/pki/certdb -c Secret123 pkcs12-export --pkcs12-file /tmp/all_certs.p12 --pkcs12-password Secret123 "DJFLSDJFLSDKJFLDSKJF"
---------------
Export complete
---------------
```


Actual results:
1. It exports the CA certificate with the --no-chain option.
2. It does not import the trust flags as per the pkcs12 file.
3. It exports the private key with the --no-key option.
4. It shows an "Export complete" message for an invalid certificate nickname.
 

Expected results:
1. It should not export the CA certificate with the --no-chain option.
2. It should import trust flags as per the pkcs12 file.
3. It should not export the private key with the --no-key option.
4. It should throw an error for an invalid certificate nickname.


Additional info:
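The four findings above share one lesson: the tool's "Export complete" banner says nothing about what landed in the file, so an export has to be inspected after the fact. The script below is an added example, not code from this bug report or from Dogtag/pki: it builds a throwaway CA and admin certificate with openssl (constructed test material, not the reporter's topology-02 instance), writes one PKCS#12 file with key and chain and one with the certificate alone, and then counts the certificates and private keys each file actually holds. The file names, subject names and the `check_p12` helper are assumptions made for the demonstration; the password is reused from the report's commands.

```shell
#!/bin/sh
# Added example (not pki's own code): verify what a PKCS#12 export really
# contains using openssl, independently of the tool that wrote it.
# CA, admin certificate and file names are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=Secret123   # same password as in the report's commands; any value works

# Constructed test material: a self-signed CA and an admin certificate it signs.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example/CN=CA Signing Certificate" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example/CN=PKI Administrator" \
    -keyout "$WORK/admin.key" -out "$WORK/admin.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/admin.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/admin.crt" 2>/dev/null
}

# Export 1: admin cert plus its private key and the CA chain
# (what pkcs12-export produces by default).
export_full() {
  openssl pkcs12 -export -in "$WORK/admin.crt" -inkey "$WORK/admin.key" \
    -certfile "$WORK/ca.crt" -name "PKI CA Administrator" \
    -passout "pass:$PASS" -out "$WORK/full.p12"
}

# Export 2: the admin cert alone, which is what --no-chain --no-key
# is supposed to produce.
export_cert_only() {
  openssl pkcs12 -export -in "$WORK/admin.crt" -nokeys \
    -name "PKI CA Administrator" -passout "pass:$PASS" \
    -out "$WORK/cert_only.p12"
}

# Number of certificates (leaf and chain alike) stored in a PKCS#12 file.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Number of private keys stored in a PKCS#12 file.
p12_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# Return 0 only when the file holds exactly the expected number of
# certificates ($2) and private keys ($3). Run this after every export
# instead of trusting the tool's "Export complete" banner.
check_p12() {
  certs=$(p12_cert_count "$1")
  keys=$(p12_key_count "$1")
  echo "$1: $certs certificate(s), $keys private key(s)"
  [ "$certs" -eq "$2" ] && [ "$keys" -eq "$3" ]
}

make_test_certs
export_full
export_cert_only
# Expected: full.p12 holds 2 certificates and 1 key,
#           cert_only.p12 holds 1 certificate and 0 keys.
check_p12 "$WORK/full.p12" 2 1 || echo "full.p12: unexpected contents"
check_p12 "$WORK/cert_only.p12" 1 0 || echo "cert_only.p12: unexpected contents"
```

Run the same `check_p12` against a file written by `pki pkcs12-export --no-chain` or `--no-key` and findings 1 and 3 show up as a count that is one too high; finding 4 shows up as a file with zero certificates, because an unknown nickname has nothing to export. Finding 2 is outside openssl's reach: the NSS trust flags that `pki pkcs12-cert-find` prints are not something `openssl pkcs12` displays, so the trust column still has to be checked with `certutil -L` after the import, exactly as the reporter did.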

Comment 2 Matthew Harmsen 2018-07-04 00:39:28 UTC
Moved to RHEL 7.7.

