Bug 1575725 - JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier
Summary: JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss
Version: 7.6
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1547802 1579202
TreeView+ depends on / blocked
 
Reported: 2018-05-07 18:37 UTC by Christina Fu
Modified: 2018-10-30 11:01 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
See Doc Text field in BZ#1579202.
Clone Of:
: 1579202 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:00:36 UTC
Target Upstream Version:


Attachments (Terms of Use)
this patch makes sure no params are in the Algorithm ID in case of signature with ECDSA with various SHA* (2.63 KB, patch)
2018-05-16 17:24 UTC, Christina Fu
jmagne: review+
Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3188 None None None 2018-10-30 11:01:21 UTC

Description Christina Fu 2018-05-07 18:37:28 UTC
Investigation reveals that the issue described in the following bug occurred in JSS:


Bug 1547802 - ECDSA Certificates Generated by Certificate System 9.3 fail NIST validation test with parameter field

Comment 3 Christina Fu 2018-05-15 22:51:47 UTC
Test procedure:
Note, this could be tested with https://bugzilla.redhat.com/show_bug.cgi?id=1547802
No need to test it twice.

Se see the following for test procedure:
https://bugzilla.redhat.com/show_bug.cgi?id=1547802#c2

Comment 4 Christina Fu 2018-05-16 17:24:18 UTC
Created attachment 1437492 [details]
this patch makes sure no params are in the Algorithm ID in case of signature with ECDSA with various  SHA*

Comment 5 Jack Magne 2018-05-16 17:28:01 UTC
Comment on attachment 1437492 [details]
this patch makes sure no params are in the Algorithm ID in case of signature with ECDSA with various  SHA*

Looks good. We will have to keep an eye in the future if we need more algs added to this thing.

Comment 6 Christina Fu 2018-05-16 20:16:06 UTC
commit a8e371e54b009159e9e3a0d198bd5eb3ed68ac22 (HEAD -> master, origin/master, origin/HEAD, ticket-3-AlgId)
Author: Christina Fu <cfu@redhat.com>
Date:   Tue May 15 14:58:07 2018 -0700

    Ticket 3 JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier
    This ticket addresses the issue to meet RFC 5758 where param field must be omitted
    in the ECDSA Signature algorithm' AlgorithmIdentifier for
    ecdsa-withSHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512.
    
    fixes https://pagure.io/jss/issue/3

Comment 10 Amol K 2018-08-17 08:01:11 UTC
I tested this Bugzilla on version: 10.5.9-5.el7

Steps I followed:
- Setup ECC CA, KRA
- Create a CMC request and submit per CMC enrollment procedure
- I use the dumpasn1 tool on the response and check that 'OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)' block do not have NULL.
- For more verification, I copied enrolled b64 certificate and ran the dunpasn1 tool on that.
- It does not show the NULL in ecdsaWithSHA256 block.
```
 16  10: . . SEQUENCE {
    <06 08 2A 86 48 CE 3D 04 03 02>
 18   8: . . . OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
       : . . . . (ANSI X9.62 ECDSA algorithm with SHA256)
       : . . . }

```

Verifying this Bugzilla.

Comment 12 errata-xmlrpc 2018-10-30 11:00:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3188


Note You need to log in before you can comment on or make changes to this bug.