RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1575725 - JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier
Summary: JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss
Version: 7.6
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1547802 1579202
TreeView+ depends on / blocked
 
Reported: 2018-05-07 18:37 UTC by Christina Fu
Modified: 2018-10-30 11:01 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
See Doc Text field in BZ#1579202.
Clone Of:
: 1579202 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:00:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
this patch makes sure no params are in the Algorithm ID in case of signature with ECDSA with various SHA* (2.63 KB, patch)
2018-05-16 17:24 UTC, Christina Fu 		jmagne: review+
Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3188 0 None None None 2018-10-30 11:01:21 UTC

Description Christina Fu 2018-05-07 18:37:28 UTC 
Investigation reveals that the issue described in the following bug occurred in JSS:


Bug 1547802 - ECDSA Certificates Generated by Certificate System 9.3 fail NIST validation test with parameter field
Comment 3 Christina Fu 2018-05-15 22:51:47 UTC 
Test procedure:
Note, this could be tested with https://bugzilla.redhat.com/show_bug.cgi?id=1547802
No need to test it twice.

Se see the following for test procedure:
https://bugzilla.redhat.com/show_bug.cgi?id=1547802#c2
Comment 4 Christina Fu 2018-05-16 17:24:18 UTC 
Created attachment 1437492 [details]
this patch makes sure no params are in the Algorithm ID in case of signature with ECDSA with various  SHA*
Comment 5 Jack Magne 2018-05-16 17:28:01 UTC 
Comment on attachment 1437492 [details]
this patch makes sure no params are in the Algorithm ID in case of signature with ECDSA with various  SHA*

Looks good. We will have to keep an eye in the future if we need more algs added to this thing.
Comment 6 Christina Fu 2018-05-16 20:16:06 UTC 
commit a8e371e54b009159e9e3a0d198bd5eb3ed68ac22 (HEAD -> master, origin/master, origin/HEAD, ticket-3-AlgId)
Author: Christina Fu <cfu>
Date:   Tue May 15 14:58:07 2018 -0700

    Ticket 3 JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier
    This ticket addresses the issue to meet RFC 5758 where param field must be omitted
    in the ECDSA Signature algorithm' AlgorithmIdentifier for
    ecdsa-withSHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512.
    
    fixes https://pagure.io/jss/issue/3
Comment 10 Amol K 2018-08-17 08:01:11 UTC 
I tested this Bugzilla on version: 10.5.9-5.el7

Steps I followed:
- Setup ECC CA, KRA
- Create a CMC request and submit per CMC enrollment procedure
- I use the dumpasn1 tool on the response and check that 'OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)' block do not have NULL.
- For more verification, I copied enrolled b64 certificate and ran the dunpasn1 tool on that.
- It does not show the NULL in ecdsaWithSHA256 block.
```
 16  10: . . SEQUENCE {
    <06 08 2A 86 48 CE 3D 04 03 02>
 18   8: . . . OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
       : . . . . (ANSI X9.62 ECDSA algorithm with SHA256)
       : . . . }

```

Verifying this Bugzilla.
Comment 12 errata-xmlrpc 2018-10-30 11:00:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3188
Note You need to log in before you can comment on or make changes to this bug.