Bug 1580394 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [NEEDINFO]
Summary: CMC CRMF requests result in InvalidKeyFormatException when signing algorithm ...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core   
(Show other bugs)
Version: 7.5
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Keywords: TestCaseProvided, ZStream
Depends On:
Blocks: 1585945
TreeView+ depends on / blocked
 
Reported: 2018-05-21 12:17 UTC by Geetika Kapoor
Modified: 2018-10-30 11:08 UTC (History)
3 users (show)

Fixed In Version: pki-core-10.5.9-1.el7
Doc Type: Bug Fix
Doc Text:
CMC CRMF requests using ECC keys work correctly Previously, during verification, Certificate System encoded the ECC public key incorrectly in CMC Certificate Request Message Format (CRMF) requests. As a consequence, requesting an ECC certificate with Certificate Management over CMS (CMC) in CRMF failed. The problem has been fixed, and as a result, CMC CRMF requests using ECC keys work as expected.
Story Points: ---
Clone Of:
: 1585945 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:07:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
mmuehlfe: needinfo? (cfu)


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3195 None None None 2018-10-30 11:08 UTC

Description Geetika Kapoor 2018-05-21 12:17:25 UTC
Description of problem:

Test case 1: self-signed cases whenever cmc.cfg file has request.selfSign=true , and signing algorithm is EC( as in crmfpopclient cli we use -a ec) throws org.mozilla.jss.crypto.InvalidKeyFormatException. 

1.CRMFPopClient -d /root/help -p SECret.123 -n UID=testuser1self-Test1 -q POP_SUCCESS  -b /root/transport.pem -a ec -t false -y  -w "AES/CBC/PKCS5Padding" -o crmf2.req
2. Run CMCRequest file with request.selfSign=true.
3. Run HttpClient.Below are the debug logs

[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCUserSignedAuth: authenticate: signing key alg=EC
[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCUserSignedAuth: authenticate: org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding
[04/May/2018:07:25:41][http-bio-20443-exec-16]: SignedAuditLogger: event CMC_USER_SIGNED_REQUEST_SIG_VERIFY
[04/May/2018:07:25:41][http-bio-20443-exec-16]: ProfileSubmitCMCServlet: authenticate: org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding
[04/May/2018:07:25:41][http-bio-20443-exec-16]: SignedAuditLogger: event AUTH
[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCOutputTemplate: getContentInfo: begins
[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCOutputTemplate: getContentInfo:  - done
[04/May/2018:07:25:41][http-bio-20443-exec-16]: SignedAuditLogger: event CMC_RESPONSE_SENT
[04/May/2018:07:25:41][http-bio-20443-exec-16]: ProfileSubmitCMCServlet: authentication error org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding



Version-Release number of selected component (if applicable):

7.5 update 1

How reproducible:

always

Steps to Reproduce:
1.Install ECC RootCA.
2.Run CRMFPopClient -d /root/help -p SECret.123 -n UID=testuser1self-Test1 -q POP_SUCCESS  -b /root/transport.pem -a ec -t false -y  -w "AES/CBC/PKCS5Padding" -o crmf2.req
3. Make sure it's for self signed and -a is ec in crmfpopclient

Actual results:

Failures caused due to:

[04/May/2018:07:25:41][http-bio-20443-exec-16]: CMCUserSignedAuth: authenticate: org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding



Expected results:

Should work.

Additional info:

In Case we have signing algorithm as RSA in crmfpopclient,it works.
=====================================================

CRMFPopClient -d /root/help -p SECret.123 -n UID=testuser1self-Test1 -q POP_SUCCESS -b /root/transport.pem -y -w "AES/CBC/PKCS5Padding" -o crmf2.req

[04/May/2018:07:40:57][http-bio-20443-exec-17]: CMCUserSignedAuth: authenticate: signing key alg=RSA
[04/May/2018:07:40:57][http-bio-20443-exec-17]: CMCUserSignedAuth: authenticate: public key retrieved
[04/May/2018:07:40:57][http-bio-20443-exec-17]: CMCUserSignedAuth: verifySelfSignedCMC: begins

Comment 3 Christina Fu 2018-06-04 22:46:44 UTC
commit 33f532f435672e712c041e17ed8597bf96d30526 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu@redhat.com>
Date:   Mon Jun 4 11:03:20 2018 -0700

    Ticket 3028 additional error checking
    
    Change-Id: If660fabd21b9992416dd1d5463b6ffd68fa1bf43

commit bd9365250ac1f98505823d7d47476b5f814cfb58
Author: Christina Fu <cfu@redhat.com>
Date:   Mon Jun 4 10:53:12 2018 -0700

    Ticket 3028 CMC CRMF request results in InvalidKeyFormatException when signing algorithm is ECC
    
    This patch fixes the issue where in case of CRMF request with ECC keys the
    public key was encoded incorrectly previously.
    
    The fix was done in a way that RSA portion is unaffected.
    
    Fixes https://pagure.io/dogtagpki/issue/3028
    
    Change-Id: I3eb62638f2970dc7a9df37abb19015bd287b383d

Comment 8 Matthew Harmsen 2018-06-26 01:27:22 UTC
QE Test Verification:

https://bugzilla.redhat.com/show_bug.cgi?id=1585945#c3

Comment 9 Geetika Kapoor 2018-08-17 20:33:05 UTC
Test Env:

# rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch


Test Case:

1. CRMFPopClient key archival works for self-signed(ECC).
2. CRMFPopClient key archival works for user-signed(ECC).

Comment 11 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195


Note You need to log in before you can comment on or make changes to this bug.