Bug 1588655 - Cert validation for installation with external CA cert
Summary: Cert validation for installation with external CA cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1588944
Reported: 2018-06-07 16:52 UTC by Endi Sukma Dewata
Modified: 2018-10-30 11:08 UTC
CC List: 4 users

Fixed In Version: pki-core-10.5.9-1.el7
Doc Type: No Doc Update
Doc Text:
See Doc Text field in BZ#1588944.
Clone Of:
Clones: 1588944
Environment:
Last Closed: 2018-10-30 11:07:04 UTC
Target Upstream Version:

Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2018:3195  None      None    None     2018-10-30 11:08:05 UTC

Description Endi Sukma Dewata 2018-06-07 16:52:42 UTC
During installation with an external CA cert, the cert is currently not properly validated, so an incorrect path might generate a misleading error message such as the following (see bug #1540924):

[01/Feb/2018:05:32:14][http-bio-29443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
        at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
        at
...

To simplify troubleshooting the problem, the cert needs to be properly validated.

Steps to reproduce:

1. Run step 1 of installation with external CA cert (http://www.dogtagpki.org/wiki/Installing_CA_with_External_CA_Signing_Certificate)
2. Specify an invalid cert path such as pki_ca_signing_cert_path=wrong_path
3. Run step 2 of the installation

Actual result:

The installation failed with an unrelated message:
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.

Expected result:

The installation should fail with a more helpful message such as:
Invalid certificate path: pki_ca_signing_cert_path=wrong_path

The fix is already available in the 10.5 branch:
https://github.com/dogtagpki/pki/commit/313c701957bedfd59f7f6368d0c37d2928d1a4a1
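The kind of pre-flight check the report asks for, as an added example that is not code from the pki-core/Dogtag project or from the linked commit: it validates the value of pki_ca_signing_cert_path before installation step 2 continues, so a wrong path (or a file that is not a certificate) fails with a message naming the parameter instead of surfacing later as a low-level DER decoding error. It uses only the Python standard library; the function names, the check_config() helper and the certificate bytes in demo() are assumptions and constructed stand-ins, not real certificates or real project APIs.

```python
# Added example (not pki-core's own code): fail fast, with a message that
# names the offending parameter, when pki_ca_signing_cert_path is wrong.
import base64
import binascii
import os
import re
import tempfile

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


class CertValidationError(Exception):
    """Raised with a message that starts by naming the bad config parameter."""


def der_sequence_total_length(data: bytes) -> int:
    """Return header+content length of the outer DER SEQUENCE in `data`.

    Raises ValueError for a missing SEQUENCE tag or a malformed length field.
    A length field longer than 4 bytes is reported as 'lengthTag=N, too big',
    the same condition Java's DerInputStream reports in the quoted trace.
    """
    if len(data) < 2:
        raise ValueError("too short for a DER header")
    if data[0] != 0x30:
        raise ValueError("outer tag 0x%02x is not SEQUENCE" % data[0])
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    if first in (0x80, 0xFF):               # indefinite/reserved: not DER
        raise ValueError("indefinite or reserved length form")
    n = first & 0x7F                        # long form: n length bytes follow
    if n > 4:
        raise ValueError("lengthTag=%d, too big" % n)
    if len(data) < 2 + n:
        raise ValueError("truncated length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def load_signing_cert(path, param="pki_ca_signing_cert_path"):
    """Return the DER bytes of the cert file at `path` (PEM or raw DER).

    Every failure is a CertValidationError whose message names `param`, so
    the installer can stop here rather than in an unrelated Java exception.
    """
    if not path or not os.path.isfile(path):
        raise CertValidationError("Invalid certificate path: %s=%s" % (param, path))
    with open(path, "rb") as f:
        raw = f.read()
    m = PEM_CERT_RE.search(raw)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except (binascii.Error, ValueError) as e:
            raise CertValidationError(
                "Invalid certificate file (bad PEM base64): %s=%s: %s" % (param, path, e))
    else:
        der = raw                           # no PEM armor: treat as raw DER
    try:
        total = der_sequence_total_length(der)
    except ValueError as e:
        raise CertValidationError(
            "Invalid certificate file (not a DER SEQUENCE): %s=%s: %s" % (param, path, e))
    if total != len(der):
        raise CertValidationError(
            "Invalid certificate file (DER length %d != file length %d): %s=%s"
            % (total, len(der), param, path))
    return der


def check_config(config):
    """Check one pkispawn-style config dict; return 'ok' or the error message."""
    try:
        load_signing_cert(config.get("pki_ca_signing_cert_path"))
        return "ok"
    except CertValidationError as e:
        return str(e)


def demo():
    """Run the check on constructed inputs and return {case: status}."""
    # Constructed stand-in for a certificate: SEQUENCE { INTEGER 1 }.  Real
    # certificates are far larger, but the outer DER framing is identical.
    fake_der = b"\x30\x03\x02\x01\x01"
    fake_pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_der)
                + b"-----END CERTIFICATE-----\n")
    tmp = tempfile.mkdtemp()

    def write(name, data):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    cases = {
        "wrong_path": "wrong_path",                      # the bug's reproducer
        "pem": write("ca_signing.pem", fake_pem),
        "der": write("ca_signing.der", fake_der),
        "text": write("notes.txt", b"this is not a certificate\n"),
        "truncated": write("trunc.der", fake_der[:-1]),
        "too_big": write("big.der", b"\x30\x89" + b"\x00" * 9),
        "bad_b64": write("bad.pem", b"-----BEGIN CERTIFICATE-----\n@@@@\n"
                                    b"-----END CERTIFICATE-----\n"),
    }
    return {k: check_config({"pki_ca_signing_cert_path": v}) for k, v in cases.items()}


if __name__ == "__main__":
    for case, status in demo().items():
        print("%-10s %s" % (case, status))
```

The check only confirms that the file exists and carries a well-formed outer DER SEQUENCE whose declared length matches the file; a real installer would hand the bytes to a full X.509 parser afterwards. Its value is in attribution: every failure message begins with the parameter name the administrator typed, which is what turns the quoted "DerInput.getLength(): lengthTag=9, too big" into a one-line fix.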

Comment 8 Matthew Harmsen 2018-06-26 01:54:26 UTC
QE Test Verification

https://bugzilla.redhat.com/show_bug.cgi?id=1588944#c5

Comment 9 Geetika Kapoor 2018-08-16 12:39:43 UTC
rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch

Manually verified. Performed steps from https://bugzilla.redhat.com/show_bug.cgi?id=1588944#c5

Comment 11 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195