RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1787115 - [RFE] Need Method to copy SKI from CSR to Certificate signed.
Summary: [RFE] Need Method to copy SKI from CSR to Certificate signed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.0
Hardware: All
OS: All
high
high
Target Milestone: rc
: 8.0
Assignee: Jack Magne
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-31 09:10 UTC by Gaurav Swami
Modified: 2023-10-06 18:57 UTC (History)
6 users (show)

Fixed In Version: pki-core-10.6-8040020201020223442.d4d99205
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:25:13 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Gaurav Swami 2019-12-31 09:10:11 UTC
Description of problem:

We need SKI from CSR to be copied into signed certificate by RHCS.

As of now we have workaround  If we have CSR with SKI extension and want to keep the SKI as-is, we must use a profile with the 'userExtensionDefaultImpl'
component configured to copy the SKI extension to the final certificate as-is, e.g.:

    policyset.<name>.<idx>.constraint.class_id=noConstraintImpl
    policyset.<name>.<idx>.constraint.name=No Constraint
    policyset.<name>.<idx>.default.class_id=userExtensionDefaultImpl
    policyset.<name>.<idx>.default.name=User Supplied Extension Default
    policyset.<name>.<idx>.default.params.userExtOID=2.5.29.14

If the CSR does not have a SKI then we must use a profile that auto-generates the SKI extension, e.g.:

    policyset.<name>.<idx>.constraint.class_id=noConstraintImpl
    policyset.<name>.<idx>.constraint.name=No Constraint
    policyset.<name>.<idx>.default.class_id=subjectKeyIdentifierExtDefaultImpl
    policyset.<name>.<idx>.default.name=Subject Key Identifier Extension Def
    policyset.<name>.<idx>.default.params.critical=false

What RHCS does not have is a single profile component that copies the SKI if it is present in CSR, otherwise creates the SKI extension automatically with a value derived from the key. 


Additional info:

http://post-office.corp.redhat.com/archives/idm-tech/2019-December/msg00039.html

Comment 1 Marc Sauton 2020-02-25 06:36:13 UTC
this is about cross CA certificates enrollment, it would be good to have a profile with the OID 2.5.29.14 - Subject Key Identifier as an example.
should caCrossSignedCACert.cfg get updated or a new profile added? or just document in the admin guide? (there is an article that was published)
M.

Comment 4 Marc Sauton 2020-07-07 05:53:50 UTC
is it the same feature as in the fixed/released
bz RHEL-8.0 bz 1656856 - Need Method to Include SKI in CA Signing Certificate Request
https://bugzilla.redhat.com/1656856
https://pagure.io/dogtagpki/issue/2854
and NSS update
fixed in RHEL-7.7 with pki-core-10.5.16-3.el7 by errata https://access.redhat.com/errata/RHBA-2019:2228
and later in RHEL-8 by a pki-core rebase
?

Comment 7 Jack Magne 2020-09-08 15:43:32 UTC
Checkin upstream:

Author: Jack Magne <jmagne>
Date:   Thu Aug 6 09:48:18 2020 -0700

    Address Bug 1787115 - [RFE] Need Method to copy SKI from CSR to Certificate signed.
    
    This fix allows a way to configure a profile's SubjectKeyIdentifier process to optionally pick up
    a SKI extension from the incoming CSR and use it instead of the one that is self calculated by the server.
    
    Here is a proile snippet for the SKI as example:
    
    policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
    policyset.caCertSet.8.default.params.critical=false
    policyset.caCertSet.8.default.params.messageDigest=SHA-1
    policyset.caCertSet.8.default.params.useSKIFromCertRequest=true
    
    Note the new param : useSKIFromCertRequest=true
    This new param will default to false, thus not disturbing existing functionality.
    
    When set to true, the CA will attempt to use the SKI extension within the CSR instead
    of creating a new one unconditionally.
    
    If the new param is fals or not present, the original functionality will execute.
    
    If for some reason the ext can't be found in the CSR, the existing functionality will execute
    as well.
    
    Here is a simple CA Server CSR with a custom SKI to test with:
    
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIC7zCCAdcCAQAwZTElMCMGA1UECgwcdG9wb2xvZ3ktMDNfRm9vYmFybWFzdGVyLm9yZzEbMBkG
    A1UECxMSdG9wb2xvZ3ktMDMtQ0Etc2tpMR8wHQYDVQQDExZDQSBTaWduaW5nIENlcnRpZmljYXRl
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8Z1MUxsZ0AzV51ohgklOOF99O9pu3Akv
    OqJA2p6B5eDxRMq3s8Dfhgg9Gh7Jtje067oYQrqQ8Y7fs1N3gI5O2F3275InKw1j6YfSwAZtq7K1
    zl86ZHyI9CdHsZb1Xpb/vgyAb48mMSW2lF2Gy/4QpIQVHxpkxbxKaskEJHFE9BgptcMFaMxYGQDq
    xYWpLluGyGeHYnmE9Fx3aMaj7oo5hAW7TaYRmi+LXrvuKf1EROJntm828wWYeIG+pFfvw3it80bq
    j3xYo/6Vv2G1k1qqd4eKksbqZXMYkNKzNDkZkNgO/qRu0rL+S2KyAQmSejVmmZcjsHi/hqZoULE4
    lG1kAQIDAQABoEUwQwYJKoZIhvcNAQkOMTYwNDARBgNVHQ4ECgQIANBvANTQZ0YwDwYDVR0TAQH/
    BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwDQYJKoZIhvcNAQENBQADggEBAFPfkEGa0/m2MHOgZMUW
    ZVh1hW4nmBRE9Q7ZNhG7xvZaOK7sUuavRhL4vQ1Qf7wjS0Br43LviOGyxL9S/E9ZUuAv4ckH7pfR
    6iox/35mwF51MUm1+8RD7gCBeAQE97Bh/gBErmgWMMqlMVckf2jVwYuIbDy0DmSc41kLsMJlAmd7
    rddGIxO8kFJm/CRnwomZTM9Y/FzIq1FK/Nz7nBBX7yWUd4TustAmiwmwofmZB+gf2B0kjI/p+2sH
    uIBSWk6xdy57T3KKygtqgkDschyfTJAOHC67pCKPnPpslAOMEATxcgIV0PjP7XSvpivia1T/96Xq
    cr8G9sE8VJ/hwno1l9k=
    -----END NEW CERTIFICATE REQUEST-----
    
    If the CSR doesn't have the extension while the param is set, the SKI will
    be calculated as usual.

Comment 17 errata-xmlrpc 2021-05-18 15:25:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1775


Note You need to log in before you can comment on or make changes to this bug.