Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1802006

Summary: KRA installation failed to create ECC admin cert
Product: Red Hat Enterprise Linux 8 Reporter: shalini <skhandel>
Component: pki-coreAssignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.2CC: cfu, edewata, gkapoor, jmagne, mharmsen
Target Milestone: rcFlags: skhandel: needinfo+
pm-rhel: mirror+
Target Release: 8.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.6-8020020200217060646.c7c3114f Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 15:45:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description shalini 2020-02-12 06:37:38 UTC 
Description of problem:
KRA installation failing in ECC mode with pki_admin_key_type=ecc in conf file

Version-Release number of selected component (if applicable):
RHEL8.2
pki-ca-10.8.0-0.5.module+el8.2.0+5469+26e16009.noarch
pki-kra-10.8.0-0.5.module+el8.2.0+5469+26e16009.noarch

How reproducible:
always

Steps to Reproduce:
1. Install ca in ECC mode with mentioned ecc configurations in attached ca.cfg file.
2. Try installing kra in ECC mode with mentioned ecc configurations in attached kra.cfg file.
3. Comment following parameters in kra conf file and retry installation.
pki_admin_key_type=ecc
pki_admin_key_size=nistp521
pki_admin_key_algorithm=SHA512withEC


Actual results:
1. CA installation success
2. KRA installation fails with following exception 
""" java.io.IOException: Unable to generate admin certificate: Request 24 Rejected - Key Type RSA Not Matched """
3. Installation success.


Expected results:
Installation in step 2 should be success, This is a regression test scenario and was functional in RHEL78


Additional info:
In step 3 : When pki_admin_key_type field is commented in kra config file. An admin cert with RSA also is generated thus installation is success.
ECC admin cert creation failed during installation in step 2. 

Attached are debug logs.
Comment 4 Endi Sukma Dewata 2020-02-12 09:15:55 UTC 
Hi Christina,

You're probably more familiar with this area. I noticed that the
caAdminCert and the caECAdminCert profiles in CA's CS.cfg are pointing
to the same configuration file that contains an RSA key constraint.

https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/conf/CS.cfg#L1102-L1105

profile.caAdminCert.class_id=caEnrollImpl
profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
profile.caECAdminCert.class_id=caEnrollImpl
profile.caECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg

https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/profiles/ca/caAdminCert.cfg#L32-L35

policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
policyset.adminCertSet.3.constraint.name=Key Constraint
policyset.adminCertSet.3.constraint.params.keyType=RSA
policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096

I'm not sure how it works on RHEL 7 but on RHEL 8 the caECAdminCert
profile rejects KRA admin's ECC cert request because of this constraint.

If I change the caECAdminCert profile to use caECAdminCert.cfg instead
it will load the ECC key constraint:

https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35

policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
policyset.adminCertSet.3.constraint.name=Key Constraint
policyset.adminCertSet.3.constraint.params.keyType=-
policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521

and the KRA installation will complete successfully.
Could you take a look? Thanks.
Comment 5 Endi Sukma Dewata 2020-02-12 09:24:54 UTC 
Sorry, I should have linked the files in the master (10.8) branch:

* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/CS.cfg#L1086-L1089
* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/caAdminCert.cfg#L32-L35
* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35

Regardless, the above sections are identical in master and 10.5 branch.
Comment 6 Geetika Kapoor 2020-02-12 09:46:24 UTC 
Endi, Christina,

I was able to install it but i need to do some tweaks in https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35. 
I did add ECC in keytype and when i did restart it was again picking RSA. Restart was somehow not picking the changes and it was still showing RSA so changing from admin console to ECC worked and later installation also passed. I was not sure why changes in profile file and restart didn't pick the changes. Does registry needs to be refreshed or something?

Thanks
Comment 7 Christina Fu 2020-02-12 22:32:09 UTC 
1. Shalini, I have trouble understanding your step 2 and 3.  In step 2, you said "Try installing kra in ECC mode with mentioned ecc configurations in attached kra.cfg file.", but you didn't say what happened there.  Was it successful?  If not, what was the debug info?
  Then in step 3, you said you commented out the ec params in the kra's pkispawn file and tried again.  So here you are trying to get an RSA admin cert for an EC environment?  Is this a negative case?

2. Endi and Geetika, the profiles gets automatically switched depending on the key type:
https://github.com/dogtagpki/pki/blob/master/base/server/src/com/netscape/cms/servlet/csadmin/Configurator.java#L2421-L2425
As you can see, we did that for startup profiles;  That's what Jack and I discussed and agreed on at the time.  He implemented that.

Does that help?
Comment 8 Endi Sukma Dewata 2020-02-13 02:46:37 UTC 
Christina, yes, KRA will submit a request to caAdminCert or caECAdminCert profile based
on that code. However, as shown above both of these profiles point to the same RSA profile
configuration file, so ECC request to caECAdminCert will always be rejected.

I was wondering if it's simply a typo in CS.cfg or if there's other logic that I'm not
aware of. I'm also curious how the code works in RHEL 7 since the parts shown above are
identical in RHEL 7 and 8.
Comment 9 Geetika Kapoor 2020-02-13 05:55:17 UTC 
Christina it is going to right profile if ecc is slected ..No doubt on that part. Request is going to caECAdminCert profile 
But even after making keytype as ECC in caECAdminCert profile and restarting CA , it was giving Key mismatch error but as soon as i make ECC from admin console same change for caECAdminCert profile  it worked.
Comment 10 Endi Sukma Dewata 2020-02-14 04:38:34 UTC 
Jack, any idea about this?
Comment 11 shalini 2020-02-14 05:41:15 UTC 
Christina, As i mentioned in actual and expected output:

Step 2 is failing and expected to be success. : debug logs are also attached [ KRA failure debug log ] .
Step 3 is Success and working as expected. : This is a positive scenario. Just admin-cert in KRA installation is RSA, rest all certs are ECC. Similar scenario is mentioned in below documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_KRA_with_ECC.md

When I try to have an ECC admin-cert during KRA installation, There is failure with following exception [Step2] .
""" java.io.IOException: Unable to generate admin certificate: Request 24 Rejected - Key Type RSA Not Matched """
Comment 12 Endi Sukma Dewata 2020-02-16 15:31:29 UTC 
The code has been updated upstream:
* master (10.8) branch: https://github.com/dogtagpki/pki/commit/84c039e9d93794df118e926c24aacf1da8fd166e
* 10.5 branch: https://github.com/dogtagpki/pki/commit/848946c07b4d67e27cfd8128bc7409e0db9983cd
Comment 14 Endi Sukma Dewata 2020-02-17 08:55:41 UTC 
I have added the RHEL 8 build into the errata.

Please note that there are 2 options for the admin cert during KRA installation:
1. Import an existing admin cert (pki_import_admin_cert=True). This is the default.
2. Request a new admin cert from the CA (pki_import_admin_cert=False)

The first scenario seems to be working fine, but the second scenario
is failing with ECC key type due to the incorrect path explained above.

Here's a sample deployment configuration to test scenario #2:

[KRA]
pki_import_admin_cert=False

pki_admin_email=kraadmin
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret.123
pki_admin_uid=kraadmin

pki_admin_key_type=ecc
pki_admin_key_algorithm=SHA256withEC
pki_admin_key_size=nistp256
Comment 18 shalini 2020-03-17 15:11:23 UTC 
KRA installation worked with ECC admin cert. Following is the build on which testing is performed:

pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a.x86_64
pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
python3-pki-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-server-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-base-java-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-ca-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-kra-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a.x86_64
pki-base-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch

jss-4.6.2-3.module+el8.2.0+5925+bad5981a.x86_64
tomcatjss-7.4.1-2.module+el8.2.0+4573+c3c38c7b.no

Marking this bugzilla verified.
Comment 20 errata-xmlrpc 2020-04-28 15:45:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1644
Comment 21 Red Hat Bugzilla 2023-09-14 05:52:20 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days