1802006 – KRA installation failed to create ECC admin cert

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1802006 - KRA installation failed to create ECC admin cert

Summary: KRA installation failed to create ECC admin cert

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	8.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.2
Assignee:	RHCS Maintainers
QA Contact:	PKI QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-02-12 06:37 UTC by shalini
Modified:	2023-09-14 05:52 UTC (History)
CC List:	5 users (show)
Fixed In Version:	pki-core-10.6-8020020200217060646.c7c3114f
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-28 15:45:20 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	skhandel: needinfo+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:1644	0	None	None	None	2020-04-28 15:46:04 UTC

Description shalini 2020-02-12 06:37:38 UTC

Description of problem:
KRA installation failing in ECC mode with pki_admin_key_type=ecc in conf file

Version-Release number of selected component (if applicable):
RHEL8.2
pki-ca-10.8.0-0.5.module+el8.2.0+5469+26e16009.noarch
pki-kra-10.8.0-0.5.module+el8.2.0+5469+26e16009.noarch

How reproducible:
always

Steps to Reproduce:
1. Install ca in ECC mode with mentioned ecc configurations in attached ca.cfg file.
2. Try installing kra in ECC mode with mentioned ecc configurations in attached kra.cfg file.
3. Comment following parameters in kra conf file and retry installation.
pki_admin_key_type=ecc
pki_admin_key_size=nistp521
pki_admin_key_algorithm=SHA512withEC


Actual results:
1. CA installation success
2. KRA installation fails with following exception 
""" java.io.IOException: Unable to generate admin certificate: Request 24 Rejected - Key Type RSA Not Matched """
3. Installation success.


Expected results:
Installation in step 2 should be success, This is a regression test scenario and was functional in RHEL78


Additional info:
In step 3 : When pki_admin_key_type field is commented in kra config file. An admin cert with RSA also is generated thus installation is success.
ECC admin cert creation failed during installation in step 2. 

Attached are debug logs.

Comment 4 Endi Sukma Dewata 2020-02-12 09:15:55 UTC

Hi Christina,

You're probably more familiar with this area. I noticed that the
caAdminCert and the caECAdminCert profiles in CA's CS.cfg are pointing
to the same configuration file that contains an RSA key constraint.

https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/conf/CS.cfg#L1102-L1105

profile.caAdminCert.class_id=caEnrollImpl
profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
profile.caECAdminCert.class_id=caEnrollImpl
profile.caECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg

https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/profiles/ca/caAdminCert.cfg#L32-L35

policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
policyset.adminCertSet.3.constraint.name=Key Constraint
policyset.adminCertSet.3.constraint.params.keyType=RSA
policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096

I'm not sure how it works on RHEL 7 but on RHEL 8 the caECAdminCert
profile rejects KRA admin's ECC cert request because of this constraint.

If I change the caECAdminCert profile to use caECAdminCert.cfg instead
it will load the ECC key constraint:

https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35

policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
policyset.adminCertSet.3.constraint.name=Key Constraint
policyset.adminCertSet.3.constraint.params.keyType=-
policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521

and the KRA installation will complete successfully.
Could you take a look? Thanks.

Comment 5 Endi Sukma Dewata 2020-02-12 09:24:54 UTC

Sorry, I should have linked the files in the master (10.8) branch:

* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/CS.cfg#L1086-L1089
* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/caAdminCert.cfg#L32-L35
* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35

Regardless, the above sections are identical in master and 10.5 branch.

Comment 6 Geetika Kapoor 2020-02-12 09:46:24 UTC

Endi, Christina,

I was able to install it but i need to do some tweaks in https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35. 
I did add ECC in keytype and when i did restart it was again picking RSA. Restart was somehow not picking the changes and it was still showing RSA so changing from admin console to ECC worked and later installation also passed. I was not sure why changes in profile file and restart didn't pick the changes. Does registry needs to be refreshed or something?

Thanks

Comment 7 Christina Fu 2020-02-12 22:32:09 UTC

1. Shalini, I have trouble understanding your step 2 and 3.  In step 2, you said "Try installing kra in ECC mode with mentioned ecc configurations in attached kra.cfg file.", but you didn't say what happened there.  Was it successful?  If not, what was the debug info?
  Then in step 3, you said you commented out the ec params in the kra's pkispawn file and tried again.  So here you are trying to get an RSA admin cert for an EC environment?  Is this a negative case?

2. Endi and Geetika, the profiles gets automatically switched depending on the key type:
https://github.com/dogtagpki/pki/blob/master/base/server/src/com/netscape/cms/servlet/csadmin/Configurator.java#L2421-L2425
As you can see, we did that for startup profiles;  That's what Jack and I discussed and agreed on at the time.  He implemented that.

Does that help?

Comment 8 Endi Sukma Dewata 2020-02-13 02:46:37 UTC

Christina, yes, KRA will submit a request to caAdminCert or caECAdminCert profile based
on that code. However, as shown above both of these profiles point to the same RSA profile
configuration file, so ECC request to caECAdminCert will always be rejected.

I was wondering if it's simply a typo in CS.cfg or if there's other logic that I'm not
aware of. I'm also curious how the code works in RHEL 7 since the parts shown above are
identical in RHEL 7 and 8.

Comment 9 Geetika Kapoor 2020-02-13 05:55:17 UTC

Christina it is going to right profile if ecc is slected ..No doubt on that part. Request is going to caECAdminCert profile 
But even after making keytype as ECC in caECAdminCert profile and restarting CA , it was giving Key mismatch error but as soon as i make ECC from admin console same change for caECAdminCert profile  it worked.

Comment 10 Endi Sukma Dewata 2020-02-14 04:38:34 UTC

Jack, any idea about this?

Comment 11 shalini 2020-02-14 05:41:15 UTC

Christina, As i mentioned in actual and expected output:

Step 2 is failing and expected to be success. : debug logs are also attached [ KRA failure debug log ] .
Step 3 is Success and working as expected. : This is a positive scenario. Just admin-cert in KRA installation is RSA, rest all certs are ECC. Similar scenario is mentioned in below documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_KRA_with_ECC.md

When I try to have an ECC admin-cert during KRA installation, There is failure with following exception [Step2] .
""" java.io.IOException: Unable to generate admin certificate: Request 24 Rejected - Key Type RSA Not Matched """

Comment 12 Endi Sukma Dewata 2020-02-16 15:31:29 UTC

The code has been updated upstream:
* master (10.8) branch: https://github.com/dogtagpki/pki/commit/84c039e9d93794df118e926c24aacf1da8fd166e
* 10.5 branch: https://github.com/dogtagpki/pki/commit/848946c07b4d67e27cfd8128bc7409e0db9983cd

Comment 14 Endi Sukma Dewata 2020-02-17 08:55:41 UTC

I have added the RHEL 8 build into the errata.

Please note that there are 2 options for the admin cert during KRA installation:
1. Import an existing admin cert (pki_import_admin_cert=True). This is the default.
2. Request a new admin cert from the CA (pki_import_admin_cert=False)

The first scenario seems to be working fine, but the second scenario
is failing with ECC key type due to the incorrect path explained above.

Here's a sample deployment configuration to test scenario #2:

[KRA]
pki_import_admin_cert=False

pki_admin_email=kraadmin
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret.123
pki_admin_uid=kraadmin

pki_admin_key_type=ecc
pki_admin_key_algorithm=SHA256withEC
pki_admin_key_size=nistp256

Comment 18 shalini 2020-03-17 15:11:23 UTC

KRA installation worked with ECC admin cert. Following is the build on which testing is performed:

pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a.x86_64
pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
python3-pki-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-server-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-base-java-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-ca-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-kra-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a.x86_64
pki-base-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch

jss-4.6.2-3.module+el8.2.0+5925+bad5981a.x86_64
tomcatjss-7.4.1-2.module+el8.2.0+4573+c3c38c7b.no

Marking this bugzilla verified.

Comment 20 errata-xmlrpc 2020-04-28 15:45:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1644

Comment 21 Red Hat Bugzilla 2023-09-14 05:52:20 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.