#1539 Unable to create ECC KRA Instance when kra admin key type is ECC
Closed: Fixed. Opened 8 years ago by mrniranjan.

Unable to create an ECC KRA instance when the KRA admin key type is ECC; pkispawn
fails with the error below:

pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Request Rejected - {0}"}
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Steps to Reproduce:

1. Set up an ECC CA using the config below:
[DEFAULT]
pki_instance_name=example-ecc-ca1
pki_https_port=8443
pki_http_port=8080

#NSS DB Token Password
pki_token_password=Secret123

#Admin Password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki2.example.org
pki_security_domain_name=Example Org
pki_security_domain_password=Secret123

#client Dir
pki_client_dir=/opt/example-ecc-ca1
pki_client_pkcs12_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005
[CA]
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_subject_dn=cn=CA Signing Certificate3,o=%(pki_security_domain_name)s
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate3,o=%(pki_security_domain_name)s
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate3,o=%(pki_security_domain_name)s
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-Foobar1-ca3
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_subject_dn=cn=Subsystem Certificate3,o=%(pki_security_domain_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123

2. Set up a KRA instance using the config below:

[DEFAULT]
pki_instance_name=example-ecc-kra1
pki_https_port=12443
pki_http_port=12080

#NSS DB Token Password
pki_token_password=Secret123

#KRA Admin password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123

#Security Domain
pki_security_domain_hostname=pki2.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/example-ecc-kra1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123


[Tomcat]
pki_ajp_port=12009
pki_tomcat_server_port=12005

[KRA]
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_storage_key_type=rsa
pki_storage_key_size=2048
pki_storage_key_algorithm=SHA256withRSA
pki_storage_signing_algorithm=SHA256withRSA
pki_transport_key_type=rsa
pki_transport_key_size=2048
pki_transport_key_algorithm=SHA256withRSA
pki_transport_signing_algorithm=SHA256withRSA
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_import_admin_cert=False
pki_ds_hostname=localhost
pki_ds_ldap_port=1389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123
pki_ds_secure_connection=False

3. pkispawn -s KRA -f kra_inst.inf -vv

pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: [Errno 111] Connection refused
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: [Errno 111] Connection refused
pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>KRA</Type><Status>running</Status><Version>10.2.6-4.el7pki</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/example-ecc-kra1/kra/alias -s cn=PKI Administrator,e=kraadmin@example.org,o=Example Org -k ec -q nistp256 -z /opt/example-ecc-kra1/kra/alias/noise -f /opt/example-ecc-kra1/kra/password.conf -o /opt/example-ecc-kra1/kra/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/example-ecc-kra1/kra/alias/noise
pkispawn    : INFO     ....... BtoA /opt/example-ecc-kra1/kra/alias/admin_pkcs10.bin /opt/example-ecc-kra1/kra/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Request Rejected - {0}"}
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Actual results:

KRA instance creation fails

Expected results:

KRA instance creation should succeed

Additional info:

I suspect it fails because the caAdminCert profile doesn't support ECC; the CA
debug logs show this:

[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: EnrollProfile: auth token is not null
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message=[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=12][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=kraadmin@example.org,O=Example Org] certificate request made with certificate profiles

[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: BasicProfile: validate start on setId=adminCertSet
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate cert subject =CN=PKI Administrator,E=kraadmin@example.org,O=Example Org
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate() - sn500 dname = CN=PKI Administrator,E=kraadmin@example.org,O=Example Org
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate end
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: not before: Tue Aug 04 22:09:27 IST 2015
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: not after: Wed Aug 03 22:09:27 IST 2016
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: range: 365
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: range unit: day
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: limit: Wed Aug 03 22:09:27 IST 2016
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: validate end
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: KeyConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: CertRequestSubmitter: submit Key Type RSA Not Matched
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Failure][ReqID=12][InfoName=rejectReason][InfoValue=Request Rejected - Key Type RSA Not Matched] certificate request processed
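Two diagnostic helpers, added here as an example and not taken from the Dogtag PKI sources or from this ticket. The first decodes the configuration servlet's reply as XML and falls back to JSON, so a PKIException body like the one in the traceback yields its real Message instead of a ParseError; the second models the profile KeyConstraint that logged "Key Type RSA Not Matched". The constraint parameter names keyType and keyParameters, the sample bodies and the sample constraints are all assumptions constructed for the example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples shaped after the ticket: the JSON PKIException pkispawn tried to parse as XML, and the XML status reply.
JSON_ERROR = ('{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.'
              'PKIException","Code":500,"Message":"Error in creating admin user: '
              'java.io.IOException: Request Rejected - {0}"}')
XML_STATUS = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse>'
              '<State>0</State><Type>KRA</Type><Status>running</Status>'
              '<Version>10.2.6-4.el7pki</Version></XMLResponse>')

def server_message(body):
    """Decode a configuration-servlet body that may be XML or JSON.
    pkihelper.configure_pki_data() ran ET.fromstring() unconditionally, so the
    JSON error above surfaced as a ParseError that hid the rejection reason.
    Returns a dict: the XML child elements, the JSON Code/Message, or Raw text.
    """
    try:
        root = ET.fromstring(body)
        return {child.tag: child.text for child in root}
    except ET.ParseError:
        pass
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return {"Raw": body.strip()}  # neither format: keep the raw text
    return {"Code": data.get("Code"), "Message": data.get("Message", "")}

def key_constraint_check(constraint, key_type, key_param):
    """Model of the profile KeyConstraint behind 'Key Type RSA Not Matched'.
    constraint holds the policy's keyType ("RSA", "EC" or "-" for any) and
    keyParameters (comma-separated RSA sizes or EC curve names); both names
    are assumed here. Returns None when accepted, else the rejection reason.
    """
    wanted = constraint.get("keyType", "-")
    if wanted != "-" and wanted != key_type:
        # Like the CA log, report the profile's configured type, not the CSR's.
        return "Key Type %s Not Matched" % wanted
    allowed = [p.strip() for p in constraint.get("keyParameters", "").split(",")]
    if any(allowed) and str(key_param) not in allowed:
        return "Key Parameters Not Matched"
    return None

# Pre-fix caAdminCert-style constraint (RSA only) beside one that also admits the nistp256 key pkispawn generated with 'certutil -k ec -q nistp256'.
RSA_ONLY = {"keyType": "RSA", "keyParameters": "1024,2048,3072,4096"}
RSA_OR_EC = {"keyType": "-",
             "keyParameters": "1024,2048,3072,4096,nistp256,nistp384,nistp521"}
```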

Per CS/DS Meeting of 08/10/2015 - 10.2.7

commit 017f4f9d4b3c6051f082b8c2b49d5143fd8450e9
Author: Christina Fu cfu@redhat.com
Date: Mon Aug 10 15:38:06 2015 -0700

Ticket 1539 Unable to create ECC KRA Instance when kra admin key type is ECC
This patch changes the relevant CA enrollment admin profiles so that they ac
requests for EC certs. The issue actually affected not just KRA; it also aff
other non-CA subsystems.

Metadata Update from @mrniranjan:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2098

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
