Due to JSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=1409867, the CMC responses coming from the CA are not correctly formed and potentially incompatible with other security libraries than JSS. A CA with an RSA key produces a signature that is apparently compatible but it is incorrrect nonetheless. A CA with an EC key produces a signature that is incompatible due to being out of spec with CMS. Due to the JSS SignerInfo code a raw key signature algorithm is only ever used despite a "<key alg>with<digest alg>" type algorithm being specified.
The signature algorithm is determined here: https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java#L607
Here is where the SignerInfo is created with the signature algorithm determined above: https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java#L635
I don't know 100% but I would imagine that things like SHA256withRSA, SHA1withRSA, SHA512withRSA, SHA1withDSA, SHA256withEC, SHA1withEC, SHA384withEC, SHA512withEC are getting passed in there, in which case the SignerInfos are wrong.
As I said above this impact is really an incompatibility issue and I only found the problem trying to verify a CMC response from one of my EC CAs using a new crypto library (Not JSS). CMC responses from my RSA CAs will verify, but they're still technically wrong.
Metadata Update from @mharmsen: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None - Issue set to the milestone: 0.0 NEEDS_TRIAGE
As the fix for this bug seems confined to JSS, I am closing this dogtagpki Pagure Issue as "CLOSED invalid", and instead, tracking the JSS changes via the following bugs:
Metadata Update from @mharmsen: - Issue close_status updated to: invalid - Issue set to the milestone: 10.5.0 (was: 0.0 NEEDS_TRIAGE) - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.1 (was: 10.5.0)
When the new JSS builds for Fedora and CentOS/RHEL become available, the JSS dependency in pki-core.spec (and possibly other spec files as well) need to be updated.
Metadata Update from @edewata: - Issue set to the milestone: 10.5 (was: 10.5.1) - Issue status updated to: Open (was: Closed)
Metadata Update from @mharmsen: - Issue assigned to mharmsen
Metadata Update from @mharmsen: - Issue priority set to: critical
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1505801
Dependencies have been updated
Metadata Update from @mharmsen: - Issue close_status updated to: fixed - Issue set to the milestone: 10.5.1 (was: 10.5) - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.1-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2957
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Log in to comment on this ticket.