Key IDs are displayed as unsigned hex numbers by certutil:
$ certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f password.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7c2dd8cd2213494ab6e26e70fde332669f17f913   ca_ocsp_signing
< 1> rsa      e91f694a9e7c753cd7aa533cf5f6195d26523ee0   NSS Certificate DB:sslserver
< 2> rsa      446ed35d7e811e7f73d0d1f220afc60083deba74   ca_signing
< 3> rsa      34488253ad5443552b89c4087b4e36e6d212ba17   subsystem
< 4> rsa      b60333e92c6d9643b6e41407fa1557e54a442e35   ca_audit_signing
However, the key IDs are stored as signed hex numbers in CS.cfg:
cloning.audit_signing.privkey.id=-49fccc16d39269bc491bebf805eaa81ab5bbd1cb
cloning.ocsp_signing.privkey.id=7c2dd8cd2213494ab6e26e70fde332669f17f913
cloning.signing.privkey.id=446ed35d7e811e7f73d0d1f220afc60083deba74
cloning.subsystem.privkey.id=34488253ad5443552b89c4087b4e36e6d212ba17
Also, PKI always treats the key ID as a signed hex number in various locations.
Depending on the value, sometimes they may not match, which may lead to confusion or other problems.
To avoid potential problems, they should be treated consistently as unsigned hex numbers.
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Per PKI Team Meeting of 20180109: 10.5
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1532867
Metadata Update from @mharmsen: - Issue priority set to: critical
Per PKI Team Meeting of 20180118 moving to 10.6
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: 10.5)
If the problem happens with sslserver key ID, installation will fail with the following message:
Installation failed: com.netscape.certsrv.base.BadRequestException: Unable to find private key for certificate sslserver
The debug log shows that the server is trying to find the sslserver private key with a 19-byte-long key ID:
[30/Jan/2018:23:18:09][http-bio-8443-exec-3]: generateCertRequest: getting private key for certificate sslserver
[30/Jan/2018:23:18:09][http-bio-8443-exec-3]: generateCertRequest: private key ID: 71a43d56fb7ae818604db6c7a073ff08338650
[30/Jan/2018:23:18:09][http-bio-8443-exec-3]: generateCertRequest: Unable to find private key for certificate sslserver
In the CS.cfg the sslserver key ID is also 19 bytes long:
preop.cert.sslserver.privkey.id=71a43d56fb7ae818604db6c7a073ff08338650
However, in the NSS database the sslserver key ID is actually 20 bytes long:
$ certutil -K -d alias -f password.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2e43365f8d076ed04046fb0258646b055c629f55   (orphan)
< 1> rsa      0071a43d56fb7ae818604db6c7a073ff08338650   NSS Certificate DB:sslserver
< 2> rsa      3b08b55eac68d413d6611e6dd32057816e47af6e   (orphan)
Apparently the actual key ID starts with a zero, but it disappears due to an encoding/decoding error.
I have attached the NSS database.
Attachment: nssdb.tar.gz (/dogtagpki/issue/raw/files/7d2348e3b5eef274e1092f1aec629be04815e6eeee0b75be20bea40b94f64d83-nssdb.tar.gz)
Attached is a program that demonstrates the problem. To compile the program:
$ javac KeyIDValidator.java
To run the program:
$ java KeyIDValidator <key ID in NSS database>
For example:
$ java KeyIDValidator e91f694a9e7c753cd7aa533cf5f6195d26523ee0
Key ID in NSS database : e91f694a9e7c753cd7aa533cf5f6195d26523ee0
Key ID stored in CS.cfg: -16e096b561838ac32855acc30a09e6a2d9adc120
Key ID used for lookup : e91f694a9e7c753cd7aa533cf5f6195d26523ee0
Result: SUCCESS

$ java KeyIDValidator ffff9ea54e240ccdceb42c026f8ac01c9782ca73
Key ID in NSS database : ffff9ea54e240ccdceb42c026f8ac01c9782ca73
Key ID stored in CS.cfg: -615ab1dbf332314bd3fd90753fe3687d358d
Key ID used for lookup : 9ea54e240ccdceb42c026f8ac01c9782ca73
Result: FAILED

$ java KeyIDValidator 0071a43d56fb7ae818604db6c7a073ff08338650
Key ID in NSS database : 0071a43d56fb7ae818604db6c7a073ff08338650
Key ID stored in CS.cfg: 71a43d56fb7ae818604db6c7a073ff08338650
Key ID used for lookup : 71a43d56fb7ae818604db6c7a073ff08338650
Result: FAILED

Attachment: KeyIDValidator.java (/dogtagpki/issue/raw/files/434a2ff7c73bf418c62ca2a5e6892fb2bacf4be91022ebc8c3741340019e993b-KeyIDValidator.java)
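The signed-versus-unsigned mismatch described in the opening report and reproduced by the KeyIDValidator runs above, as an added Python example that is not part of this issue, of the attached KeyIDValidator.java, or of the Dogtag PKI code base. Python's int stands in for java.math.BigInteger: int.from_bytes(..., signed=True) plays the role of the signed BigInteger(byte[]) constructor, and a small helper mirrors BigInteger.toByteArray(). The exact conversion path PKI takes (toString(16) when writing CS.cfg, BigInteger(String, 16).toByteArray() when looking the key up) is an assumption inferred from the validator output, not read from PKI source. The three key IDs are the ones from the runs above; the unsigned functions show the fixed-width handling the report asks for.

```python
# Added example (not from the issue or the Dogtag PKI code base): round-trips an
# NSS key ID through a CS.cfg-style string the signed way (modelled on Java
# BigInteger semantics) and the unsigned way. The signed conversion path is an
# assumption inferred from the KeyIDValidator output on the page.


def java_to_byte_array(n: int) -> bytes:
    """Mirror java.math.BigInteger.toByteArray(): the shortest big-endian
    two's-complement encoding that still carries a sign bit."""
    # Java's bitLength() excludes the sign bit; for a negative value it is the
    # bit length of the one's complement, which Python exposes as (~n).
    bit_len = (~n).bit_length() if n < 0 else n.bit_length()
    return n.to_bytes(bit_len // 8 + 1, "big", signed=True)


def signed_round_trip(nss_key_id_hex: str) -> dict:
    """Buggy path: the 20-byte NSS key ID is read as a *signed* big integer.

    A key ID whose first byte is >= 0x80 becomes negative, and a key ID that
    starts with 0x00 loses that byte, because the hex form of an integer has
    no notion of the original byte length."""
    key_id = bytes.fromhex(nss_key_id_hex)
    # new BigInteger(key_id).toString(16)  -> value written to CS.cfg
    stored = format(int.from_bytes(key_id, "big", signed=True), "x")
    # new BigInteger(stored, 16).toByteArray() -> bytes used for the NSS lookup
    lookup = java_to_byte_array(int(stored, 16)).hex()
    return {"nss": nss_key_id_hex, "cfg": stored, "lookup": lookup,
            "ok": lookup == nss_key_id_hex}


def unsigned_round_trip(nss_key_id_hex: str) -> dict:
    """Fixed path: keep the key ID as an unsigned, fixed-width hex string.

    bytes.hex() never emits a sign and never drops a leading zero byte, so the
    string in CS.cfg is byte-for-byte what certutil -K prints."""
    key_id = bytes.fromhex(nss_key_id_hex)
    stored = key_id.hex()
    lookup = bytes.fromhex(stored).hex()
    return {"nss": nss_key_id_hex, "cfg": stored, "lookup": lookup,
            "ok": lookup == nss_key_id_hex}


# The three key IDs from the KeyIDValidator runs on the page.
SAMPLE_KEY_IDS = (
    "e91f694a9e7c753cd7aa533cf5f6195d26523ee0",  # negative as signed, still 20 bytes
    "ffff9ea54e240ccdceb42c026f8ac01c9782ca73",  # negative, leading 0xffff folded into the sign
    "0071a43d56fb7ae818604db6c7a073ff08338650",  # positive, leading 0x00 dropped
)


def report(round_trip) -> list:
    """Run a round-trip function over the sample IDs, print a
    KeyIDValidator-style summary, and return the per-ID results."""
    results = []
    for key_id in SAMPLE_KEY_IDS:
        r = round_trip(key_id)
        print(f"Key ID in NSS database : {r['nss']}")
        print(f"Key ID stored in CS.cfg: {r['cfg']}")
        print(f"Key ID used for lookup : {r['lookup']}")
        print("Result:", "SUCCESS" if r["ok"] else "FAILED")
        print()
        results.append(r)
    return results


if __name__ == "__main__":
    print("== signed handling (as reported) ==")
    report(signed_round_trip)
    print("== unsigned handling (as proposed) ==")
    report(unsigned_round_trip)
```

The signed path reproduces all three validator results, including the 18-byte lookup value for the ffff... key ID and the 19-byte value for the 0071... key ID; the unsigned path returns the original 20-byte string in every case because a hex dump of the raw bytes carries its own length.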
Metadata Update from @mharmsen:
- Issue assigned to edewata
- Issue priority set to: blocker (was: critical)
- Issue set to the milestone: 10.5 (was: 10.6)
Fixed in master:
Fixed in 10.5 branch:
Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.6 (was: 10.5)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3002
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.