Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1538311.
Description of problem: We are able to see the following when using one of their profiles:
Issuing a cert off this profile translates 192.168.1.1/24 to what looks like an IPv6 address: c0a8:1c8:ffff:ffff:000:000:000:000
Identifier: Name Constraints - 2.5.29.30
    Critical: yes
    GeneralSubtrees:
        Permitted:
            GeneralSubtree: [
                GeneralName: IPAddress: c0a8:1c8:ffff:ffff:000:000:000:000
                Minimum: 0
                Maximum: undefined]
        Excluded:
            GeneralSubtree: [
                GeneralName: IPAddress: c0a8:101:ffff:ffff:000:000:000:000
                Minimum: 0
                Maximum: undefined]
and openssl 1.0.2k-fips sees:
X509v3 Name Constraints: critical
    Permitted:
      IP:IP Address:<invalid>
    Excluded:
      IP:IP Address:<invalid>
And according to RFC 5280 it should be the octet string... well, at least for the SAN (subject alternate name). I presume the same would apply for the Naming Constraints.
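The encoding RFC 5280 section 4.2.1.10 specifies for an iPAddress name constraint (address followed by mask, 8 octets for IPv4 and 32 for IPv6), as an added example that is not part of this ticket or of Dogtag's code. The function names are hypothetical and the sample octet strings in the comments and checks are constructed.

```python
import ipaddress

# RFC 5280 section 4.2.1.10: in Name Constraints an iPAddress is
# address || mask, so 8 octets for IPv4 and 32 octets for IPv6.
_VALID_LENGTHS = {8: ipaddress.IPv4Address, 32: ipaddress.IPv6Address}


def encode_ip_constraint(cidr: str) -> bytes:
    """Encode 'address/prefix' as the OCTET STRING content of the constraint."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip.packed + iface.netmask.packed


def decode_ip_constraint(octets: bytes) -> str:
    """Return 'address/prefix', or raise ValueError for a malformed value."""
    addr_cls = _VALID_LENGTHS.get(len(octets))
    if addr_cls is None:
        raise ValueError(
            f"iPAddress constraint must be 8 or 32 octets, got {len(octets)}")
    half = len(octets) // 2
    addr = addr_cls(octets[:half])
    mask = int.from_bytes(octets[half:], "big")
    bits = half * 8
    prefix = bin(mask).count("1")
    # A CIDR mask is a run of ones followed by zeros; reject anything else.
    if mask != ((1 << bits) - 1) ^ ((1 << (bits - prefix)) - 1):
        raise ValueError("mask is not a contiguous CIDR prefix")
    return f"{addr}/{prefix}"


def check_constraint(octets: bytes) -> str:
    """Classify a decoded extension value the way a certificate linter would."""
    try:
        return "ok: " + decode_ip_constraint(octets)
    except ValueError as exc:
        return "invalid: " + str(exc)


if __name__ == "__main__":
    good = encode_ip_constraint("192.168.1.1/24")
    print(good.hex(), check_constraint(good))
    # Constructed malformed values: a 16-octet string and a bare 4-octet address.
    for bad in (good + bytes(8), good[:4]):
        print(bad.hex(), check_constraint(bad))
```

Running a check like this over the Permitted and Excluded subtrees of issued certificates flags any constraint whose length is not 8 or 32 octets before a relying party has to parse it.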
Metadata Update from @ftweedal: - Issue assigned to ftweedal
Metadata Update from @ftweedal: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1538311 - Custom field type adjusted to None - Custom field version adjusted to None
Gerrit review: https://review.gerrithub.io/#/c/398356/
Metadata Update from @mharmsen: - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)
Pushed to master:
Metadata Update from @ftweedal: - Issue close_status updated to: fixed - Issue set to the milestone: 10.6.0 (was: 10.5)
Pushed to DOGTAG_10_5_BRANCH:
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.7 (was: 10.6.0)
Metadata Update from @mharmsen: - Issue priority set to: critical
Re-opening to fix another issue.
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.5.7) - Issue status updated to: Open (was: Closed)
Metadata Update from @mharmsen: - Issue priority set to: blocker (was: critical)
New gerrit review: https://review.gerrithub.io/#/c/dogtagpki/pki/+/412715
More commits, to fix issues discovered during QE, have been pushed to upstream master:
Closing FIXED (again).
Metadata Update from @ftweedal: - Issue close_status updated to: fixed
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.9 (was: 10.5)
Re-opening (again -_-) to fix another issue.
Gerrit reviews:
- master: https://review.gerrithub.io/c/dogtagpki/pki/+/415271
- DOGTAG_10_5_BRANCH: https://review.gerrithub.io/c/dogtagpki/pki/+/415273
Metadata Update from @ftweedal: - Issue status updated to: Open (was: Closed)
commit a85486cfc7644b6a1caac6f5a2b34c4516ea1288
Author: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri Jun 15 00:28:43 2018 +1000

    IPAddressName: fix construction from String

    The IPAddressName(String) constructor (the non-netmask case) was
    broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6. Fix it,
    and rename one of the helper methods to clarify its behaviour.

    Fixes: https://pagure.io/dogtagpki/issue/2922
    Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.10-1.fc27 - Issue close_status updated to: fixed - Issue set to the milestone: 10.5.10 (was: 10.5.9) - Issue status updated to: Closed (was: Open)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3040
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.