Test Case 1:
Question: Will cert usage be the same for both RSA CA and ECC CA? I see SSLServer in ECC cert usage.
# pki -d /var/lib/pki/gkapoor_RHCS_75_ecc/alias --token NHSM6000-OCS client-cert-validate "NHSM6000-OCS:caSigningCert cert-gkapoor_RHCS_75_ecc CA" --certusage CheckAllUsages
Enter password for NHSM6000-OCS
Cert has the following usages: SSLServer,SSLClient,SSLCA,EmailSigner,EmailRecipient,UserCertImport,VerifyCA,ProtectedObjectSigner,StatusResponder,AnyCA
# pki -d /var/lib/pki/gkapoor_RHCS_75_ssl/alias --token NHSM6000-OCS client-cert-validate "NHSM6000-OCS:caSigningCert cert-gkapoor_RHCS_75_ssl CA" --certusage CheckAllUsages
Enter password for NHSM6000-OCS
Cert has the following usages: SSLClient,SSLCA,EmailSigner,UserCertImport,VerifyCA,ProtectedObjectSigner,StatusResponder,AnyCA
Test Case 2: --> Seeing issue
When Signature Algorithm: SHA384withEC - 1.2.840.10045.4.3.3, i.e. RootCA is "ECC". Signing CMC certs is not working with RootCA as ECC. ExternalCA with ECC is currently not working: https://bugzilla.redhat.com/show_bug.cgi?id=1544843
# PKCS10Client -d /root/ssl_cert_ecc -p <password> -n "cn=Test75z1ecc, uid=Testing" -a ec -c nistp256 -o user-signed/pkcs10.req.ecc
I see the message below. When the same CMC request is sent to an RSA CA, it works fine.
[21/Feb/2018:07:40:38][http-bio-20443-exec-3]: ProfileSubmitCMCServlet: authentication error Invalid Credential.
Exception: CMCAuth: org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Test Case 3: Works
Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13, i.e. when RootCA is RSA.
SEQUENCE (2 elem)
  OBJECT IDENTIFIER 1.2.840.113549.1.1.13 sha512WithRSAEncryption (PKCS #1)
  NULL
Even though this has NULL, validation works because the RFC says:
sha512WithRSAEncryption
sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
Parameters are required, and they must be NULL.
Name = sha512WithRSAEncryption, oid = 1.2.840.113549.1.1.13
Length = 15
0000: 300d 0609 2a86 4886 f70d 0101 0d05 00
Signing for ECC and RSA both works.
Steps to Reproduce:
1. Configure RootCA with ECC
2. Follow the same procedure as mentioned in Examples (User Certificates - EC) http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_EC_cmc_request
Actual results:
Seeing error:
[21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Expected results:
No error should occur.
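As an added example (not from the ticket or from Dogtag's code), the Python below decodes a DER AlgorithmIdentifier such as the sha512WithRSAEncryption dump in Test Case 3 and checks its parameters field against the encoding rule for that algorithm. The rule for the ECC case (parameters absent, RFC 5758) and the two ECDSA byte strings are constructed here and are not taken from the page.

```python
# Added example (not from the ticket): decode a DER AlgorithmIdentifier like the
# 15-byte dump in Test Case 3 and check its parameters against the rule for that
# algorithm. PKCS #1 (RFC 8017) requires NULL parameters for sha512WithRSAEncryption;
# RFC 5758 s3.2 requires the parameters field to be absent for ecdsa-with-SHA384.
SIG_OIDS = {
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "null"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "absent"),
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in an AlgorithmIdentifier")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (X.690 8.19) to dotted form."""
    arcs = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last octet of this arc has the high bit clear
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def check_algorithm_identifier(der):
    """Parse SEQUENCE { OID, parameters OPTIONAL }; return (oid, name, params, conforms)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("first element is not an OBJECT IDENTIFIER")
    oid = decode_oid(oid_raw)
    if pos == len(body):
        params = "absent"
    else:
        ptag, pval, pos = _read_tlv(body, pos)
        params = "null" if (ptag == 0x05 and pval == b"") else "other"
    name, expected = SIG_OIDS.get(oid, ("unknown", None))
    return oid, name, params, expected is not None and params == expected

# RSA_SHA512 is the dump from Test Case 3; the two ECDSA encodings are constructed
# here for 1.2.840.10045.4.3.3, without and with a (non-conforming) NULL parameter.
RSA_SHA512 = bytes.fromhex("300d06092a864886f70d01010d0500")
EC_SHA384_OK = bytes.fromhex("300a06082a8648ce3d040303")
EC_SHA384_WITH_NULL = bytes.fromhex("300c06082a8648ce3d0403030500")
```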
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1548124
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue assigned to cfu
- Issue priority set to: critical
- Issue set to the milestone: 10.6
up for review: https://review.gerrithub.io/#/c/401515/
commit c6630a429f6f4a9b2c2090001f0a2c50e10ba5c4
Author: Christina Fu cfu@redhat.com
Date: Mon Feb 26 14:01:18 2018 -0800

Ticket #2949 CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database

This patch addresses the "TokenException: Unable to insert certificate into temporary database" issue caused by CMC authentication. During the CMC authentication, looks like the following JSS CryptoManager call actually tries to import the certificate temporarily into the token and causes conflicts:

public boolean isCertValid(byte[] certPackage, boolean checkSig, CertUsage certUsage)

That call is not appropriate for the purpose. Looking closely, certificate validation has been done in various places:
* SSL client authentication (if used)
* the isRevoked() call either in agent authentication or in CMCUserSignedAuth
* the cert.checkValidity() call in CMCUserSignedAuth

The extra isCertValid call is not only redundant but also problematic.

This patch fixes https://pagure.io/dogtagpki/issue/2949
Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.7 (was: 10.6)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3067
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.