dogtagpki

Clone
Source Code
GIT

#2949 CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database
Closed: fixed 6 years ago Opened 6 years ago by mharmsen.

Closed: fixed
Reopen Issue

Test Case 1:

  1. I have RSA CA configured.
  2. I have one EC CA configured.

Question: Will cert usage will be same for both RSA CA and ECC CA? I see SSLServer in ecc cert usage.

# pki -d /var/lib/pki/gkapoor_RHCS_75_ecc/alias --token NHSM6000-OCS client-cert-validate "NHSM6000-OCS:caSigningCert cert-gkapoor_RHCS_75_ecc CA"  --certusage CheckAllUsages
Enter password for NHSM6000-OCS

Cert has the following usages: SSLServer,SSLClient,SSLCA,EmailSigner,EmailRecipient,UserCertImport,VerifyCA,ProtectedObjectSigner,StatusResponder,AnyCA

# pki -d /var/lib/pki/gkapoor_RHCS_75_ssl/alias --token NHSM6000-OCS client-cert-validate "NHSM6000-OCS:caSigningCert cert-gkapoor_RHCS_75_ssl CA"  --certusage CheckAllUsages
Enter password for NHSM6000-OCS

Cert has the following usages: SSLClient,SSLCA,EmailSigner,UserCertImport,VerifyCA,ProtectedObjectSigner,StatusResponder,AnyCA

Test Case 2: --> Seeing issue

When Signature Algorithm: SHA384withEC - 1.2.840.10045.4.3.3 i.e RootCA is "ECC".Signing CMC Certs is not working with RootCA as ECC.
ExternalCA with ecc is currently not working: https://bugzilla.redhat.com/show_bug.cgi?id=1544843

  1. I have RootCA ECC setup.
  2. I try to sign certificate using that instance. I create pkcs10client request like:
# PKCS10Client -d  /root/ssl_cert_ecc -p <password> -n "cn=Test75z1ecc, uid=Testing" -a ec -c nistp256 -o user-signed/pkcs10.req.ecc
  1. we use CMCResponse.
  2. Now we sent HttpClient request.

I see below message.With same request when send to RSA CA, it works fine with same CMCrequest.

[21/Feb/2018:07:40:38][http-bio-20443-exec-3]: ProfileSubmitCMCServlet: authentication error Invalid Credential.

Exception:
CMCAuth: org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Test Case 3: Works

Signature Algorithm: SHA512withRSA - 1.2.840.113549.1.1.13 i.e when RootCA is RSA.

SEQUENCE(2 elem)
OBJECT IDENTIFIER1.2.840.113549.1.1.13sha512WithRSAEncryption(PKCS #1)
NULL

Even this has NULL but validation works because RFC says:

sha512WithRSAEncryption

sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }

Parameters are required, and they must be NULL.

Name = sha512WithRSAEncryption, oid = 1.2.840.113549.1.1.13
Length = 15
0000: 300d 0609 2a86 4886 f70d 0101 0d05 00

Signing for ECC and RSA both works.

Steps to Reproduce:

1.Configure RootCA with ECC
2.Follow the same procedure as mentioned in Examples (User Certificates -EC) 
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#User-signed_EC_cmc_request

Actual results:

Seeing error : [21/Feb/2018:07:40:37][http-bio-20443-exec-3]: CMCAuth: org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Expected results:

No Error should occour

Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1548124
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue assigned to cfu
- Issue priority set to: critical
- Issue set to the milestone: 10.6
6 years ago

commit c6630a429f6f4a9b2c2090001f0a2c50e10ba5c4
Author: Christina Fu cfu@redhat.com
Date: Mon Feb 26 14:01:18 2018 -0800

Ticket #2949 CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database

This patch addresses the "TokenException: Unable to insert certificate into temporary database" issue caused by CMC authentication.  During the CMC authentication, looks like the following JSS CryptoManager call actually tries to import the certificate temporarily into the token and causes conflicts:
public boolean isCertValid(byte[] certPackage, boolean checkSig,
            CertUsage certUsage)
That call is not appropriate for the purpose.

Looking closely,  certificate validation has been done in various places:
* SSL client authentication (if used)
* the isRevoked() call either in agent authentication or in CMCUserSignedAuth
* the cert.checkValidity() call in CMCUserSignedAuth

The extra isCertValid call is not only redundant but also problematic.

This patch fixes https://pagure.io/dogtagpki/issue/2949

~

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.7 (was: 10.6)
6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3067

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata
None
None
None
critical
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.