Issue #7232: Unable to re-key external CA - freeipa

freeipa

#7232 Unable to re-key external CA

Opened 6 years ago by ftweedal. Modified 4 years ago

When using an externally-signed IPA CA and wishing to change the
external root chaining. If you install a new external CA
cert which has the same subject name, but a different public key. A
new IPA CA CSR has been generated and has been signed by the new external CA.
However, when you attempt to change the chaining ('ipa-cacert-manage
renew --external-cert-file=<new IPA CA cert> --external-cert-file=<new root CA cert>'), an error is returned indicating a problem with subject key
comparison -->

ipa: DEBUG: stderr=ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x540d368>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_57069456
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 117, in run
    rc = self.renew()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 165, in renew
    return self.renew_external_step_2(ca, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 282, in renew_external_step_2
    EMPTY_TRUST_FLAGS)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 367, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 233, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 182, in update_ca_cert
    raise ValueError("subject public key info mismatch")

ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
ipa-cacert-manage command failed, exception: ValueError: subject public key info mismatch
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: subject public key info mismatch                      
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.

In certstore.py, the public key of the new cert is compared to same of the
current cert stored in 389 -->

def update_ca_cert(ldap, base_dn, dercert, trusted=None, ext_key_usage=None,
                   config_ipa=False, config_compat=False):
    """
    Update existing entry for a CA certificate in the certificate store.
    """
    subject, issuer_serial, public_key = _parse_cert(dercert)

    filter = ldap.make_filter({'ipaCertSubject': subject})
    result, _truncated = ldap.find_entries(
        base_dn=DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
                   base_dn),
        filter=filter,
        attrs_list=['cn', 'ipaCertSubject', 'ipaCertIssuerSerial',
                    'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
                    'ipaConfigString', 'cACertificate;binary'])
    entry = result[0]
    dn = entry.dn

    for old_cert in entry['cACertificate;binary']:
        # Check if we are adding a new cert
        if old_cert == dercert:
            break
    else:
        # We are adding a new cert, validate it
        if entry.single_value['ipaCertSubject'].lower() != subject.lower():
            raise ValueError("subject name mismatch")
        if entry.single_value['ipaPublicKey'] != public_key:
            raise ValueError("subject public key info mismatch")
        entry['ipaCertIssuerSerial'].append(issuer_serial)
        entry['cACertificate;binary'].append(dercert)

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1512322

6 years ago

pvoborni commented 6 years ago

Issue linked to bug 1512322

rcritten commented 6 years ago

What would you suggest, not do the subject key comparison? The commit message for the code contains no reasoning for doing this.

ftweedal commented 6 years ago

@rcritten possibly. It would need to be comprehensively tested, to make sure that none of the other programs or libraries (e.g. NSS) experience issues in this scenario.

rcritten commented 6 years ago

Some git archaeology will be needed to try to discern the original intent of this change but IIRC it was one of many included in a large patch set with no specific call-out.

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.6.4

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: important (was: normal)

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

5 years ago

yrro commented 4 years ago

According to https://www.freeipa.org/page/V4/CA_certificate_renewal each entry underneath cn=certificates,cn=ipa,cn=etc,SUFFIX "represents a set of certificates using a single subject name and public key" but no further rationale is given. Given that ipaCertsubject "must be unique in the store", it looks like you can't re-key a CA.

(This ended up being rather tautological, but I can't delete the comment...) :)

Edited 4 years ago by yrro

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.6.5

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1512322

tester

None

changelog

None

design

None

freeipa

Source Code

#7232 Unable to re-key external CA Opened 6 years ago by ftweedal. Modified 4 years ago

Close issue as:

Metadata

#7232 Unable to re-key external CA

Opened 6 years ago by ftweedal. Modified 4 years ago