#13 PK11Store.importEncryptedPrivateKeyInfo does not import the public key with SQL NSSDB
Closed: fixed 3 years ago Opened 3 years ago by ftweedal.

There is a regression in the SQL NSSDB backend which causes certificates to not be properly
associated with the private keys (i.e. now showing ultimate trust with 'u,u,u' in trust flags).

For example, after replica install the replica has an NSSDB that looks like:

# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,   
auditSigningCert cert-pki-ca                                 ,,P  
subsystemCert cert-pki-ca                                    ,,   
Server-Cert cert-pki-ca                                      u,u,u

I have observed that the pk12util tool does not exhibit this problem because of
an explicit call to PK11_ImportPublicKey. Therefore
JSS key import methods should be updated to explicitly import the public key via
the same subroutine.
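
Added example (not part of the original ticket, and not JSS or NSS code): a Python check that parses a certutil -L listing like the one above and reports which nicknames lack the 'u' flag, which certutil displays when the matching private key is present in the database. The function names and the EXPECTED_WITH_KEY list are assumptions; the sample input is the listing quoted in the ticket.

```python
import re

# Sample input: the certutil -L listing quoted in the ticket (trailing spaces trimmed).
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
"""

# Assumption: the operator lists the nicknames whose private keys should be
# in this NSSDB; here, every certificate shown in the ticket's listing.
EXPECTED_WITH_KEY = [
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
]

# A data row is: nickname (may contain spaces), padding, then three
# comma-separated flag fields, each of which may be empty.
# Header lines do not match: one has no commas, the other contains '/'.
ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Return {nickname: (ssl, smime, objsign)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs


def without_private_key(text, expected):
    """Nicknames from `expected` that are absent or carry no 'u' flag."""
    certs = parse_listing(text)
    return sorted(n for n in expected
                  if not any("u" in field for field in certs.get(n, ())))


if __name__ == "__main__":
    for nick in without_private_key(SAMPLE, EXPECTED_WITH_KEY):
        print("no private key associated:", nick)
```
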


The initial PR:
https://github.com/dogtagpki/jss/pull/13

Another PR addresses a similar issue for LWCA key replication:
https://github.com/dogtagpki/jss/pull/15

Metadata Update from @ftweedal:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

3 years ago

Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 4.5.0
- Issue status updated to: Closed (was: Open)

3 years ago
