Bug
Resolution: Unresolved
rhel-10.0.beta
dogtag-pki-11.5.3-1.el10
Regression
rhel-sst-idm-cs
ssg_idm
Certificate System
Automated
What were you trying to do that didn't work?
CA Clone Installation is failing in FIPS mode with 'Error verifying PKCS12 MAC; no PKCS12KDF support.'
Please provide the package NVR for which bug is seen:
dogtag-pki-11.5.0-2.el10.src.rpm
nss-util-3.97.0-1.el10.x86_64
nss-softokn-freebl-3.97.0-1.el10.x86_64
nss-softokn-3.97.0-1.el10.x86_64
nss-3.97.0-1.el10.x86_64
nss-sysinit-3.97.0-1.el10.x86_64
nss-tools-3.97.0-1.el10.x86_64
python3-idm-pki-11.5.0-2.el10.noarch
idm-pki-base-11.5.0-2.el10.noarch
idm-jss-5.5.0-2.el10.x86_64
pki-resteasy-jackson2-provider-3.0.26-29.el10.noarch
idm-jss-tomcat-5.5.0-2.el10.x86_64
pki-resteasy-core-3.0.26-29.el10.noarch
pki-resteasy-client-3.0.26-29.el10.noarch
pki-resteasy-servlet-initializer-3.0.26-29.el10.noarch
idm-pki-java-11.5.0-2.el10.noarch
idm-pki-tools-11.5.0-2.el10.x86_64
idm-pki-server-11.5.0-2.el10.noarch
idm-pki-ca-11.5.0-2.el10.noarch
idm-pki-kra-11.5.0-2.el10.noarch
Steps to reproduce
1. Set up 2 machines, i.e. master and clone
2. Enable FIPS on both the machines
3. Install Master CA and Clone CA with the below configs:
Master CA:
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = 3389
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005
[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
Clone CA:
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_ds_password = SECret.123
pki_ds_ldap_port = 3389
pki_security_domain_hostname=pki1.example.com
pki_security_domain_https_port=20443
pki_security_domain_user=caadmin
pki_security_domain_password=SECret.123
pki_client_database_purge=False
pki_client_pkcs12_password=SECret.123
pki_admin_password=SECret.123
pki_cert_chain_path=/tmp/rootCA.pem
[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005
pki_clone=True
pki_clone_replicate_schema=True
pki_clone_uri=https://pki1.example.com:20443
pki_clone_pkcs12_path=/tmp/ca_certs.p12
pki_clone_pkcs12_password=SECret.123
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_admin_uid=caadmin
pki_ds_hostname=pki2.example.com
pki_ds_base_dn=o=topology-02-CA-CA
pki_ds_database=topology-02-testingmaster
Reference Doc:
https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_Clone.md
Expected results
The CA Clone installation should work on FIPS enabled machine. The CA clone installation is working fine on non-FIPS-enabled VMs.
Actual results
The CA Clone installation is failing with the below error:
DEBUG: Command: pki -d /etc/pki/topology-02-CA/alias -C /etc/pki/topology-02-CA/pfile pkcs12-import --pkcs12 /tmp/ca_certs.p12 --password-file /tmp/tmpudnweavi/password.txt --debug
INFO: Certificates in PKCS #12 file:
DEBUG: Command: /usr/lib/jvm/jre-17-openjdk/bin/java -cp /usr/share/pki/lib/* -Dcom.redhat.fips=false -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/topology-02-CA/alias -C /etc/pki/topology-02-CA/pfile --debug pkcs12-cert-find --pkcs12 /tmp/ca_certs.p12 --password-file /tmp/tmpudnweavi/password.txt --debug
INFO: Server URL: https://pki2.example.com:8443
INFO: Loading NSS password from /etc/pki/topology-02-CA/pfile
INFO: NSS database: /etc/pki/topology-02-CA/alias
FINE: Message format: null
FINE: Command: pkcs12-cert-find --pkcs12 /tmp/ca_certs.p12 --password-file /tmp/tmpudnweavi/password.txt --debug
FINE: Module: pkcs12
FINE: Module: cert
FINE: Module: find
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: - subsystemCert cert-topology-02-CA
INFO: - caSigningCert cert-topology-02-CA CA
INFO: - ocspSigningCert cert-topology-02-CA CA
INFO: - auditSigningCert cert-topology-02-CA CA
INFO: Importing CA certificates:
INFO: Importing user certificates:
INFO: - subsystemCert cert-topology-02-CA
INFO: - caSigningCert cert-topology-02-CA CA
INFO: - ocspSigningCert cert-topology-02-CA CA
INFO: - auditSigningCert cert-topology-02-CA CA
DEBUG: Command: /usr/lib/jvm/jre-17-openjdk/bin/java -cp /usr/share/pki/lib/* -Dcom.redhat.fips=false -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/topology-02-CA/alias -C /etc/pki/topology-02-CA/pfile --debug pkcs12-import --pkcs12 /tmp/ca_certs.p12 --password-file /tmp/tmpudnweavi/password.txt --debug subsystemCert cert-topology-02-CA caSigningCert cert-topology-02-CA CA ocspSigningCert cert-topology-02-CA CA auditSigningCert cert-topology-02-CA CA
INFO: Server URL: https://pki2.example.com:8443
INFO: Loading NSS password from /etc/pki/topology-02-CA/pfile
INFO: NSS database: /etc/pki/topology-02-CA/alias
FINE: Message format: null
FINE: Command: pkcs12-import --pkcs12 /tmp/ca_certs.p12 --password-file /tmp/tmpudnweavi/password.txt --debug "subsystemCert cert-topology-02-CA" "caSigningCert cert-topology-02-CA CA" "ocspSigningCert cert-topology-02-CA CA" "auditSigningCert cert-topology-02-CA CA"
FINE: Module: pkcs12
FINE: Module: import
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
Certificates in /etc/pki/topology-02-CA/alias:
DEBUG: Command: certutil -L -d /etc/pki/topology-02-CA/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-topology-02-CA                            u,u,u
caSigningCert cert-topology-02-CA CA                         CTu,Cu,Cu
ocspSigningCert cert-topology-02-CA CA                       u,u,u
auditSigningCert cert-topology-02-CA CA                      u,u,Pu

INFO: Removing /etc/pki/topology-02-CA/pfile
DEBUG: Command: rm -f /etc/pki/topology-02-CA/pfile
ERROR: CalledProcessError: Command '['openssl', 'pkcs12', '-in', '/tmp/ca_certs.p12', '-out', '/etc/pki/topology-02-CA/alias/ca.crt', '-nodes', '-nokeys', '-passin', 'pass:SECret.123']' returned non-zero exit status 1.
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 568, in main
    deployer.spawn()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 4965, in spawn
    scriptlet.spawn(self)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 47, in spawn
    deployer.import_clone_pkcs12()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 719, in import_clone_pkcs12
    res_ca = subprocess.check_output(
  File "/usr/lib64/python3.12/subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
Installation failed: Command failed: openssl pkcs12 -in /tmp/ca_certs.p12 -out /etc/pki/topology-02-CA/alias/ca.crt -nodes -nokeys -passin pass:SECret.123
b'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n'
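Added example (not part of this bug report and not dogtag-pki code): a stdlib-only Python checker for the part of the PKCS#12 file that the failing `openssl pkcs12 -nokeys` step trips over. `openssl pkcs12` verifies the MacData MAC before it extracts anything, and the legacy PKCS#12 MAC key derivation (PKCS12KDF) is not provided by the OpenSSL FIPS provider, which is what "no PKCS12KDF support" in the traceback means; a file whose MAC is PBMAC1 instead (PBKDF2-based, RFC 9579, which `openssl pkcs12` supports from OpenSSL 3.4) can be verified in FIPS mode. The script walks the outer PFX DER structure and reports which of the two a file uses, so an operator can tell before starting the clone install whether /tmp/ca_certs.p12 will fail MAC verification. The sample PFX blobs are constructed inside the block (empty authSafe, dummy digests, no key material), and the `pkcs12kdf`/`pbmac1` labels and OID names are this example's own. Caveat on the workaround the error message suggests: `-nomacver` skips the only integrity check over the bundle; the bags inside are password-encrypted but not authenticated, so the MAC is what detects tampering or corruption of the transported CA certificates and keys, and skipping it trades that check away.

```python
"""Report whether a PKCS#12 (PFX) file's MAC uses the legacy PKCS12KDF or PBMAC1,
i.e. whether `openssl pkcs12` can verify it under the FIPS provider.

Added example, not dogtag-pki code. Stdlib only: a minimal DER walker for the
outer PFX structure (RFC 7292) plus a tiny DER encoder used only to construct
sample blobs (empty authSafe, dummy digests, no real keys).
"""
import sys

PBMAC1_OID = "1.2.840.113549.1.5.14"   # id-PBMAC1 (RFC 8018 / RFC 9579)
PBKDF2_OID = "1.2.840.113549.1.5.12"   # id-PBKDF2
OID_NAMES = {                          # display labels used by this example
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.3": "sha512",
    "1.2.840.113549.2.9": "hmacWithSHA256",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tags) -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its [(tag, value), ...] elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_pkcs12_mac(der):
    """mac_kdf is 'pkcs12kdf' (not in the FIPS provider), 'pbmac1', or None (no MacData)."""
    tag, pfx, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: PEM input or not a PFX")
    fields = _children(pfx)            # PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }
    info = {"version": int.from_bytes(fields[0][1], "big"), "mac_kdf": None,
            "mac_alg": None, "iterations": None, "fips_verifiable": None}
    if len(fields) < 3:
        return info                    # nothing to verify, but no integrity protection either
    digest_info, _salt, *rest = _children(fields[2][1])          # MacData
    alg_oid, *alg_params = _children(_children(digest_info[1])[0][1])  # digestAlgorithm
    oid = _decode_oid(alg_oid[1])
    if oid == PBMAC1_OID:
        # PBMAC1-params ::= SEQUENCE { keyDerivationFunc, messageAuthScheme }
        kdf, mac_scheme = _children(alg_params[0][1])
        kdf_oid, kdf_params = _children(kdf[1])
        if _decode_oid(kdf_oid[1]) != PBKDF2_OID:
            raise ValueError("PBMAC1 with a KDF other than PBKDF2")
        pbkdf2 = _children(kdf_params[1])      # salt, iterationCount, [keyLength], [prf]
        mac_oid = _decode_oid(_children(mac_scheme[1])[0][1])
        info.update(mac_kdf="pbmac1", mac_alg=OID_NAMES.get(mac_oid, mac_oid),
                    iterations=int.from_bytes(pbkdf2[1][1], "big"), fips_verifiable=True)
    else:                              # plain digest OID: legacy PKCS#12 KDF (RFC 7292 App. B)
        info.update(mac_kdf="pkcs12kdf", mac_alg=OID_NAMES.get(oid, oid),
                    iterations=int.from_bytes(rest[0][1], "big") if rest else 1,
                    fips_verifiable=False)
    return info


# ---- tiny DER encoder, used only to construct sample input ------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, bytes(body))


def _int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_sample_pfx(mac="pkcs12kdf", iterations=2000):
    """Constructed PFX: empty authSafe plus a MacData of the requested kind (or none)."""
    auth_safe = _der(0x30, _oid("1.2.840.113549.1.7.1") + _der(0xA0, _der(0x04, b"\x00" * 16)))
    body, dummy_mac = _int(3) + auth_safe, _der(0x04, b"\xaa" * 32)
    if mac == "pkcs12kdf":
        alg = _der(0x30, _oid("2.16.840.1.101.3.4.2.1") + _der(0x05, b""))
        mac_data = _der(0x30, _der(0x30, alg + dummy_mac) + _der(0x04, b"\x11" * 8) + _int(iterations))
    elif mac == "pbmac1":
        hmac256 = _der(0x30, _oid("1.2.840.113549.2.9") + _der(0x05, b""))
        pbkdf2 = _der(0x30, _oid(PBKDF2_OID) + _der(0x30, _der(0x04, b"\x11" * 16) + _int(iterations) + _int(32) + hmac256))
        alg = _der(0x30, _oid(PBMAC1_OID) + _der(0x30, pbkdf2 + hmac256))
        mac_data = _der(0x30, _der(0x30, alg + dummy_mac) + _der(0x04, b"\x00" * 8) + _int(1))
    else:
        return _der(0x30, body)
    return _der(0x30, body + mac_data)


if __name__ == "__main__":
    # Usage: python3 p12_mac_check.py /tmp/ca_certs.p12   (no argument: run on the constructed samples)
    blobs = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else \
        [build_sample_pfx(m) for m in ("pkcs12kdf", "pbmac1", None)]
    for der in blobs:
        info = inspect_pkcs12_mac(der)
        print(info)
        if info["fips_verifiable"] is False:
            print("  -> legacy PKCS12KDF MAC: FIPS-mode 'openssl pkcs12' will report 'no PKCS12KDF support'")
```

Run it against the bundle exported from the master before copying it to the clone host; a `pkcs12kdf` result means the `import_clone_pkcs12` step above will fail the same way on any FIPS-enabled clone, independent of the pkispawn configuration.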
Links to: RHSA-2024:132003 dogtag-pki bug fix and enhancement update