Code Monkey home page Code Monkey logo

Comments (8)

edewata avatar edewata commented on June 12, 2024

I tried creating a CA with SHA384withRSA algorithm, all system certs were created correctly with that algorithm.

Which cert profile does IPA use to create the LDAP Server-Cert?

from pki.

flo-renaud avatar flo-renaud commented on June 12, 2024

The LDAP server cert is created with the profile caIPAserviceCert.

from pki.

edewata avatar edewata commented on June 12, 2024

So far I cannot reproduce the problem in a plain PKI environment. I've created some tests to issue certs using caServerCert profile with different algorithms (see PR #4521).

In all cases the certs were issued with the correct algorithms:

To my understanding there's no significant differences between the profiles in terms of algorithms:

So the problem seems to be specific to IPA. Were there any recent changes in IPA that might have affected this? What changes does IPA make to the CS.cfg that might be related to algorithms? Do you have the CA debug log from the failed test? It's not available from the link above.

from pki.

flo-renaud avatar flo-renaud commented on June 12, 2024

There wasn't any change in IPA related to the signing algorithm. I'm testing with the same IPA version and do one test with pki 11.3.1-1.fc38, the other with pki from the copr repo @pki/master.

With pki 11.3.1-1: the file /etc/pki/pki-tomcat/ca/CS.cfg is created with the following parameters:

ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA384withRSA

With the copr repo: the file /etc/pki/pki-tomcat/ca/CS.cfg is created with the following parameters:

ca.audit_signing.defaultSigningAlgorithm=SHA256withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.sslserver.defaultSigningAlgorithm=SHA256withRSA
ca.subsystem.defaultSigningAlgorithm=SHA256withRSA

To me it looks like the same call to pkispawn produces 2 different CS.cfg and that is the root cause of my issue.

from pki.

edewata avatar edewata commented on June 12, 2024

I still can't reproduce this in plain PKI environment. I've updated the tests to check those params (see PR #4524) and in all cases they are set to the correct values:

from pki.

edewata avatar edewata commented on June 12, 2024

Could you confirm that the algorithm params for pkispawn in IPA are configured like in the test?
https://github.com/dogtagpki/pki/blob/master/.github/workflows/ca-rsa-test.yml#L54-L72

It would help if we could take a look at the CA debug logs to see what algorithm is actually used and where it came from.

from pki.

flo-renaud avatar flo-renaud commented on June 12, 2024

IPA installer calls pkispawn -s CA -f config_file --debug --log-file log_file with the following config_file:

[CA]
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_cert_request_type = pkcs10
pki_admin_dualkey = False
pki_admin_email = root@localhost
pki_admin_name = admin
pki_admin_nickname = ipa-ca-agent
pki_admin_password = XXXXXXXX
pki_admin_subject_dn = cn=ipa-ca-agent,O=IPA.TEST
pki_admin_uid = admin
pki_ajp_host_ipv4 = 127.0.0.1
pki_ajp_host_ipv6 = ::1
pki_ajp_secret = 2JceR0606X6tG1Sm4KuCdau5P8qCzocDklbFtzOZkDJR
pki_audit_group = pkiaudit
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_key_size = 2048
pki_audit_signing_key_type = rsa
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_subject_dn = cn=CA Audit,O=IPA.TEST
pki_audit_signing_token = internal
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_ca_hostname = master.ipa.test
pki_ca_port = 443
pki_ca_signing_cert_path = /etc/pki/pki-tomcat/external_ca.cert
pki_ca_signing_csr_path = /root/ipa.csr
pki_ca_signing_key_algorithm = SHA256withRSA
pki_ca_signing_key_size = 3072
pki_ca_signing_key_type = rsa
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_record_create = True
pki_ca_signing_serial_number = 1
pki_ca_signing_signing_algorithm = SHA384withRSA
pki_ca_signing_subject_dn = CN=Certificate Authority,O=IPA.TEST
pki_ca_signing_token = internal
pki_ca_starting_crl_number = 0
pki_cert_chain_nickname = caSigningCert External CA
pki_cert_chain_path = /etc/pki/pki-tomcat/external_ca_chain.cert
pki_cert_id_generator = legacy
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_client_database_password = 
pki_client_database_purge = True
pki_client_dir = /root/.dogtag/pki-tomcat
pki_client_pkcs12_password = XXXXXXXX
pki_configuration_path = /etc/pki
pki_default_ocsp_uri = http://ipa-ca.ipa.test/ca/ocsp
pki_dns_domainname = ipa.test
pki_ds_base_dn = o=ipaca
pki_ds_bind_dn = cn=Directory Manager
pki_ds_database = ipaca
pki_ds_hostname = master.ipa.test
pki_ds_ldap_port = 389
pki_ds_ldaps_port = 636
pki_ds_password = XXXXXXXX
pki_ds_remove_data = True
pki_ds_secure_connection = False
pki_ds_secure_connection_ca_nickname = Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_enable_proxy = True
pki_existing = False
pki_external = False
pki_external_pkcs12_password = 
pki_external_pkcs12_path = 
pki_external_step_two = False
pki_group = pkiuser
pki_hostname = master.ipa.test
pki_hsm_enable = False
pki_hsm_libfile = 
pki_hsm_modulename = 
pki_import_admin_cert = False
pki_instance_configuration_path = /etc/pki/pki-tomcat
pki_instance_name = pki-tomcat
pki_issuing_ca = https://master.ipa.test:443
pki_issuing_ca_hostname = master.ipa.test
pki_issuing_ca_https_port = 443
pki_issuing_ca_uri = https://master.ipa.test:443
pki_master_crl_enable = True
pki_ocsp_signing_key_algorithm = SHA256withRSA
pki_ocsp_signing_key_size = 2048
pki_ocsp_signing_key_type = rsa
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm = SHA256withRSA
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=IPA.TEST
pki_ocsp_signing_token = internal
pki_pkcs12_password = 
pki_pkcs12_path = 
pki_profiles_in_ldap = True
pki_random_serial_numbers_enable = False
pki_replica_number_range_end = 100
pki_replica_number_range_start = 1
pki_replication_password = 
pki_request_id_generator = legacy
pki_request_number_range_end = 10000000
pki_request_number_range_start = 1
pki_san_for_server_cert = 
pki_san_inject = False
pki_security_domain_hostname = master.ipa.test
pki_security_domain_https_port = 443
pki_security_domain_name = IPA
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin
pki_self_signed_token = internal
pki_serial_number_range_end = 10000000
pki_serial_number_range_start = 1
pki_server_database_password = XXXXXXXX
pki_share_db = False
pki_skip_configuration = False
pki_skip_ds_verify = False
pki_skip_installation = False
pki_skip_sd_verify = False
pki_sslserver_key_algorithm = SHA256withRSA
pki_sslserver_key_size = 2048
pki_sslserver_key_type = rsa
pki_sslserver_nickname = Server-Cert cert-pki-ca
pki_sslserver_subject_dn = cn=master.ipa.test,O=IPA.TEST
pki_sslserver_token = internal
pki_status_request_timeout = 15
pki_subordinate = False
pki_subordinate_create_new_security_domain = False
pki_subsystem = CA
pki_subsystem_key_algorithm = SHA256withRSA
pki_subsystem_key_size = 2048
pki_subsystem_key_type = rsa
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_subsystem_subject_dn = cn=CA Subsystem,O=IPA.TEST
pki_subsystem_token = internal
pki_subsystem_type = ca
pki_theme_enable = True
pki_theme_server_dir = /usr/share/pki/common-ui
pki_token_name = internal
pki_user = pkiuser

from pki.

edewata avatar edewata commented on June 12, 2024

Thanks for the info. Apparently there's a long-standing bug that was never discovered since we probably always tested with the same key & signing algorithms, and it's now affecting IPA due to recent a cleanup that merged some of the code. I've created a PR to fix the bug: #4531

from pki.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.