From 5f62e2db4a1a9040758a806095e1b4da5d0a0d1d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 6 Oct 2017 11:21:48 +1100
Subject: [PATCH] Fix issuance when CA cert lacks Subject Key ID ext

If the CA signing cert does not have the Subject Key Identifier
extension, issuance of certificates fails. Although such a CA
certificate is not compliant with RFC 5280, this does happen in the
wild, and we previously handled this case by computing the SHA-1
digest of the signing key as a last resort. This behaviour was
removed by 3c43b1119ca978c296a38a9fe404e1c0cdcdab63, breaking cert
issuance in installations with CA certs that lack the SKI extension.

Restore this behaviour.

Fixes: https://pagure.io/dogtagpki/issue/2829
Change-Id: I2f590abe258c0f9405549945b89e3c25c32c2a00
(cherry picked from commit 8ec0cbd1bef372ed50e19f6c5b6332b75209beb0)
(cherry picked from commit 119f4ee0288c1e6e6996847a66f617f04dd42ae6)
---
 base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
index 635c044..8d5361e 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
@@ -95,6 +95,6 @@ public abstract class CAEnrollDefault extends EnrollDefault {
                 "CryptoUtil.generateKeyIdentifier returns null");
             return null;
         }
-        return null;
+        return new KeyIdentifier(hash);
     }
 }
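Review bot: The restored `return new KeyIdentifier(hash);` re-enables the non-compliant-CA fallback described in the commit message, but nothing in the code says that this path is only reached when the CA certificate lacks the Subject Key Identifier extension, or how `hash` was derived; a comment on that line such as `// Fallback for CA certs without an SKI extension (not RFC 5280 compliant): identifier is derived from the signing public key (cf. RFC 5280 4.2.1.2 method 1), so it will not match any SKI present on the CA cert` would keep that rationale next to the code instead of only in the git history. If this identifier is presumably used as the AuthorityKeyIdentifier of issued certificates, consumers that build chains by AKI/SKI matching will have to fall back to issuer-name matching for these installations, which is worth stating in the comment or in the logged message. The enclosing method starts before the hunk, and the branch just above that logs "CryptoUtil.generateKeyIdentifier returns null" still returns null, so callers' handling of that failure is unchanged by this commit.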
-- 
1.8.3.1