Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1686051 - issue in selfserv when two server nicknames are used [rhel-8]
Summary: issue in selfserv when two server nicknames are used [rhel-8]
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nss
Version: 8.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.0
Assignee: nss-nspr-maint
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1698376
TreeView+ depends on / blocked
 
Reported: 2019-03-06 15:37 UTC by Ondrej Moriš
Modified: 2019-04-10 09:26 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1698376 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Mozilla Foundation 1543175 None None None 2019-04-16 11:46:21 UTC

Description Ondrej Moriš 2019-03-06 15:37:31 UTC
Description of problem:

When selfserv is started with two server certificates (eg. one of them serving rsa-pss keys and another rsa-pss-rsae) - ie. when selfserv is started and nickname parameter (-n) is given twice (-n server-rsa -n server-rsa-pss) then selfserv behaves exactly as if the second nickname is not given or it is ignored. When I switch the nicknames it again behaves as if the second one is ignored. 

Version-Release number of selected component (if applicable):

nss-3.41.0-5.el8

How reproducible:

100%

Steps to Reproduce:

1. Create CA (ca nickname) and two sets of server keys - RSA (server-rsa nickname) and RSA-PSS (server-rsa-pss nickname) and store all of it in NSS DB .

2. Start selfserv using both server key pairs:
   # /usr/lib64/nss/unsupported-tools/selfserv -d sql:./pss-srv-db -p 4433 -n server-rsa-pss -n server-rsa  -J rsa_pkcs1_sha1,rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,ecdsa_sha1,ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,ecdsa_secp521r1_sha512,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512 

3. Run tlsfuzzer test tlsfuzzer/scripts/test-sig-algs.py

Actual results:

Order of nicknames matters - output of fuzzing is different when server-rsa is in the first place and when it is in the second place:

a) -n server-rsa-pss -n server-rsa

Test end
successful: 14
failed: 3
  'rsa_pss_rsae_sha256 only'
  'rsa_pss_rsae_sha384 only'
  'rsa_pss_rsae_sha512 only'

b) -n server-rsa -n server-rsa-pss

Test end
successful: 14
failed: 3
  'rsa_pss_pss_sha256 only'
  'rsa_pss_pss_sha384 only'
  'rsa_pss_pss_sha512 only'

Expected results:

All tests passed.

Additional info:


Note You need to log in before you can comment on or make changes to this bug.