Nightly test failure with @pki/master copr repo #4518

Closed
flo-renaud opened this issue Jul 31, 2023 · 8 comments · Fixed by #4531
@flo-renaud

One of the FreeIPA nightly tests is failing with the copr repo @pki/master. The test is installing an IPA server with the option --ca-signing-algorithm=SHA384withRSA, but the resulting LDAP Server-Cert is created with SHA-256 With RSA Encryption.

See PR #2870, with the following report and logs:

self = <ipatests.test_integration.test_installation.TestInstallwithSHA384withRSA object at 0x7f140eb52c90>
server_cleanup = None

    def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
        tasks.install_master(
            self.master,
            extra_args=['--ca-signing-algorithm=SHA384withRSA'],
        )
    
        # check Signing Algorithm post installation
        dashed_domain = self.master.domain.realm.replace(".", '-')
        cmd_args = ['certutil', '-L', '-d',
                    '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
                    '-n', 'Server-Cert']
        result = self.master.run_command(cmd_args)
>       assert 'SHA-384 With RSA Encryption' in result.stdout_text

Test scenario:

  • install IPA server with ipa-server-install -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --ca-signing-algorithm=SHA384withRSA
  • check the LDAP server cert with certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert
  • the output contains Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption but we expect SHA-384

IPA installer calls pkispawn with a configuration file containing pki_ca_signing_signing_algorithm = SHA384withRSA.

The test is failing with dogtag-pki-ca-11.5.0-0.1.alpha1.20230728134901UTC.cb798fce.fc38.noarch (full list of packages available here) but was succeeding last week with dogtag-pki-ca-11.5.0-0.1.alpha1.20230721223657UTC.3e987bc0.fc38.noarch

Companion issue on ipa side: https://pagure.io/freeipa/issue/9423

@edewata
Contributor

edewata commented Jul 31, 2023

I tried creating a CA with the SHA384withRSA algorithm, and all system certs were created correctly with that algorithm.

Which cert profile does IPA use to create the LDAP Server-Cert?

@flo-renaud
Author

The LDAP server cert is created with the profile caIPAserviceCert.

@edewata
Contributor

edewata commented Aug 1, 2023

So far I cannot reproduce the problem in a plain PKI environment. I've created some tests to issue certs using caServerCert profile with different algorithms (see PR #4521).

In all cases the certs were issued with the correct algorithms:

To my understanding there are no significant differences between the profiles in terms of algorithms:

So the problem seems to be specific to IPA. Were there any recent changes in IPA that might have affected this? What changes does IPA make to the CS.cfg that might be related to algorithms? Do you have the CA debug log from the failed test? It's not available from the link above.

@flo-renaud
Author

There wasn't any change in IPA related to the signing algorithm. I'm testing with the same IPA version, doing one test with pki 11.3.1-1.fc38 and the other with pki from the copr repo @pki/master.

With pki 11.3.1-1: the file /etc/pki/pki-tomcat/ca/CS.cfg is created with the following parameters:

ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA384withRSA

With the copr repo: the file /etc/pki/pki-tomcat/ca/CS.cfg is created with the following parameters:

ca.audit_signing.defaultSigningAlgorithm=SHA256withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.sslserver.defaultSigningAlgorithm=SHA256withRSA
ca.subsystem.defaultSigningAlgorithm=SHA256withRSA

To me it looks like the same call to pkispawn produces two different CS.cfg files, and that is the root cause of my issue.

@edewata
Contributor

edewata commented Aug 2, 2023

I still can't reproduce this in a plain PKI environment. I've updated the tests to check those params (see PR #4524) and in all cases they are set to the correct values:

@edewata
Contributor

edewata commented Aug 2, 2023

Could you confirm that the algorithm params for pkispawn in IPA are configured like in the test?
https://github.com/dogtagpki/pki/blob/master/.github/workflows/ca-rsa-test.yml#L54-L72

It would help if we could take a look at the CA debug logs to see what algorithm is actually used and where it came from.

@edewata edewata self-assigned this Aug 2, 2023
@flo-renaud
Author

IPA installer calls pkispawn -s CA -f config_file --debug --log-file log_file with the following config_file:

[CA]
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_cert_request_type = pkcs10
pki_admin_dualkey = False
pki_admin_email = root@localhost
pki_admin_name = admin
pki_admin_nickname = ipa-ca-agent
pki_admin_password = XXXXXXXX
pki_admin_subject_dn = cn=ipa-ca-agent,O=IPA.TEST
pki_admin_uid = admin
pki_ajp_host_ipv4 = 127.0.0.1
pki_ajp_host_ipv6 = ::1
pki_ajp_secret = 2JceR0606X6tG1Sm4KuCdau5P8qCzocDklbFtzOZkDJR
pki_audit_group = pkiaudit
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_key_size = 2048
pki_audit_signing_key_type = rsa
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_subject_dn = cn=CA Audit,O=IPA.TEST
pki_audit_signing_token = internal
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_ca_hostname = master.ipa.test
pki_ca_port = 443
pki_ca_signing_cert_path = /etc/pki/pki-tomcat/external_ca.cert
pki_ca_signing_csr_path = /root/ipa.csr
pki_ca_signing_key_algorithm = SHA256withRSA
pki_ca_signing_key_size = 3072
pki_ca_signing_key_type = rsa
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_record_create = True
pki_ca_signing_serial_number = 1
pki_ca_signing_signing_algorithm = SHA384withRSA
pki_ca_signing_subject_dn = CN=Certificate Authority,O=IPA.TEST
pki_ca_signing_token = internal
pki_ca_starting_crl_number = 0
pki_cert_chain_nickname = caSigningCert External CA
pki_cert_chain_path = /etc/pki/pki-tomcat/external_ca_chain.cert
pki_cert_id_generator = legacy
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_client_database_password = 
pki_client_database_purge = True
pki_client_dir = /root/.dogtag/pki-tomcat
pki_client_pkcs12_password = XXXXXXXX
pki_configuration_path = /etc/pki
pki_default_ocsp_uri = http://ipa-ca.ipa.test/ca/ocsp
pki_dns_domainname = ipa.test
pki_ds_base_dn = o=ipaca
pki_ds_bind_dn = cn=Directory Manager
pki_ds_database = ipaca
pki_ds_hostname = master.ipa.test
pki_ds_ldap_port = 389
pki_ds_ldaps_port = 636
pki_ds_password = XXXXXXXX
pki_ds_remove_data = True
pki_ds_secure_connection = False
pki_ds_secure_connection_ca_nickname = Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_enable_proxy = True
pki_existing = False
pki_external = False
pki_external_pkcs12_password = 
pki_external_pkcs12_path = 
pki_external_step_two = False
pki_group = pkiuser
pki_hostname = master.ipa.test
pki_hsm_enable = False
pki_hsm_libfile = 
pki_hsm_modulename = 
pki_import_admin_cert = False
pki_instance_configuration_path = /etc/pki/pki-tomcat
pki_instance_name = pki-tomcat
pki_issuing_ca = https://master.ipa.test:443
pki_issuing_ca_hostname = master.ipa.test
pki_issuing_ca_https_port = 443
pki_issuing_ca_uri = https://master.ipa.test:443
pki_master_crl_enable = True
pki_ocsp_signing_key_algorithm = SHA256withRSA
pki_ocsp_signing_key_size = 2048
pki_ocsp_signing_key_type = rsa
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm = SHA256withRSA
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=IPA.TEST
pki_ocsp_signing_token = internal
pki_pkcs12_password = 
pki_pkcs12_path = 
pki_profiles_in_ldap = True
pki_random_serial_numbers_enable = False
pki_replica_number_range_end = 100
pki_replica_number_range_start = 1
pki_replication_password = 
pki_request_id_generator = legacy
pki_request_number_range_end = 10000000
pki_request_number_range_start = 1
pki_san_for_server_cert = 
pki_san_inject = False
pki_security_domain_hostname = master.ipa.test
pki_security_domain_https_port = 443
pki_security_domain_name = IPA
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin
pki_self_signed_token = internal
pki_serial_number_range_end = 10000000
pki_serial_number_range_start = 1
pki_server_database_password = XXXXXXXX
pki_share_db = False
pki_skip_configuration = False
pki_skip_ds_verify = False
pki_skip_installation = False
pki_skip_sd_verify = False
pki_sslserver_key_algorithm = SHA256withRSA
pki_sslserver_key_size = 2048
pki_sslserver_key_type = rsa
pki_sslserver_nickname = Server-Cert cert-pki-ca
pki_sslserver_subject_dn = cn=master.ipa.test,O=IPA.TEST
pki_sslserver_token = internal
pki_status_request_timeout = 15
pki_subordinate = False
pki_subordinate_create_new_security_domain = False
pki_subsystem = CA
pki_subsystem_key_algorithm = SHA256withRSA
pki_subsystem_key_size = 2048
pki_subsystem_key_type = rsa
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_subsystem_subject_dn = cn=CA Subsystem,O=IPA.TEST
pki_subsystem_token = internal
pki_subsystem_type = ca
pki_theme_enable = True
pki_theme_server_dir = /usr/share/pki/common-ui
pki_token_name = internal
pki_user = pkiuser

edewata added a commit to edewata/pki that referenced this issue Aug 7, 2023
The PKIDeployer.update_system_cert() was incorrectly setting
the default signing algorithm param in CS.cfg for all certs
using the key algorithm param in pkispawn which could cause
a problem if the key algorithm and signing algorithm are not
the same.

The code has been modified to set the param properly using
the signing algorithm param in pkispawn for CA/OCSP/audit
signing certs only. This param is not used by other certs so
it does not need to be set for those certs.

The pki-server ca-config-show CLI has been updated to return
a non-zero code if the param being requested doesn't exist.

The tests have been updated to use different key and signing
algorithms.

dogtagpki#4518
@edewata
Contributor

edewata commented Aug 7, 2023

Thanks for the info. Apparently there's a long-standing bug that was never discovered since we probably always tested with the same key & signing algorithms, and it's now affecting IPA due to a recent cleanup that merged some of the code. I've created a PR to fix the bug: #4531
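
The mismatch described in the commit message and in the CS.cfg comparison above, modelled as an added example (not code from the PKI project or from either participant): a pre-fix and post-fix derivation of the ca.*.defaultSigningAlgorithm params from the pkispawn parameters, plus a check that flags a deployed CS.cfg whose signing algorithms disagree with what pkispawn was asked for. The pkispawn-tag to CS.cfg-id mapping, the inputs, and the function names are assumptions constructed for the example.

```python
import configparser
# Constructed input: the algorithm parameters from the pkispawn config posted
# above (every other parameter omitted).
PKISPAWN_CFG = """\
[CA]
pki_ca_signing_key_algorithm = SHA256withRSA
pki_ca_signing_signing_algorithm = SHA384withRSA
pki_ocsp_signing_key_algorithm = SHA256withRSA
pki_ocsp_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_sslserver_key_algorithm = SHA256withRSA
pki_subsystem_key_algorithm = SHA256withRSA
"""
# Constructed CS.cfg fragments: CS_CFG_BAD mirrors the copr-repo output above.
CS_CFG_BAD = """\
ca.audit_signing.defaultSigningAlgorithm=SHA256withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.sslserver.defaultSigningAlgorithm=SHA256withRSA
ca.subsystem.defaultSigningAlgorithm=SHA256withRSA
"""
CS_CFG_GOOD = """\
ca.audit_signing.defaultSigningAlgorithm=SHA256withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA384withRSA
"""
# pkispawn cert tag -> CS.cfg cert id (a mapping assumed for this model).
CERT_IDS = {"ca_signing": "signing", "ocsp_signing": "ocsp_signing",
            "audit_signing": "audit_signing", "sslserver": "sslserver",
            "subsystem": "subsystem"}
SIGNING_CERTS = ("ca_signing", "ocsp_signing", "audit_signing")  # the only certs that sign
def load_pkispawn(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["CA"])
def expected_buggy(params):
    """Pre-fix behaviour: every cert's defaultSigningAlgorithm is copied from pki_<tag>_key_algorithm."""
    return {"ca.%s.defaultSigningAlgorithm" % cid: params["pki_%s_key_algorithm" % tag]
            for tag, cid in CERT_IDS.items()}
def expected_fixed(params):
    """Post-fix behaviour: signing certs only, taken from pki_<tag>_signing_algorithm."""
    return {"ca.%s.defaultSigningAlgorithm" % CERT_IDS[tag]:
            params["pki_%s_signing_algorithm" % tag] for tag in SIGNING_CERTS}
def find_mismatches(cs_cfg_text, params):
    """(key, actual, expected) triples where CS.cfg disagrees with the requested signing algorithms."""
    actual = dict(line.split("=", 1) for line in cs_cfg_text.splitlines() if "=" in line)
    return sorted((k, actual.get(k), v) for k, v in expected_fixed(params).items()
                  if actual.get(k) != v)
```

Running find_mismatches against a real /etc/pki/pki-tomcat/ca/CS.cfg and the pkispawn config used for the deployment is a quick post-install check that the CA signs with the algorithm that was actually requested.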

edewata added a commit that referenced this issue Aug 8, 2023
The PKIDeployer.update_system_cert() was incorrectly setting
the default signing algorithm param in CS.cfg for all certs
using the key algorithm param in pkispawn which could cause
a problem if the key algorithm and signing algorithm are not
the same.

The code has been modified to set the param properly using
the signing algorithm param in pkispawn for CA/OCSP/audit
signing certs only. This param is not used by other certs so
it does not need to be set for those certs.

The pki-server ca-config-show CLI has been updated to return
a non-zero code if the param being requested doesn't exist.

The tests have been updated to use different key and signing
algorithms.

#4518
edewata added a commit to edewata/pki that referenced this issue Aug 22, 2023
The tests have been updated to use different key and signing
algorithms.

dogtagpki#4518