pki-core-10.4.1-17.el7_4

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Asianux Certificate System.

This update fixes the following bugs:

* Previously, an incoming request missing the Common Name (CN) component caused a NullPointerException on the Certificate Authority (CA) because the implementation expected the CN to be present in the subject Distinguished Name (DN) of the CMC. This update allows the CA to handle subject DN without a CN component, preventing the exception from being thrown. (BZ#1485833)

* A previous update to one of the key unwrapping functions introduced a requirement for a key usage parameter which was not being supplied at the call site, which caused lightweight CA key replication to fail. This bug has been fixed by modifying the call site so that it supplies the key usage parameter, and lightweight CA key replication now works as expected. (BZ#1486870)

* A bug in pki-server-upgrade caused it to attempt to locate a nonexistent file. As a consequence, the upgrade process failed to complete, and could possibly leave the PKI deployment in an invalid state. With this update, pki-server-upgrade has been modified to correctly handle cases where target files are missing, and PKI upgrades now work correctly. (BZ#1487509)

* Previously, the Token Processing System (TPS) user interface (tps-cert-find and tps-cert-show) did not display the token type and origin fields which were present in the legacy TPS interface. The interface has been updated and now displays the missing information. (BZ#1491332)

* An earlier change to PKCS #12 password encoding in NSS caused Certificate System to fail to import PKCS #12 files. As a consequence, CA clone installation could not be completed. With this update, PKI will retry a failed PKCS #12 decryption with a different password encoding, which allows it to import PKCS #12 files produced by both old and new versions of NSS, and CA clone installation succeeds. (BZ#1492560)

* Previously, tokens in the "temporarily lost" state did not have their certificates properly revoked when moving to another revocation reason such as "damaged" or "permanently lost". This bug is now fixed, and token certificates are now being correctly revoked in these situations. (BZ#1500499)

* An earlier update to pki-core mistakenly removed a fallback procedure to Issuer Key Identifier. This caused certificate issuance to fail if the CA signing certificate did not have a Subject Key Identifier extension. In this update, the fallback procedure is restored, and certificate issuance now succeeds in cases where the CA signing certificate does not have the SKI extension. (BZ#1502527)

In addition, this update adds the following enhancement:

* This update introduces AES encryption during KRA PKCS #12 recovery of encrypted keys. (BZ#1490241)

Users of pki-core are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.