エラータID: AXBA:2017-2467:08

2017/12/11 Monday - 12:31
Asianux Server 7 for x86_64

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Asianux Certificate System.

This update fixes the following bugs:

* Previously, an incoming request missing the Common Name (CN) component caused a NullPointerException on the Certificate Authority (CA) because the implementation expected the CN to be present in the subject Distinguished Name (DN) of the CMC. This update allows the CA to handle subject DN without a CN component, preventing the exception from being thrown. (BZ#1485833)

* A previous update to one of the key unwrapping functions introduced a requirement for a key usage parameter which was not being supplied at the call site, which caused lightweight CA key replication to fail. This bug has been fixed by modifying the call site so that it supplies the key usage parameter, and lightweight CA key replication now works as expected. (BZ#1486870)

* A bug in pki-server-upgrade caused it to attempt to locate a nonexistent file. As a consequence, the upgrade process failed to complete, and could possibly leave the PKI deployment in an invalid state. With this update, pki-server-upgrade has been modified to correctly handle cases where target files are missing, and PKI upgrades now work correctly. (BZ#1487509)

* Previously, the Token Processing System (TPS) user interface (tps-cert-find and tps-cert-show) did not display the token type and origin fields which were present in the legacy TPS interface. The interface has been updated and now displays the missing information. (BZ#1491332)

* An earlier change to PKCS #12 password encoding in NSS caused Certificate System to fail to import PKCS #12 files. As a consequence, CA clone installation could not be completed. With this update, PKI will retry a failed PKCS #12 decryption with a different password encoding, which allows it to import PKCS #12 files produced by both old and new versions of NSS, and CA clone installation succeeds. (BZ#1492560)

* Previously, tokens in the "temporarily lost" state did not have their certificates properly revoked when moving to another revocation reason such as "damaged" or "permanently lost". This bug is now fixed, and token certificates are now being correctly revoked in these situations. (BZ#1500499)

* An earlier update to pki-core mistakenly removed a fallback procedure to Issuer Key Identifier. This caused certificate issuance to fail if the CA signing certificate did not have a Subject Key Identifier extension. In this update, the fallback procedure is restored, and certificate issuance now succeeds in cases where the CA signing certificate does not have the SKI extension. (BZ#1502527)

In addition, this update adds the following enhancement:

* This update introduces AES encryption during KRA PKCS #12 recovery of encrypted keys. (BZ#1490241)

Users of pki-core are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.


Update packages.




  1. pki-core-10.4.1-17.el7_4.src.rpm
    MD5: d275b82c3fa272e78b0857eb42fb099f
    SHA-256: 4c02188baab29b015d261bb9e06ec2b7068c5b25351993fdc1d009c9509bdd7a
    Size: 4.78 MB

Asianux Server 7 for x86_64
  1. pki-base-10.4.1-17.el7_4.noarch.rpm
    MD5: 3d7d00c54870e67b55f8a071209f3cd3
    SHA-256: 1188f461ea2797fc3b3a4b5210b83d2b5bde9dcab16437347645433d87fca5eb
    Size: 394.38 kB
  2. pki-base-java-10.4.1-17.el7_4.noarch.rpm
    MD5: fe87f454f138744eaea4bd6d8c7aa8a2
    SHA-256: 64c52db79704ed553f749c169964e6a0c09bf471199e87bc72490aea6fa62109
    Size: 1.14 MB
  3. pki-ca-10.4.1-17.el7_4.noarch.rpm
    MD5: 5206bef56dd10571793a5357f1738b56
    SHA-256: 02e8cc4c1e6cfdf0b9679f1373d6a6fe6369d97974bd76209e74ce376a43f86c
    Size: 447.83 kB
  4. pki-kra-10.4.1-17.el7_4.noarch.rpm
    MD5: 018b89ab777bae86be8193816c40c6ee
    SHA-256: a95df26036f9b6d908b20833e0b1943740bbd6cb3784f6f109d52abdbcaa8394
    Size: 274.80 kB
  5. pki-server-10.4.1-17.el7_4.noarch.rpm
    MD5: 66238cd7451ed6c41baa46499b931cc3
    SHA-256: 4209f5238dbe433773dc49754ecbdbfdda538283495dbb0cacdb26a6c3078990
    Size: 2.79 MB
  6. pki-symkey-10.4.1-17.el7_4.x86_64.rpm
    MD5: 773d4c3a6d940d9cbd289c54ba54bfdb
    SHA-256: 860991856ec53b1fd23c843059c2b7c1fe9e6b9fb4a904c54739246cc873ac7f
    Size: 134.95 kB
  7. pki-tools-10.4.1-17.el7_4.x86_64.rpm
    MD5: cda180c3bf89e5b476b418cb2a8b0baa
    SHA-256: efcde6b5af6b49d62524ac7f0295fac219e49ec0bad469aab1eaebdcc55d31b1
    Size: 675.00 kB