Cisco Bug: CSCuw41120 - IOS PKI: Temp Self-signed sequence number encoded as signed integer

Last Modified

Sep 27, 2018

Products (95)

  • Cisco IOS
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 861W Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco 812 CiFi Integrated Services Router
  • Cisco C897VA Integrated Services Router
  • Cisco 892W Integrated Services Router
  • Cisco 2951 Integrated Services Router
  • Cisco 898 Secure G.SHDSL EFM/ATM with Multi-Mode 4G LTE ISR Router
  • Cisco 886VAG 3G Integrated Services Router

Known Affected Releases

15.4(3)M

Description (partial)

Symptom:
When IOS performs renewal using a temporary self-signed certificate (i.e. when the CA does not advertise the Renewal capability):
- Each POLL/retry generates a new temporary self-signed certificate, which in turn signs the PKCS#7 Enveloped Data.
- When the sequence number of this temporary self-signed certificate exceeds 127 (decimal) / 01111111 (binary) / 0x7F (hex), the most significant bit of the first content octet becomes 1. DER encodes INTEGER values in two's complement, so a leading 0x00 octet must be prepended to keep the value positive rather than negative. IOS currently does not prepend it.

As a result, the sequence number in outgoing GetCertInitial messages is encoded as a signed (negative) integer. A third-party, RFC-compliant CA may respond with a CertRep message that carries the correctly encoded, positive sequence number (in the RecipientInfo of the PKCS#7 Enveloped Data). At that point IOS may fail to read the PKCS#7 Enveloped Data.
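
The encoding rule behind this symptom, as an added illustration written for this page (it is not Cisco IOS code): a DER INTEGER encoder that prepends the guard octet, the variant that omits it as the bug describes, a strict two's-complement decoder, and a small model of the request/reply mismatch. The function names and the assumption that the CA takes the magnitude of what it received and echoes it back correctly encoded are illustrative, not taken from the bug report.

```python
# Added example (not Cisco IOS code): DER INTEGER encoding of a certificate
# sequence/serial number once the value reaches 0x80, and what the bug above
# looks like on the wire. Length handling assumes short encodings, which
# covers real certificate serial numbers (at most 20 octets per RFC 5280).


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_int_correct(n: int) -> bytes:
    """DER INTEGER (tag 0x02) of a non-negative n.
    Content octets are two's complement, so a value whose top bit would be
    set gets exactly one leading 0x00 octet; no other leading zeros allowed."""
    if n < 0:
        raise ValueError("certificate serial/sequence numbers are positive")
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_int_buggy(n: int) -> bytes:
    """The behaviour the bug describes: the magnitude is written as-is, so
    from 128 (0x80) upward the first octet has its top bit set and a
    two's-complement decoder reads the value as negative."""
    if n < 0:
        raise ValueError("certificate serial/sequence numbers are positive")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x02" + _der_len(len(body)) + body


def der_int_decode(buf: bytes) -> int:
    """Strict DER INTEGER decoder (two's complement, as X.690 specifies).
    Short-form length only, which is enough for serial numbers."""
    if buf[0] != 0x02:
        raise ValueError("not an INTEGER")
    length = buf[1]
    body = buf[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(body, "big", signed=True)


def ca_reply_matches(n: int, client_encode) -> bool:
    """Model (an assumption for illustration) of the exchange in the report:
    the client puts its temp cert's number in the request; a conformant CA
    takes the magnitude of what it received and echoes it back, correctly
    encoded, in the CertRep RecipientInfo. Returns True when the client's
    bytes and the CA's bytes agree, False when they diverge."""
    sent = client_encode(n)
    magnitude = int.from_bytes(sent[2:2 + sent[1]], "big", signed=False)
    echoed = der_int_correct(magnitude)
    return sent == echoed


if __name__ == "__main__":
    # The two encoders agree up to 127 and again at 256; they diverge
    # wherever the first content octet would have its top bit set.
    for n in (1, 127, 128, 255, 256):
        print(f"{n:4d} correct={der_int_correct(n).hex():10s} "
              f"buggy={der_int_buggy(n).hex():10s} "
              f"strict-decode-of-buggy={der_int_decode(der_int_buggy(n)):5d} "
              f"CA-reply-matches={ca_reply_matches(n, der_int_buggy)}")
```

Note that the defect is not limited to the 128..255 range: any value whose most significant octet is 0x80 or above (32768..65535, and so on) hits the same rule, so a fix has to test the top bit of the first content octet rather than compare against 127.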

Conditions:
IOS PKI client configured to auto-enroll (renew) with a CA that does not support the Renewal capability.