#47467 Improve Add CRL/CKL dialog and errors
Closed: Fixed None Opened 6 years ago by nkinder.

Description of problem:
Console provides a Manage certificates window for managing server certificates,
CA certificates and certificate revocation lists. A user should be able to
import CRL from Revoked Certs -> Add menu by specifying a path to CRL. This
currently does not work, even though CRL can be imported from command line.

Steps to Reproduce:
1. Make sure CA certificate is imported in certdb of DS
2. Obtain CRL in DER format:
[jrusnack@dstet ~]$ openssl crl -inform DER -in /myca.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CZ/L=Brno/O=Redhat Inc.
Last Update: May 24 11:16:40 2013 GMT
Next Update: Jun 23 11:16:40 2013 GMT
CRL extensions:
X509v3 CRL Number:
2
Revoked Certificates:
Serial Number: 01
Revocation Date: May 24 09:51:35 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
2c:01:5d:d4:ac:6d:bf:ce:6e:dd:55:52:30:4d:bc:57:b8:2b:
b5:32:ca:b2:e3:79:32:a4:04:33:82:56:fc:ab:41:74:7d:12:
5a:36:9b:be:b8:6d:86:e0:34:b4:cc:34:8e:05:41:38:3a:47:
e9:3d:e3:19:53:8d:a9:2e:7c:5c:f9:3e:0b:cb:78:71:d1:b9:
c7:d5:64:7b:64:52:76:e0:57:79:0e:2d:e5:1c:fe:22:e1:8f:
c6:4a:44:b2:bb:71:ea:63:3b:6e:14:38:01:8f:30:42:b2:a5:
95:d4:12:e1:34:9f:99:8d:bc:b3:09:8e:39:80:ac:e4:c1:f0:
84:fb:b1:76:79:30:64:80:e7:3f:c9:75:04:7d:df:76:56:23:
31:4e:ba:45:2d:00:58:85:e9:83:6c:66:c7:f0:0d:8b:91:4d:
c2:33:ef:aa:ca:00:12:a4:5c:77:da:a7:b5:91:78:88:c5:ae:
fd:3a:68:c0:74:cb:5a:f2:b8:04:cd:5d:9e:46:1f:95:fb:05:
55:09:61:09:b0:68:1e:81:82:fd:6a:cd:91:ca:1c:5d:e0:ad:
39:f9:c8:bb:a8:a5:3e:6a:22:23:69:51:2b:c7:64:97:29:ac:
9a:66:e5:1e:99:4c:d5:65:50:87:b8:5a:d4:db:9a:df:1a:9b:
8b:3a:44:4e
[jrusnack@dstet ~]$ ls -l /myca.crl
-rwxrwxrwx. 1 jrusnack jrusnack 621 May 24 12:07 /myca.crl

3. Try to import via console:

Enter CRL/CLK file:
/myca.crl
- File contain a Certificate Revocation List (CRL)
File contain a Compromised Key List (CKL)

Error is returned "Could not open file /myca.crl. File does not exist or
filename is invalid.", see the attachment.

4. Try importing via command line:
    [jrusnack@dstet slapd-dstet]$ crlutil -I -d . -a -t 1 -i /myca.crl
    Enter Password or Pin for "NSS Certificate DB":

All OK

5. Open Manage Certificates -> Revoked Certs in console:
    imported CRL is present

Actual results:
Import of CRL via console should be successful


The issue here is that the CRL file can only be imported from the directory where the cert/key databases exist. This is mentioned in the on-line help page that is accessed by clicking on the "Help" button on the "Add CRL/CKL" dialog in Console. Here is what the help page states:

{{{Enter CRL/CKL file. Provide the name of the file containing the CRL or CKL. This file must exist in the same directory as your key and cert database.}}}

Only the filename for the CRL/CKL file should be specified in the console. An absolute or relative path does not work. We can improve the validation of the filename to present a more useful error message. We can also improve the text in the dialog so it is clear that you are supposed to only input a CRL/CKL filename that must exist in the certificate database location.

There might still be other issues with CRL/CKL importing, as I am getting errors about an invalid CRL even when I use a correct filename.

The security CGI expects the CRL file to be in PEM format (base64 encoded DER). I was previously trying to import a CRL in DER format, which triggered the "invalid CRL/CKL" message. The "Add CRL/CKL" dialog, on-line help page, and error message should be improved to make it clear that the expected format is PEM.
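The two constraints described above (only a bare filename located in the cert/key database directory is accepted, and the file must be PEM rather than DER) are the kind of input validation the improved error messages are about. The following is an added example, not code from this ticket, the 389 admin server security CGI, or the console patches: a small standalone validator that applies both checks and returns a message stating the actual rule that was violated. Function names, the error wording and the sample files are constructed for illustration; the `openssl crl -inform DER -outform PEM` conversion it suggests is the standard OpenSSL invocation.

```python
import os
from pathlib import Path

# Added example (not the ticket's or 389's own code): the two checks an
# "Add CRL/CKL" import needs before handing the file to crlutil.
#   1. the input must be a bare filename inside the cert/key DB directory
#   2. the file must be PEM (base64-encoded DER), not raw DER
# The error texts are constructed to show a clearer message; they are not
# the wording of the actual patch.


class CrlImportError(ValueError):
    """Carries a user-facing message explaining why the import was refused."""


def resolve_crl_file(certdb_dir, user_input):
    """Return the Path of the CRL/CKL file named by user_input inside certdb_dir.

    Only a plain filename is accepted; absolute or relative paths and '..'
    are rejected with a message that states the rule, instead of the
    generic 'file does not exist'.
    """
    name = user_input.strip()
    if not name:
        raise CrlImportError("No CRL/CKL filename was entered.")
    if name in (".", "..") or os.path.basename(name) != name:
        raise CrlImportError(
            "'%s' is not a plain filename. Enter only the name of the CRL/CKL "
            "file; it must be located in the certificate database directory "
            "%s." % (name, certdb_dir))
    base = Path(certdb_dir).resolve()
    path = (base / name).resolve()
    # A symlink inside the DB directory could still point elsewhere; insist
    # that the resolved file is a direct child of the DB directory.
    if path.parent != base:
        raise CrlImportError(
            "'%s' resolves outside the certificate database directory %s."
            % (name, certdb_dir))
    if not path.is_file():
        raise CrlImportError(
            "Could not open file '%s' in %s. The file does not exist in the "
            "certificate database directory." % (name, certdb_dir))
    return path


def detect_crl_format(data):
    """Classify file content as 'PEM', 'DER' or 'unknown' from its leading bytes."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):
        return "PEM"
    # A DER-encoded CRL (like any X.509 structure) begins with the ASN.1
    # SEQUENCE tag 0x30 followed by a length octet.
    if len(head) >= 2 and head[0] == 0x30:
        return "DER"
    return "unknown"


def check_crl_for_import(certdb_dir, user_input):
    """Run both checks; return (path, format) or raise CrlImportError."""
    path = resolve_crl_file(certdb_dir, user_input)
    fmt = detect_crl_format(path.read_bytes())
    if fmt == "DER":
        raise CrlImportError(
            "'%s' is a DER-encoded file. The CRL/CKL must be in PEM format "
            "(base64-encoded DER); convert it with: openssl crl -inform DER "
            "-in %s -outform PEM -out %s.pem" % (path.name, path.name, path.name))
    if fmt != "PEM":
        raise CrlImportError(
            "'%s' does not look like a PEM-encoded CRL/CKL." % path.name)
    return path, fmt


def explain(certdb_dir, user_input):
    """Return the error message for a dialog input, or None when it passes."""
    try:
        check_crl_for_import(certdb_dir, user_input)
    except CrlImportError as exc:
        return str(exc)
    return None


def run_demo():
    """Build a temporary 'cert DB' directory holding constructed sample files
    and return {dialog input: error message or None} for typical inputs."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as certdb:
        # Constructed samples: a DER-style SEQUENCE prefix and a PEM armor.
        Path(certdb, "myca.crl").write_bytes(b"\x30\x82\x02\x6d\x30\x82\x01\x55")
        Path(certdb, "myca.pem").write_text(
            "-----BEGIN X509 CRL-----\nMIICbTCCAVU=\n-----END X509 CRL-----\n")
        for entry in ("/myca.crl", "../myca.crl", "myca.crl", "missing.crl", "myca.pem"):
            results[entry] = explain(certdb, entry)
    return results


if __name__ == "__main__":
    for entry, message in run_demo().items():
        print("%-12s -> %s" % (entry, message or "OK (PEM)"))
```

Running the block shows the four failure cases from the ticket (absolute path, relative path, DER-encoded file, missing file) each producing a message that names the violated rule, and only the PEM file in the DB directory passing. The format check reads only the leading bytes, so it refuses a DER file before any parsing is attempted rather than surfacing a generic "invalid CRL/CKL" later.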

Screenshot (CRL path error)
console-crlpath-error.png

Screenshot (CRL format error)
cosole-crlformat-error.png

The attached Admin Server patch improves the error messages that are returned by the security CGI. I have attached screenshots that show these new error messages as displayed by Console.

Additional changes are needed to 389-admin-console to improve the online-help, and idm-console-framework to improve the "Add CRL/CKL" dialog.

Screenshot (CRL Dialog)
console-crldialog.png

The attached IDM Console Framework patch improves the text on the "Add CRL/CKL" dialog. The new dialog can be seen in the attached screenshot.

The attached 389-admin-console patch improves the online help page that is accessed from the Console.

Thanks to Noriko for her reviews! Patches pushed to master:

Counting objects: 9, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 837 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
4555aff..0de3949 master -> master

Counting objects: 19, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (10/10), 1.46 KiB, done.
Total 10 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/idm-console-framework.git
e043c5b..4d6f8c2 master -> master

Counting objects: 11, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (6/6), 702 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
91568bd..9ef26b8 master -> master

git patch file (adminserver master) -- additional fixes to the error messages
0001-Ticket-47467-Improve-Add-CRL-CKL-dialog-and-errors.patch

Thank you for reviewing the patch, Rich!

https://fedorahosted.org/389/attachment/ticket/47467/0001-Ticket-47467-Improve-Add-CRL-CKL-dialog-and-errors.patch

Pushed to master:
a22fbf9..1bece0e master -> master
commit 1bece0e524811a0da8aae5a27c3c130a7e452a4e

Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 389-admin,console 1.1.35

3 years ago
