#47467 Improve Add CRL/CKL dialog and errors
Closed: Fixed None Opened 6 years ago by nkinder.

Description of problem:
Console provides a Manage certificates window for managing server certificates,
CA certificates and certificate revocation lists. A user should be able to
import CRL from Revoked Certs -> Add menu by specifying a path to CRL. This
currently does not work, even though CRL can be imported from command line.

Steps to Reproduce:
1. Make sure CA certificate is imported in certdb of DS
2. Obtain CRL in DER format:
[jrusnack@dstet ~]$ openssl crl -inform DER -in /myca.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CZ/L=Brno/O=Redhat Inc.
Last Update: May 24 11:16:40 2013 GMT
Next Update: Jun 23 11:16:40 2013 GMT
CRL extensions:
X509v3 CRL Number:
Revoked Certificates:
Serial Number: 01
Revocation Date: May 24 09:51:35 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
[jrusnack@dstet ~]$ ls -l /myca.crl
-rwxrwxrwx. 1 jrusnack jrusnack 621 May 24 12:07 /myca.crl

  1. Try to import via console

Enter CRL/CLK file:
- File contain a Certificate Revocation List (CRL)
File contain a Compromised Key List (CKL)

Error is returned "Could not open file /myca.crl. File does not exist or
filename is invalid.", see the attachment.

  1. Try importing via command line:
    [jrusnack@dstet slapd-dstet]$ crlutil -I -d . -a -t 1 -i /myca.crl
    Enter Password or Pin for "NSS Certificate DB":

All OK

  1. Open Manage Certificates -> Revoked Certs in console:
    imported CRL is present

Actual results:
Import of CRL via console should be successful

The issue here is that the CRL file can only be imported from the directory where the cert/key databases exist. This is mentioned in the on-line help page that is accessed by clicking on the "Help" button on the "Add CRL/CKL" dialog in Console. Here is what the help page states:

{{{Enter CRL/CKL file. Provide the name of the file containing the CRL or CKL. This file must exist in the same directory as your key and cert database.}}}

Only the filename for the CRL/CKL file should be specified in the console. An absolute or relative path does not work. We can improve the validation of the filename to present a more useful error message. We can also improve the text in the dialog so it is clear that you are supposed to only input a CRL/CKL filename that must exist in the certificate database location.

There might still be other issues with CRL/CKL importing, as I am getting errors about an invalid CRL even when I use a correct filename.

The security CGI expects the CRL file to be in PEM format (base64 encoded DER). I was previously trying to import a CRL in DER format, which triggered the "invalid CRL/CKL" message. The "Add CRL/CKL" dialog, on-line help page, and error message should be improved to make it clear that the expected format is PEM.

Screenshot (CRL path error)

Screenshot (CRL format error)

The attached Admin Server patch improves the error messages that are returned by the security CGI. I have attached screenshots that show these new error messages as displayed by Console.

Additional changes are needed to 389-admin-console to improve the online-help, and idm-console-framework to improve the "Add CRL/CKL" dialog.

Screenshot (CRL Dialog)

The attached IDM Console Framework patch improves the text on the "Add CRL/CKL" dialog. The new dialog can be see in the attached screenshot.

The attached 389-admin-console patch improves the online help page that is accessed from the Console.

Thanks to Noriko for her reviews! Patches pushed to master:

Counting objects: 9, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 837 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
4555aff..0de3949 master -> master

Counting objects: 19, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (10/10), 1.46 KiB, done.
Total 10 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/idm-console-framework.git
e043c5b..4d6f8c2 master -> master

Counting objects: 11, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (6/6), 702 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
91568bd..9ef26b8 master -> master

git patch file (adminserver master) -- additional fixes to the error messages

Thank you for reviewing the patch, Rich!


Pushed to master:
a22fbf9..1bece0e master -> master
commit 1bece0e524811a0da8aae5a27c3c130a7e452a4e

Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 389-admin,console 1.1.35

3 years ago

Login to comment on this ticket.

Attachments 3