#3354 ifp: Users.FindByCertificate fails when certificate contains data before encapsulation boundary
Closed: Fixed 7 years ago Opened 7 years ago by dkupka.

When openssl is used to export a certificate to PEM from PKCS12 it prepends some metadata about the certificate to the file. According to RFC 7468 this is allowed, but SSSD returns an "Invalid certificate format" error.

Data before the encapsulation boundaries are permitted, and parsers MUST NOT malfunction when processing such data. [https://tools.ietf.org/html/rfc7468#section-2]

Steps to reproduce:

# openssl pkcs12 -in tuser.p12 -nokeys -passin pass:"" -out tuser.pem
# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat tuser.pem)"

Actual result:

Error org.freedesktop.DBus.Error.InvalidArgs: Invalid certificate format

Expected result:

Error org.freedesktop.sssd.Error.NotFound: User not found

or

method return time=1490868128.481856 sender=:1.263 -> destination=:1.268 serial=13 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2ecom/902400001"

Relevant part of sssd_ifp.log

(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.infopipe.Users.FindByCertificate on path /org/freedesktop/sssd/infopipe/Users
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_get_sender_id_send] (0x2000): Looking for identity of sender [:1.266]
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_add_timeout] (0x2000): 0x564940797910
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_remove_timeout] (0x2000): 0x564940797910
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_dispatch] (0x4000): dbus conn: 0x564940779690
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sss_cert_pem_to_der] (0x0020): Wrong PEM header.
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sss_cert_pem_to_derb64] (0x0040): sss_cert_pem_to_der failed.
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [ifp_users_find_by_cert] (0x0040): sss_cert_pem_to_derb64 failed.
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_dispatch] (0x4000): dbus conn: 0x564940779690
(Thu Mar 30 12:00:48 2017) [sssd[ifp]] [sbus_dispatch] (0x4000): Dispatching.

Additional info:
The same error also affects the ListByCertificate and FindByNameAndCertificate methods.


Attaching a sample certificate to ease reproducing the issue:

Bag Attributes
    friendlyName: tuser
    localKeyID: 44 E7 77 D7 D6 42 5E A9 66 81 7C FD B9 31 F0 30 94 E4 04 7B
subject=/CN=tuser
issuer=/CN=tuser
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
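An added example in C (not SSSD's code and not the fix from the pull request) contrasting a strict extractor, which requires the BEGIN boundary at offset 0 and so rejects the openssl output above, with a tolerant one that follows RFC 7468 section 2 and skips the preamble. The function names and the sample PEM text are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PEM_HEAD "-----BEGIN CERTIFICATE-----"
#define PEM_FOOT "-----END CERTIFICATE-----"

/* Tolerant extractor (RFC 7468 section 2): skip anything before the BEGIN
 * boundary, then copy the base64 body between the boundaries with line
 * breaks and other whitespace removed. Returns a malloc'ed string, or NULL
 * when no complete CERTIFICATE block is present. Caller frees the result. */
char *pem_cert_body(const char *pem)
{
    const char *start = strstr(pem, PEM_HEAD);
    if (start == NULL) return NULL;
    start += strlen(PEM_HEAD);
    const char *end = strstr(start, PEM_FOOT);
    if (end == NULL) return NULL;
    char *out = malloc((size_t)(end - start) + 1);
    if (out == NULL) return NULL;
    size_t n = 0;
    for (const char *p = start; p < end; p++)
        if (*p != '\n' && *p != '\r' && *p != ' ' && *p != '\t') out[n++] = *p;
    out[n] = '\0';
    return out;
}

/* Strict variant: the boundary must be at offset 0, so openssl's "Bag
 * Attributes" preamble makes it fail, like "Wrong PEM header" in the log. */
char *pem_cert_body_strict(const char *pem)
{
    if (strncmp(pem, PEM_HEAD, strlen(PEM_HEAD)) != 0) return NULL;
    return pem_cert_body(pem);
}
/* Constructed input: openssl-style metadata before the boundary and a made-up
 * base64 body (not a real certificate). */
static const char SAMPLE_PEM[] =
    "Bag Attributes\n    friendlyName: tuser\n"
    "subject=/CN=tuser\nissuer=/CN=tuser\n"
    "-----BEGIN CERTIFICATE-----\nMIIBAAAB\nCCDD==\n-----END CERTIFICATE-----\n";

int main(void)
{
    char *strict = pem_cert_body_strict(SAMPLE_PEM);   /* NULL: rejected */
    char *body = pem_cert_body(SAMPLE_PEM);            /* "MIIBAAABCCDD==" */
    printf("strict: %s\ntolerant: %s\n", strict ? strict : "Invalid certificate format", body);
    free(strict); free(body);
    return 0;
}
```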

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)

7 years ago

Since the ticket was triaged for the 'Never unless contributed' milestone and I believe the fix is easy, I took the opportunity and spent a nice hour with SSSD: https://github.com/SSSD/sssd/pull/221

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.3 (was: SSSD Future releases (no date set yet))
- Issue status updated to: Closed (was: Open)

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4384

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
