#76 dogtag-ipa-renew-agent-submit returns PEM with unrecommended formatting
Closed 2 years ago Opened 2 years ago by stlaz.

When dogtag-ipa-renew-agent-submit is called to receive a certificate, it returns this certificate as such:

-----BEGIN CERTIFICATE-----
<BASE64-cert>
<newline>
-----END CERTIFICATE-----

While the extra newline does not make the certificate representation invalid, it's highly discouraged by the RFC for the PEM producers to include it in there.

Also, OpenSSL fails to read a PEM certificate which is formatted as such.


This is blocking FreeIPA Python 3 adoption, please add appropriate priority.

I was under the impression you volunteered to look at it which is why I haven't touched it.

I did not yet have time to do it, sorry. I would just like to raise the priority of the issue should I not be able to work on it.

Can you provide more details on reproducing this or what workaround(s) you've put into IPA?

The workaround is to be found in the freeipa/install/certmonger/dogtag-ipa-ca-renew-agent-submit file in the fix_pem() function to be found at https://github.com/freeipa/freeipa/blob/79955189217fec328f2d561a4a1a23ddb29eac44/install/certmonger/dogtag-ipa-ca-renew-agent-submit#L71

To reproduce the issue, simply add a line to the above-mentioned script which would extract the retrieved certificate from dogtag-ipa-renew-agent-submit somewhere where you can reach it. A good example to add the line to would be the request_cert() function in the dogtag-ipa-ca-renew-agent-submit script. After that, resubmit the request for the IPA RA certificate using getcert request -i <REQ_NUM> and see what you got.

You can also try to perform openssl x509 -in <yourfile> -text to see the failure or try to use python-cryptography x509.load_pem_x509_certificate() function which should use the same methods the openssl tool uses.
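An added example, not code from the ticket, certmonger or FreeIPA: it builds a constructed copy of the malformed output described above (CRLF endings plus a blank line before the END marker, with a made-up base64 body rather than a real certificate), reports the formatting defects, and re-emits the block the way a workaround such as the fix_pem() mentioned above has to. Function names and sample data are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample of what the ticket shows dogtag returning: CRLF line
# endings and a blank line between the base64 body and the END marker.
# The body is base64 of a constructed byte string, not a real certificate.
BODY_BYTES = b"constructed DER stand-in, not a real certificate" * 3
_B64 = base64.b64encode(BODY_BYTES).decode("ascii")
RAW_DOGTAG_OUTPUT = (
    "<base64Cert>-----BEGIN CERTIFICATE-----\r\n"
    + "".join(_B64[i:i + 64] + "\r\n" for i in range(0, len(_B64), 64))
    + "\r\n"  # the stray blank line the ticket is about
    + "-----END CERTIFICATE-----</base64Cert>"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_issues(text):
    """List RFC 7468 formatting problems found inside each PEM block."""
    issues = []
    for match in PEM_BLOCK.finditer(text):
        inner = match.group(2)
        if "\r" in inner:
            issues.append("carriage return")
        lines = inner.splitlines()
        if lines and lines[0].strip() == "":
            lines = lines[1:]  # empty remainder of the BEGIN line itself
        if any(line.strip() == "" for line in lines):
            issues.append("blank line inside block")
        if any(len(line.strip()) > 64 for line in lines):
            issues.append("line longer than 64 characters")
        try:
            base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except (binascii.Error, ValueError):
            issues.append("body is not valid base64")
    return issues


def fix_pem(text):
    """Re-emit every PEM block with LF endings, boundary lines and payload only."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        lines = [l.strip() for l in match.group(2).splitlines() if l.strip()]
        blocks.append("-----BEGIN %s-----\n%s\n-----END %s-----\n"
                      % (label, "\n".join(lines), label))
    return "".join(blocks)


def pem_body(text):
    """Decode the first PEM block's payload to bytes (what a DER parser would get)."""
    match = PEM_BLOCK.search(fix_pem(text))
    if match is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(2).split()), validate=True)
```

Running pem_issues() over the certmonger output in a renewal helper is a cheap way to notice a regression like this one before OpenSSL or python-cryptography rejects the file.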

@stlaz I'm still working on where this extra nl is getting inserted but in the meantime you can use os.environ.get('CERTMONGER_CERTIFICATE') to get a valid copy rather than using stdout.

FWIW it looks like dogtag is returning the extra newline:

<base64Cert>-----BEGIN CERTIFICATE-----
<base64 certificate body omitted>

-----END CERTIFICATE-----</base64Cert>

@rcritten Thank you so much for discovering this, I was afraid it would be a dogtag issue.

Nalin provided a patch that fixes this in certmonger. We can remove it once dogtag corrects their own output.

master: 5d12514

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Reopening; looks like some lines in tests/019-dparse/run.sh were missed; the test cases that were added are not being run therefore the tests are failing.

Uh, I don't have ticket edit permission for certmonger in pagure, but yeah this should be reopened to fix the failing tests (or just fix the failing tests ^_^)

Cheers!

It was actually a file missing from dist (tests passed in-tree but failed during RPM build).

Patch attached.
certmonger-ftweedal-0000-Add-missing-test-input-to-dist.patch

Metadata Update from @rcritten:
- Issue close_status updated to: None (was: fixed)

2 years ago
