#2827 pki-server subsystem-cert-validate: failure with large serial numbers
Closed: fixed 6 years ago Opened 6 years ago by ftweedal.

The pki-server subsystem-cert-validate command fails when dealing with a certificate
with a large serial number. This can cause installation failure.

The problem arises because pki.nssdb.NSSDatabase.get_cert_info() uses
a regular expression to search for the serial number in the certutil -L output.
When the serial number is small it is formatted like:

        ...
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: ...

But when the serial number is large, it is formatted like:

        ...
        Version: 3 (0x2)
        Serial Number:
            48:00:00:00:11:04:b6:f1:74:bd:63:2c:4b:00:00:00
            00:00:11
        Signature Algorithm: ...

The latter scenario is not handled by the regex and causes a crash:

        Traceback (most recent call last):
          File "/sbin/pki-server", line 116, in <module>
            cli.execute(sys.argv)
          File "/sbin/pki-server", line 108, in execute
            super(PKIServerCLI, self).execute(args)
          File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 204, in execute
            module.execute(module_args)
          File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 204, in execute
            module.execute(module_args)
          File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 204, in execute
            module.execute(module_args)
          File "/usr/lib/python2.7/site-packages/pki/server/cli/subsystem.py", line 952, in execute
            certs = [subsystem.get_subsystem_cert(cert_id)]
          File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 157, in get_subsystem_cert
            return self.create_subsystem_cert_object(cert_id)
          File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 181, in create_subsystem_cert_object
            cert_info = nssdb.get_cert_info(nickname)
          File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 644, in get_cert_info
            serial = re.search(r'Serial Number.*?(\d+)', cert_details).group(1).strip()
        AttributeError: 'NoneType' object has no attribute 'group'
        ERROR: 'NoneType' object has no attribute 'group'
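
The two layouts described in this issue, handled by one parser. This is an added example, not part of the original report and not the change made in the project's fix; `parse_serial` and `legacy_match` are hypothetical names, the sample text is copied from the excerpts above, and Python 3 is assumed.

```python
import re

# Excerpts of `certutil -L` output as quoted in the issue above.
SMALL = """\
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: ...
"""
LARGE = """\
        Version: 3 (0x2)
        Serial Number:
            48:00:00:00:11:04:b6:f1:74:bd:63:2c:4b:00:00:00
            00:00:11
        Signature Algorithm: ...
"""

FIELD = re.compile(r'\s*Serial Number:\s*(.*?)\s*$')
INLINE = re.compile(r'(\d+)\s*\(0x([0-9a-fA-F]+)\)')
OCTETS = re.compile(r'[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*:?')


def legacy_match(cert_details):
    """The pattern shown in the traceback; returns None for the long form."""
    return re.search(r'Serial Number.*?(\d+)', cert_details)


def parse_serial(cert_details):
    """Return the serial number as an int for either layout (hypothetical helper)."""
    lines = cert_details.splitlines()
    for i, line in enumerate(lines):
        field = FIELD.match(line)
        if not field:
            continue
        inline = INLINE.fullmatch(field.group(1))
        if inline:                       # "15 (0xf)": decimal and hex must agree
            value = int(inline.group(1))
            if value != int(inline.group(2), 16):
                raise ValueError('decimal and hex serial disagree')
            return value
        digits = ''
        for cont in lines[i + 1:]:       # indented rows of colon-separated octets
            cont = cont.strip()
            if not OCTETS.fullmatch(cont):
                break
            digits += cont.replace(':', '')
        if not digits:
            raise ValueError('unrecognised Serial Number layout')
        return int(digits, 16)
    raise ValueError('no Serial Number field found')
```

Unrecognised input raises `ValueError` with a message naming the problem, rather than failing later on a `None` match object.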

Metadata Update from @ftweedal:
- Issue assigned to ftweedal

6 years ago

Metadata Update from @ftweedal:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

6 years ago

Metadata Update from @edewata:
- Issue priority set to: blocker
- Issue set to the milestone: 10.5

6 years ago

Fixed in master (1daa33b4ff3b5e4ebb80219c1891abb8bbf7fbe9)

Metadata Update from @ftweedal:
- Issue priority set to: None (was: blocker)
- Issue set to the milestone: None (was: 10.5)

6 years ago

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @vakwetu:
- Issue priority set to: major
- Issue set to the milestone: 10.5

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.0 (was: 10.5)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.0-1.fc27

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2947

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
