#3005 Installation with external CSR fails
Closed: fixed 5 years ago Opened 5 years ago by cheimes.

Installation with external CSR fails, because generate_csr / create_request methods pass str instead of bytes to subprocess. See https://fedorapeople.org/groups/freeipa/prci/jobs/11243180-4c42-11e8-87d9-fa163e63acdb/test_external_ca.py-TestExternalCA--test_external_ca/master.ipa.test/var/log/

2018-04-30 06:49:09 pki.nssdb   : DEBUG    Command: certutil -R -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpehzy51ho/password.txt -s CN=Certificate Authority,O=IPA.TEST -o /tmp/tmpehzy51ho/request.bin -z /tmp/tmpehzy51ho/noise.bin -k rsa -g 2048 -Z SHA256 --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical -2
2018-04-30 06:49:09 pkispawn    : DEBUG    ....... Error Type: TypeError
2018-04-30 06:49:09 pkispawn    : DEBUG    ....... Error Message: memoryview: a bytes-like object is required, not 'str'
2018-04-30 06:49:09 pkispawn    : DEBUG    .......   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 952, in spawn
    self.generate_system_cert_requests(deployer, nssdb, subsystem)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 353, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, nssdb, subsystem)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 177, in generate_ca_signing_csr
    generic_exts=generic_exts
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 124, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python3.6/site-packages/pki/nssdb.py", line 558, in create_request
    p.communicate(keystroke)
  File "/usr/lib64/python3.6/subprocess.py", line 843, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib64/python3.6/subprocess.py", line 1499, in _communicate
    input_view = memoryview(self._input)

Metadata Update from @cheimes:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

5 years ago

Metadata Update from @cheimes:
- Issue priority set to: blocker
- Issue set to the milestone: 10.6

5 years ago

Metadata Update from @cheimes:
- Issue assigned to cheimes

5 years ago

Fixed in commit f9a48a40491726c6c83bc5e1f624aa550c2a5b8d to master

It looks like the CA signing cert got imported into CS.cfg as a binary string:

$ grep ca.signing.cert= /etc/pki/pki-tomcat/ca/CS.cfg
ca.signing.cert=b'<base-64 encoded cert>'

The ca.signing.cert parameter is set in this code:
https://github.com/dogtagpki/pki/blob/d3af85674f76eb2ece82ffb8eacc9a042264e72c/base/server/python/pki/server/deployment/scriptlets/configuration.py#L567

We probably should make sure that NSSDatabase.get_cert() returns a normal string instead of a binary string for PEM, base-64, and pretty-print formats:
https://github.com/dogtagpki/pki/blob/d3af85674f76eb2ece82ffb8eacc9a042264e72c/base/common/python/pki/nssdb.py#L897

Note: in the future we might want to support DER format for get_cert(), in which case the output should be a binary string.

Good catch, Endi!

I tried to change the return type first, but I ran into multiple errors in e.g. cert validation. It seems like other places in our code base depend on bytes. Also PyCA cryptography and IPA always treat certs as bytes, even PEM/base64 encoded certs.

I created https://review.gerrithub.io/c/dogtagpki/pki/+/409645 . The PR converts the cert to ASCII text for serialization to JSON or disk. The config writer for CS.cfg now catches unsupported value types like bytes.

With the patch, FreeIPA's external CA feature works.
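Added example (not Dogtag's code and not the fix from the PR above) showing both halves of the problem in plain Python: a bytes-mode subprocess pipe fed a str fails with the same TypeError as the pkispawn traceback, and a CS.cfg writer that refuses bytes values instead of serializing their repr(). The echo child standing in for certutil and the certificate value are constructed placeholders.

```python
import subprocess
import sys

# Constructed stand-in for certutil: a child process that echoes stdin to stdout.
ECHO_CHILD = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]

def run_with_stdin(argv, keystroke):
    """Run argv with keystroke on stdin; str is encoded, since the pipe is bytes."""
    # A Popen opened without text=True/encoding= accepts only bytes in
    # communicate(); a str fails inside memoryview(self._input), as in the traceback.
    if isinstance(keystroke, str):
        keystroke = keystroke.encode("ascii")
    with subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE) as p:
        out, _ = p.communicate(keystroke)
    return p.returncode, out

def str_input_raises_typeerror(argv, keystroke):
    """Reproduce the bug: feed a str to the bytes pipe and report the TypeError."""
    with subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE) as p:
        try:
            p.communicate(keystroke)
        except TypeError as exc:
            return "bytes-like object is required" in str(exc)
    return False

def cert_to_text(cert):
    """PEM/base64 certificate bytes become str before going into CS.cfg or JSON."""
    if isinstance(cert, bytes):
        return cert.decode("ascii")
    if isinstance(cert, str):
        return cert
    raise TypeError("certificate must be str or bytes, not %s" % type(cert).__name__)

def render_cs_cfg(params):
    """Serialize key=value lines, refusing non-str values instead of writing repr()."""
    lines = []
    for key, value in params.items():
        if not isinstance(value, str):
            raise TypeError("%s: unsupported value type %s" % (key, type(value).__name__))
        lines.append("%s=%s" % (key, value))
    return "\n".join(lines) + "\n"

def cs_cfg_rejects(params):
    """True if render_cs_cfg refuses params, e.g. a bytes value for ca.signing.cert."""
    try:
        render_cs_cfg(params)
    except TypeError:
        return True
    return False
```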

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.6.1 (was: 10.6)

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3123

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
