#6160 ipa vault-retrieve internal error when using the wrong public key
Closed: Fixed None Opened 7 years ago by mbasti.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1362312

Description of problem:

When retrieving an asymmetric vault with the incorrect private key, you see an
internal error:

[root@rhel7-1 ~]# ipa vault-retrieve testvault1 --private-key-file=/tmp/key2.prv
ipa: ERROR: non-public: ValueError: Decryption failed.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 137, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 993, in forward
    encryption_key = decrypt(encrypted_key, private_key=private_key)
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 164, in decrypt
    label=None
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 538, in decrypt
    return _enc_dec_rsa(self._backend, self, ciphertext, padding)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 76, in _enc_dec_rsa
    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 105, in _enc_dec_rsa_pkey_ctx
    _handle_rsa_enc_dec_error(backend, key)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 151, in _handle_rsa_enc_dec_error
    raise ValueError("Decryption failed.")
ValueError: Decryption failed.
ipa: ERROR: an internal error has occurred


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. generate 2 sets of keys to test with

openssl genrsa -out /tmp/key1.prv 2048
openssl rsa -in /tmp/key1.prv -out /tmp/key1.pub -pubout
openssl genrsa -out /tmp/key2.prv 2048
openssl rsa -in /tmp/key2.prv -out /tmp/key2.pub -pubout

2. Create new vault with some content

ipa vault-add --type=asymmetric testvault1 --public-key-file=/tmp/key1.pub
ipa vault-archive testvault1 --data="U2VjcmV0MTIzCg=="

3. Attempt to retrieve with the unused key file

ipa vault-retrieve testvault1 --private-key-file=/tmp/key2.prv
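The failure behind these steps, reproduced outside IPA as an added example (not FreeIPA's own code): the vault's data key is RSA-OAEP wrapped with the vault public key, and the `cryptography` library (the one in the traceback) raises ValueError("Decryption failed.") when the OAEP padding check fails under the wrong private key. The wrapper below catches that ValueError and turns it into a clean client error, which is the kind of handling the fix applies; the OAEP hash parameters and the VaultDecryptError name are assumptions, the page only shows the `label=None` call.

```python
# Added example, not FreeIPA code. Assumes the `cryptography` package is installed.
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


class VaultDecryptError(Exception):
    """User-facing error raised instead of letting ValueError escape (hypothetical name)."""


# OAEP parameters are assumed; the ticket's traceback shows only label=None.
_OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                     algorithm=hashes.SHA1(), label=None)


def wrap_key(session_key, public_key):
    """vault-archive side: wrap the data key with the vault's public key."""
    return public_key.encrypt(session_key, _OAEP)


def unwrap_key(encrypted_key, private_key):
    """vault-retrieve side: unwrap with the user-supplied private key."""
    try:
        return private_key.decrypt(encrypted_key, _OAEP)
    except ValueError as e:
        # Wrong key (or corrupted blob): OAEP check fails and cryptography raises
        # ValueError("Decryption failed."). Before the fix this propagated up the
        # command stack as "an internal error"; report it as a client error instead.
        raise VaultDecryptError("Invalid private key or corrupted data") from e


def reproduce():
    """Mirror the ticket: key1 creates the vault, key2 is the unrelated key."""
    key1 = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key2 = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    session_key = os.urandom(32)  # constructed: the symmetric key protecting the data
    encrypted_key = wrap_key(session_key, key1.public_key())

    correct_key_works = unwrap_key(encrypted_key, key1) == session_key
    try:
        unwrap_key(encrypted_key, key2)
        wrong_key_is_clean_error = False
    except VaultDecryptError:
        wrong_key_is_clean_error = True
    return correct_key_works, wrong_key_is_clean_error


if __name__ == "__main__":
    print(reproduce())
```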

Actual results:

Internal error and stack trace shown above

Expected results:

no internal error

Additional info:

Error message from /var/log/httpd/error_log:

[Mon Aug 01 19:05:26.560451 2016] [:error] [pid 5226] ipa: INFO:
[jsonserver_session] admin@EXAMPLE.COM:
vault_retrieve_internal/1(u'testvault1', session_key='\\xdb\\xb5\\x10\\x93\\xa3
\\xe7\\xb9c\\xa0\\xce@\\xbe\\xdda\\x8a\\xe6\\xa9\\x96\\xfc((\\xe5\\xb4\\x11\\x1
7W\\t\\xbf\\xa2\\x1c)\\xc6\\x98e\\x19\\xf9G\\xfc\\x9f\\xbb\\x1b\\x9c5\\xdb\\xc9
R1\\xa0\\xd4Z\\xb0;\\x1d\\xc4\\xea\\xfeB6>\\x1e\\x8dk\\x11\\xb8\\x91\\xc4\\xfcw
l\\x06\\x85.\\xf6\\x89\\x0f\\xa6\\x91\\xe1C"\\x17\\xa4L.\\xf6\\x04\\x8e\\x83\\x
fe\\xef\\x07\\x1ca\\x87\\x17>\\x01\\x18\\xe3\\x83G\\xa8\\x93\\xb8\\n(iL\\xc4Ej:
\\x17\\xcf/\\xe2&\\xd1\\xf9:GA\\xfe2N\\xf2!\\xf0]\\xfe\\x8d\\xa7\\xc5\\x19"%\\x
8c\\xae\\\\\\xc4JS\\xf5Z#\\xff\\x93\\xc5\\x96\\xf6\\xe0\\xbc\\x1e{\\xa5\\x9e}Y\
\xc91|\\x17\\xec\\xffo>}\\xb9A\\xb3r\\xb3\\xac\\xd4\\xf3\\xf7\\xa1%\\x83\\xd7\\
x1d\\xd0X\\x12C^\\xc9\\xb0\\xe1m\\xac\\xcb\\x00\\x80\\xfa\\xbd\\x17\\xd6\\xfb=\
\x159r\\x1a>\\xcb\\x85B~b}0\\x8d\\xcc\\xab4\\xcc\\xdf\\x9aVp\\x97\\xc6\\xd3\\x9
b\\xbb>\\x0c-`\\x1dB\\xa2\\xae\\xbc\\xb4\\xecY\\x1d\\xabf_\\xecr81\\x90\\x99\\x
cfs\\x19\\xdc\\xea\\xed\\x07L', version=u'2.211'): SUCCESS

master:

  • 8ab0ad5 vault: Catch correct exception in decrypt

Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.1

7 years ago
