#6700 API cret_request fails on incorrect DER format using openssl
Closed: wontfix 5 years ago by rcritten. Opened 7 years ago by lvg01.

The api fails with

Traceback (most recent call last):
  File "./t", line 61, in <module>
    rec = api.Command['cert_request'](principal=principal, csr=csr)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 440, in __call__
    self.validate(**params)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 720, in validate
    param.validate(value, self.env.context, supplied=param.name in kw)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 837, in validate
    self._validate_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 849, in _validate_scalar
    error = rule(ugettext, value)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 157, in validate_csr
    raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % e)
ipalib.errors.CertificateOperationError: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.

The code used is:

#!/usr/bin/env python

import os
from ipapython import ipautil
from ipalib import api, errors, pkcs10   # 'errors' was missing; it is used in the except clause below
from OpenSSL import crypto

user = 'user'
password = 'password'
service = 'TEST'

node = os.uname()[1]
principal = unicode('{0}/{1}'.format(service, node))

# Kerberos initialisation
ipautil.kinit_password(user, password, 'KEYRING:persistent:{0}:{1}'.format(os.getuid(), os.getgid()))

# API bootstrap
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.rpcclient.connect()

# Look the service principal up, creating it if it does not exist yet
try:
    rec = api.Command['service_show'](principal)
except errors.NotFound:
    rec = api.Command['service_add'](principal, subject=unicode(node))

if 'usercertificate' in rec['result']:
    print rec['result']['usercertificate']
else:
    # Create private key
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    pkey = unicode(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
    print pkey

    # Create request
    req = crypto.X509Req()
    req.get_subject().CN = node
    req.get_subject().countryName = 'NL'
    req.get_subject().stateOrProvinceName = 'Province'
    req.get_subject().localityName = 'Locality'
    req.get_subject().organizationName = 'Organization'
    req.get_subject().organizationalUnitName = 'Unit'
    x509_extensions = [
        crypto.X509Extension("keyUsage", False, "Digital Signature, Non Repudiation, Key Encipherment"),
        crypto.X509Extension("basicConstraints", False, "CA:FALSE"),
    ]
    x509_extensions.append(crypto.X509Extension("subjectAltName", False, ', '.join(['DNS: {0}'.format(node)])))
    req.add_extensions(x509_extensions)
    req.set_pubkey(key)
    req.sign(key, "sha512")
    # PEM-encoded CSR, as submitted to cert_request
    csr = unicode(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
    print csr

    # Request the certificate from IPA
    rec = api.Command['cert_request'](principal=principal, csr=csr)

rec = api.Command['service_show'](u'TEST/repo2.zm1.odcnoord.nl')
certificates = rec['result']['usercertificate']
for certificate in certificates:
    # usercertificate values come back as DER, so load them as ASN1 before dumping as PEM
    cert = crypto.dump_certificate(crypto.FILETYPE_PEM, crypto.load_certificate(crypto.FILETYPE_ASN1, certificate))
    print cert

For some reason the OpenSSL library doesn't create the format IPA can read...


It seems IPA only accepts the public key while with OpenSSL.crypto I send a keypair. The documented function OpenSSL.crypto.dump_publickey doesn't exist on my CentOS 7.3 system so there is no way to get this to work....
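The server-side error in this ticket, SEC_ERROR_BAD_DER, says only that the CA could not decode the request. The following is an added example (it is not code from the ticket, from FreeIPA or from pyOpenSSL) of a client-side pre-check that accepts a CSR as either PEM or DER, as the triage note suggests the command could, unwraps the PEM armour, and validates the outer DER structure of a PKCS#10 CertificationRequest (RFC 2986), so an encoding problem is reported with a precise message before anything is sent to the CA. The sample bytes are constructed here: they have the shape of a CSR (version, sha256WithRSAEncryption OID, placeholder signature bits) but are not a real, signed request, and the function names are this example's own.

```python
# Added example (not code from the ticket, FreeIPA or pyOpenSSL): accept a CSR
# as PEM or DER, unwrap PEM, and verify the DER outer structure before calling
# cert_request, so a bad encoding fails client-side with a precise message
# instead of the server's generic SEC_ERROR_BAD_DER.
import base64
import re
import textwrap

PEM_CSR = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def der_tlv(data, offset=0):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset).
    Rejects the BER forms (indefinite or non-minimal length) that DER forbids."""
    if offset + 2 > len(data):
        raise ValueError("truncated: no tag/length bytes at offset %d" % offset)
    tag = data[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected in a CSR")
    first = data[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F
        if n > 4 or offset + n > len(data):
            raise ValueError("bad long-form length")
        lb = data[offset:offset + n]
        offset += n
        if lb[0] == 0 or (n == 1 and lb[0] < 0x80):
            raise ValueError("non-minimal length encoding is BER, not DER")
        length = int.from_bytes(lb, "big")
    end = offset + length
    if end > len(data):
        raise ValueError("declared length %d exceeds remaining %d bytes"
                         % (length, len(data) - offset))
    return tag, data[offset:end], end


def csr_to_der(blob):
    """Return DER bytes for a CSR given as PEM text/bytes or as raw DER."""
    if isinstance(blob, str):
        blob = blob.encode("ascii")
    m = PEM_CSR.search(blob)
    if m:
        # binascii.Error raised by validate=True is a ValueError subclass
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if blob[:1] == b"\x30":
        return blob
    raise ValueError("input is neither a PEM CSR nor a DER SEQUENCE")


def check_csr_der(der):
    """Structural check of CertificationRequest ::= SEQUENCE {
    certificationRequestInfo SEQUENCE, signatureAlgorithm SEQUENCE,
    signature BIT STRING }. Raises ValueError on any deviation."""
    tag, body, end = der_tlv(der)
    if tag != 0x30:
        raise ValueError("outer tag 0x%02x is not SEQUENCE" % tag)
    if end != len(der):
        raise ValueError("%d trailing bytes after the CSR" % (len(der) - end))
    off = 0
    for name, want in (("certificationRequestInfo", 0x30),
                       ("signatureAlgorithm", 0x30), ("signature", 0x03)):
        tag, _, off = der_tlv(body, off)
        if tag != want:
            raise ValueError("%s has tag 0x%02x, expected 0x%02x" % (name, tag, want))
    if off != len(body):
        raise ValueError("unexpected extra element inside CertificationRequest")
    return True


def diagnose_csr(blob):
    """Return ('ok', der_bytes) or ('error', message) without raising."""
    try:
        der = csr_to_der(blob)
        check_csr_der(der)
        return "ok", der
    except ValueError as e:
        return "error", str(e)


def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        lenb = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenb = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenb + content


# Constructed sample with the shape of a CSR; not a real, signed request.
SAMPLE_DER = der(0x30,
    der(0x30, der(0x02, b"\x00"))                                 # info: version 0 only
    + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    + der(0x03, b"\x00" + b"\xab" * 4))                          # BIT STRING, placeholder
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 64))
              + "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for label, blob in (("PEM", SAMPLE_PEM), ("DER", SAMPLE_DER),
                        ("truncated DER", SAMPLE_DER[:-3]),
                        ("BER indefinite", b"\x30\x80" + SAMPLE_DER[2:] + b"\x00\x00")):
        print(label, diagnose_csr(blob))
```

Running `diagnose_csr` on the CSR string right before the `cert_request` call turns a vague server-side decode failure into a local message that names the broken element, and the same function accepts DER directly when a caller already has that form.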

Metadata Update from @lvg01:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

That traceback does not look like v4.4. What is the precise server version and platform?

Excuse me, the traceback posted earlier was from an earlier test with ipa 4.2. Here is the correct traceback:

Traceback (most recent call last):
  File "./test", line 105, in <module>
    rec = api.Command['cert_request'](principal=principal, csr=csr)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 823, in forward
     *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 986, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 967, in _call_command
    return command(*params)
   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1117, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1111, in __request
    raise error_class(**kw)
ipalib.errors.CertificateOperationError: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.

Current versions are:

$ uname -a
Linux repo2.zm1.odcnoord.nl 3.10.0-327.36.2.el7.x86_64 #1 SMP Mon Oct 10 23:08:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

Metadata Update from @lvg01:
- Issue close_status updated to: None

7 years ago

@lvg01 that is the client traceback. Do you have the server traceback for v4.4?
Or if not please provide the precise server version and platform.

I don't have the traceback on the server.

rpm -q ipa-server kernel

ipa-server-4.4.0-14.el7.centos.4.x86_64
kernel-3.10.0-514.6.1.el7.x86_64

Complete list:

yum history info 13

Loaded plugins: fastestmirror
Transaction ID : 13
Begin time : Mon Feb 6 14:53:06 2017
Begin rpmdb : 473:eeaa197ecd0bc22b1b491c881b6b44ea4d6cc605
End time : 14:55:44 2017 (158 seconds)
End rpmdb : 580:8896ce9302d384f259067bb3508a6f44714026f7
User : root <root>
Return-Code : Success
Command Line : install ipa-server
Transaction performed with:
Installed rpm-4.11.3-21.el7.x86_64 @base
Installed yum-3.4.3-150.el7.centos.noarch @base
Installed yum-plugin-fastestmirror-1.1.31-40.el7.noarch @base
Packages Altered:
Dep-Install 389-ds-base-1.3.5.10-15.el7_3.x86_64 @updates
Dep-Install alsa-lib-1.1.1-1.el7.x86_64 @base
Dep-Install antlr-tool-2.7.7-30.el7.noarch @base
Dep-Install apache-commons-cli-1.2-13.el7.noarch @base
Dep-Install apache-commons-codec-1.8-7.el7.noarch @base
Dep-Install apache-commons-collections-3.2.1-22.el7_2.noarch @base
Dep-Install apache-commons-daemon-1.0.13-6.el7.x86_64 @base
Dep-Install apache-commons-dbcp-1.4-17.el7.noarch @base
Dep-Install apache-commons-io-1:2.4-12.el7.noarch @base
Dep-Install apache-commons-lang-2.6-15.el7.noarch @base
Dep-Install apache-commons-logging-1.1.2-7.el7.noarch @base
Dep-Install apache-commons-pool-1.6-9.el7.noarch @base
Dep-Install args4j-2.0.16-13.el7.noarch @base
Dep-Install avahi-libs-0.6.31-17.el7.x86_64 @base
Dep-Install avalon-framework-4.3-10.el7.noarch @base
Dep-Install avalon-logkit-2.1-14.el7.noarch @base
Dep-Install bcel-5.2-18.el7.noarch @base
Dep-Install codemodel-2.6-9.el7.noarch @base
Dep-Install cups-libs-1:1.6.3-26.el7.x86_64 @base
Dep-Install custodia-0.1.0-4.el7.noarch @base
Dep-Install dbus-glib-0.100-7.el7.x86_64 @base
Dep-Install dbus-python-1.1.1-9.el7.x86_64 @base
Dep-Install dom4j-1.6.1-20.el7.noarch @base
Dep-Install easymock2-2.5.2-12.el7.noarch @base
Dep-Install geronimo-jms-1.1.1-19.el7.noarch @base
Dep-Install geronimo-jta-1.1.1-17.el7.noarch @base
Dep-Install glassfish-dtd-parser-1.2-0.8.20120120svn.el7.noarch @base
Dep-Install glassfish-fastinfoset-1.2.12-9.el7.noarch @base
Dep-Install glassfish-jaxb-2.2.5-6.el7.noarch @base
Dep-Install glassfish-jaxb-api-2.2.7-4.el7.noarch @base
Dep-Install hamcrest-1.3-6.el7.noarch @base
Dep-Install hsqldb-1:1.8.1.3-14.el7.noarch @base
Dep-Install httpcomponents-client-4.2.5-5.el7_0.noarch @base
Dep-Install httpcomponents-core-4.2.4-6.el7.noarch @base
Dep-Install ipa-admintools-4.4.0-14.el7.centos.4.noarch @updates
Dep-Install ipa-client-4.4.0-14.el7.centos.4.x86_64 @updates
Dep-Install ipa-client-common-4.4.0-14.el7.centos.4.noarch @updates
Dep-Install ipa-common-4.4.0-14.el7.centos.4.noarch @updates
Install ipa-server-4.4.0-14.el7.centos.4.x86_64 @updates
Dep-Install ipa-server-common-4.4.0-14.el7.centos.4.noarch @updates
Dep-Install isorelax-1:0-0.15.release20050331.el7.noarch @base
Dep-Install istack-commons-2.17-4.el7.noarch @base
Dep-Install jackson-1.9.4-7.el7.noarch @base
Dep-Install jakarta-commons-httpclient-1:3.1-16.el7_0.noarch @base
Dep-Install java-1.8.0-openjdk-1:1.8.0.121-0.b13.el7_3.x86_64 @updates
Dep-Install javamail-1.4.6-8.el7.noarch @base
Dep-Install javassist-3.16.1-10.el7.noarch @base
Dep-Install jaxen-1.1.3-11.el7.noarch @base
Dep-Install jboss-annotations-1.1-api-1.0.1-0.6.20120212git76e1a2.el7.noarch @base
Dep-Install jdom-1.1.3-6.el7.noarch @base
Dep-Install jing-20091111-14.el7.noarch @base
Dep-Install joda-convert-1.3-5.el7.noarch @base
Dep-Install joda-time-2.2-3.tzdata2013c.el7.noarch @base
Dep-Install jsr-311-1.1.1-6.el7.noarch @base
Dep-Install jss-4.2.6-42.el7.x86_64 @base
Dep-Install junit-4.11-8.el7.noarch @base
Dep-Install ldapjdk-4.18-16.el7_3.noarch @updates
Dep-Install libsmbclient-4.4.4-12.el7_3.x86_64 @updates
Dep-Install libwbclient-4.4.4-12.el7_3.x86_64 @updates
Dep-Install log4j-1.2.17-15.el7.noarch @base
Dep-Install msv-msv-1:2013.5.1-7.el7.noarch @base
Dep-Install msv-xsdlib-1:2013.5.1-7.el7.noarch @base
Dep-Install objectweb-asm-3.3.1-9.el7.noarch @base
Dep-Install pki-base-10.3.3-16.el7_3.noarch @updates
Dep-Install pki-base-java-10.3.3-16.el7_3.noarch @updates
Dep-Install pki-ca-10.3.3-16.el7_3.noarch @updates
Dep-Install pki-kra-10.3.3-16.el7_3.noarch @updates
Dep-Install pki-server-10.3.3-16.el7_3.noarch @updates
Dep-Install pki-tools-10.3.3-16.el7_3.x86_64 @updates
Dep-Install python-custodia-0.1.0-4.el7.noarch @base
Dep-Install python-decorator-3.4.0-3.el7.noarch @base
Dep-Install python-gssapi-1.2.0-2.el7.x86_64 @base
Dep-Install python-jwcrypto-0.2.1-1.el7.noarch @base
Dep-Install python-netifaces-0.10.4-3.el7.x86_64 @base
Dep-Install python-setuptools-0.9.8-4.el7.noarch @base
Dep-Install python2-ipaclient-4.4.0-14.el7.centos.4.noarch @updates
Dep-Install python2-ipalib-4.4.0-14.el7.centos.4.noarch @updates
Dep-Install python2-ipaserver-4.4.0-14.el7.centos.4.noarch @updates
Dep-Install qdox-1.12.1-10.el7.noarch @base
Dep-Install regexp-1.5-13.el7.noarch @base
Dep-Install resteasy-base-atom-provider-3.0.6-4.el7.noarch @base
Dep-Install resteasy-base-client-3.0.6-4.el7.noarch @base
Dep-Install resteasy-base-jackson-provider-3.0.6-4.el7.noarch @base
Dep-Install resteasy-base-jaxb-provider-3.0.6-4.el7.noarch @base
Dep-Install resteasy-base-jaxrs-3.0.6-4.el7.noarch @base
Dep-Install resteasy-base-jaxrs-api-3.0.6-4.el7.noarch @base
Dep-Install rngom-201103-0.8.20120119svn.el7.noarch @base
Dep-Install samba-client-libs-4.4.4-12.el7_3.x86_64 @updates
Dep-Install samba-common-4.4.4-12.el7_3.noarch @updates
Dep-Install scannotation-1.0.3-0.7.r12.el7.noarch @base
Dep-Install slapi-nis-0.56.0-4.el7.x86_64 @base
Dep-Install sssd-1.14.0-43.el7_3.11.x86_64 @updates
Dep-Install sssd-ad-1.14.0-43.el7_3.11.x86_64 @updates
Dep-Install sssd-common-pac-1.14.0-43.el7_3.11.x86_64 @updates
Dep-Install sssd-ipa-1.14.0-43.el7_3.11.x86_64 @updates
Dep-Install stax-ex-1.7.1-6.el7.noarch @base
Dep-Install tomcat-7.0.69-10.el7.noarch @base
Dep-Install tomcat-lib-7.0.69-10.el7.noarch @base
Dep-Install tomcatjss-7.1.2-3.el7.noarch @base
Dep-Install txw2-20110809-8.el7.noarch @base
Dep-Install velocity-1.7-10.el7.noarch @base
Dep-Install ws-jaxme-0.5.2-10.el7.noarch @base
Dep-Install xalan-j2-2.7.1-23.el7.noarch @base
Dep-Install xerces-j2-2.11.0-17.el7_0.noarch @base
Dep-Install xml-commons-apis-1.4.01-16.el7.noarch @base
Dep-Install xml-commons-resolver-1.2-15.el7.noarch @base
Dep-Install xpp3-1.1.3.8-11.el7.noarch @base

Triage notes: the command can be extended to accept both formats

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue set to the milestone: FreeIPA 4.7 (was: 0.0 NEEDS_TRIAGE)

7 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
