#7292 vault: occasional failures to retrieve archived data
Opened 2 years ago by ftweedal. Modified a year ago


Sometimes the vault tests are failing in CI with:

 test_vault_plugin.test_command[0024: vault_retrieve: Retrieve secret from standard vault converted to symmetric vault]

The related part of kra/debug log contains:

[01/Dec/2017:13:19:03][ajp-nio-]: SecurityDataProcessor.archive wrappedSecurityData: M9YykgoPRbw64yb4scickw==
[01/Dec/2017:13:19:03][ajp-nio-]: EncryptionUnit.decryptExternalPrivate
[01/Dec/2017:13:19:03][ajp-nio-]: EncryptionUnit.encryptInternalPrivate
[01/Dec/2017:13:19:03][ajp-nio-]: Failed to create security data to archive: Failed to generate crypto context

It is nondeterministic where this fails. It happens often in CI, but it is hard to reproduce
in other environments (I ran test_vault_plugin 100 times on my machine; only two test runs failed).

Steps to Reproduce

  1. Hammer the test_vault_plugin tests.
  2. Keep doing that until a failure is observed.


pki-10.5.1-3; freeipa-4.6.90 (master)

Metadata Update from @ftweedal:
- Issue assigned to ftweedal

2 years ago

The problem may be in JSS or NSS. I cannot find any difference in how the method is called
between invocations that fail and ones that succeed, except that a different 16-byte IV is used,
and a different 128-bit AES key is used (which has just been generated).

Java call stack:

org.mozilla.jss.crypto.TokenException: Failed to generate crypto context
        at org.mozilla.jss.pkcs11.PK11Cipher.initContext(Native Method)
        at org.mozilla.jss.pkcs11.PK11Cipher.initEncrypt(PK11Cipher.java:98)
        at com.netscape.cmsutil.crypto.CryptoUtil.encryptUsingSymmetricKey(CryptoUtil.java:2639)
        at com.netscape.kra.StorageKeyUnit.encryptInternalPrivate(StorageKeyUnit.java:1116)
        at com.netscape.kra.SecurityDataProcessor.archive(SecurityDataProcessor.java:237)
        at com.netscape.kra.SecurityDataService.serviceRequest(SecurityDataService.java:57)
        at com.netscape.kra.KRAService.serviceRequest(KRAService.java:96)
        at com.netscape.cmscore.request.ARequestQueue.stateEngine(ARequestQueue.java:615)
        at com.netscape.cmscore.request.ARequestQueue.processRequest(ARequestQueue.java:382)
        at com.netscape.cms.servlet.key.KeyRequestDAO.submitRequest(KeyRequestDAO.java:231)
        at org.dogtagpki.server.kra.rest.KeyRequestService.archiveKey(KeyRequestService.java:153)

It's happening more often on Travis now.

Metadata Update from @cheimes:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.6

2 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.6)

2 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

2 years ago

Hello, any update on this?

Afraid not. Buried by other issues ATM. Keep prodding :)

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

2 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

2 years ago

Metadata Update from @frenaud:
- Issue tagged with: test-failure, tests

a year ago
