#7904 Performance workarounds for cert-find and related commands regress on corner cases
Opened 5 months ago by ftweedal. Modified 5 months ago

Issue

As captured in review comments at https://github.com/freeipa/freeipa/pull/2990.

Related to: https://pagure.io/freeipa/issue/7835 and https://pagure.io/freeipa/issue/7901. The workarounds implemented for #7835
do not handle some edge cases properly, in particular certificates whose Subject DN does
not contain a CN corresponding to the principal. This can be achieved with a profile modification, e.g.

policyset.serverCertSet.1.default.params.name=UID=$request.req_subject_name.cn$, O=EXAMPLE.COM

Comments from the PR are quoted and my further comments follow.

Fraser:

this PR regresses in the subject DN corner case I mentioned above.

We might need to go back to the drawing board on cert-find.

OTOH the scenario that breaks this code is a corner case. It's not the end of the world if we ship this patch as-is. cert-find has a lot of limitations as it is, and this patch may help in the common case.

Christian:

We can either decide to ignore this edge case or somebody has to redesign and rewrite the entire cert_find API. The current implementation doesn't scale at all. Several common cases download all certificates from Dogtag, which puts a lot of stress on 389-DS, Dogtag, and the Python API. The BZ mentions > 100k certs.

I have an idea how to optimize the most critical cases for cert revocation. We can use the fact that host certs, service certs, and user certs are always stored on the host, service, or user LDAP entry. For simple host, service, and user cert search, perform _ldap_search before _ca_search. In _ca_search only retrieve certificates with subject CNs or serial numbers of certs as returned by _ldap_search.

There is one catch: It looks like Dogtag does not support list of serial numbers. :/

My response to above is that certs are not always stored in the principal's userCertificate attribute; it is profile-configurable whether to store the cert on the principal entry or not.

It is also clear that there is no perfect way to determine which certs in Dogtag truly "belong to" some principal. If the certificate is in the userCertificate entry, OK fair enough, we know.

And if the certificate has a KRB5PrincipalName SAN for the principal, OK, fair enough, that's solid - but there is no way to search for that apart from enumerating all certificates. And a cert issued for an IPA principal is not required to have the KRB5 SAN. So we should ignore that case.

My preference is to limit searches for a principal's certificates to exactly those certificates in the principal's userCertificate attribute. Any other heuristic is either (a) prone to false positives (a BIG danger, particularly in revocation case), (b) prone to missing some certificates, (c) not performant with no clear path to making it performant, or some combination of (a) (b) and (c).


There are also some other known issues with cert-find, e.g. the --subject option only searches for CN. Aside from being misleading, there is no way to search for other SDN attributes or a whole SDN.

Other related tickets about cert-find or cert-revoke behaviour and performance:


The overall conclusion is that cert-find and related commands need an overhaul, which may include enhancements in Dogtag as well, to enable better / faster searching.


ipa user-mod --rename is another edge case.

Create a user certificate

# openssl genrsa -out /root/testuser1.key
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
................+++++
e is 65537 (0x010001)
# ipa cert-request --csr-profile-id=userCert --principal=testuser1 --private-key=/root/testuser1.key --certificate-out=/tmp/testuser1.pem
  Issuing CA: ipa  
  Certificate: ...
  Subject: CN=testuser1,O=IPA.EXAMPLE
  Subject email address: testuser@ipa.example
  Issuer: CN=Certificate Authority,O=IPA.EXAMPLE
  Not Before: Tue Apr 09 06:52:37 2019 UTC
  Not After: Fri Apr 09 06:52:37 2021 UTC
  Serial number: 23
  Serial number (hex): 0x17

cert find for user finds the certificate and prints all metadata

# ipa cert-find --user=testuser1
---------------------
1 certificate matched
---------------------
  Issuing CA: ipa  
  Subject: CN=testuser1,O=IPA.EXAMPLE
  Issuer: CN=Certificate Authority,O=IPA.EXAMPLE
  Not Before: Tue Apr 09 08:52:37 2019 UTC
  Not After: Fri Apr 09 08:52:37 2021 UTC
  Serial number: 23
  Serial number (hex): 0x17
  Status: VALID
  Revoked: False   
----------------------------
Number of entries returned 1
----------------------------

Let's rename the user

# ipa user-mod --rename=testuser10 testuser1
-------------------------
Modified user "testuser1"
-------------------------
  User login: testuser10
  First name: Test 
  Last name: User  
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser10@IPA.EXAMPLE
  Principal alias: testuser10@IPA.EXAMPLE, testuser@IPA.EXAMPLE, testuser1@IPA.EXAMPLE
  Email address: testuser@ipa.example
  UID: 487600001   
  GID: 487600001   
  Certificate: ...
  Account disabled: False
  Password: True   
  Member of groups: ipausers
  Member of HBAC rule: allow-testuser-ssh
  Kerberos keys available: True

Now a search for testuser1 no longer returns anything, just as expected

# ipa cert-find --user=testuser1
----------------------
0 certificates matched
----------------------
----------------------------
Number of entries returned 0
----------------------------

A search for testuser10 finds a certificate, but only prints the serial number

# ipa cert-find --user=testuser10
---------------------
1 certificate matched
---------------------
  Serial number: 23
  Serial number (hex): 0x17
----------------------------
Number of entries returned 1
----------------------------
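The two search strategies argued over in this ticket (a subject-CN heuristic against the CA versus limiting results to the serials stored on the principal's userCertificate attribute, resolved in the CA one serial at a time), together with the rename transcript above, can be modelled with a few dicts. The following is an added example and is not FreeIPA or Dogtag code; the CA inventory, the LDAP entries, the helper names (parse_dn, cert_find_cn_heuristic, cert_find_by_entry, cert_find_combined) and the representation of userCertificate by serial number instead of a DER blob are all constructed for illustration. Serial 23 mirrors the renamed testuser1/testuser10 case, serial 42 a certificate issued under the UID=... subject template mentioned at the top of the ticket, and serial 57 a certificate whose profile did not store it on the entry.

```python
"""Constructed model of the cert-find strategies discussed in the ticket.
Added example, not FreeIPA code.  Certificates and LDAP entries are plain
dicts; userCertificate is modelled by the certificate's serial number rather
than the DER blob the real attribute holds."""

import re

# Split on commas that are not backslash-escaped (the only RFC 4514 escaping
# these samples need).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return an RFC 4514 DN string as a list of (ATTR, value) pairs."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition('=')
        pairs.append((attr.strip().upper(), value.replace('\\,', ',')))
    return pairs


def subject_cn(dn):
    """First CN value of a subject DN, or None when the DN has no CN at all
    (e.g. a profile template of UID=$request.req_subject_name.cn$, O=...)."""
    for attr, value in parse_dn(dn):
        if attr == 'CN':
            return value
    return None


# Constructed CA inventory (what a Dogtag search would return).
# 23: issued as CN=testuser1 before "ipa user-mod --rename=testuser10 testuser1".
# 42: issued with a subject template that yields UID=alice and no CN.
# 57: bob's cert, issued by a profile that does not store it on his entry.
CA_CERTS = [
    {"serial": 23, "subject": "CN=testuser1,O=IPA.EXAMPLE"},
    {"serial": 42, "subject": "UID=alice,O=EXAMPLE.COM"},
    {"serial": 57, "subject": "CN=bob,O=IPA.EXAMPLE"},
]

# Constructed LDAP user entries after the rename; there is no testuser1 entry.
LDAP_USERS = {
    "testuser10": {"userCertificate": {23}},
    "alice": {"userCertificate": {42}},
    "bob": {"userCertificate": set()},
}


def ca_search_by_cn(uid):
    """Heuristic: every CA cert whose subject CN equals the login name."""
    return [c for c in CA_CERTS if subject_cn(c["subject"]) == uid]


def ldap_search_serials(uid):
    """Serial numbers of the certificates stored on the user's entry."""
    entry = LDAP_USERS.get(uid)
    return set() if entry is None else set(entry["userCertificate"])


def ca_fetch_by_serials(serials):
    """Dogtag has no serial-list search, so this stands for one lookup per
    serial; the point is that nothing else is enumerated."""
    return [c for c in CA_CERTS if c["serial"] in serials]


def cert_find_cn_heuristic(uid):
    """CN-only search.  Misses certs with no CN and, after a rename, returns
    a cert that now belongs to a different principal (dangerous for revoke)."""
    return [{"serial": c["serial"], "subject": c["subject"]}
            for c in ca_search_by_cn(uid)]


def cert_find_by_entry(uid):
    """LDAP search first, then the CA by exactly those serials.  No false
    positives, but a cert the profile never stored on the entry is missed."""
    certs = ca_fetch_by_serials(ldap_search_serials(uid))
    return [{"serial": c["serial"], "subject": c["subject"]}
            for c in sorted(certs, key=lambda c: c["serial"])]


def cert_find_combined(uid):
    """Union of the two, with CA metadata attached only where the CN search
    hit.  For the renamed user this yields the serial-only result shown in
    the transcript above."""
    by_cn = {c["serial"]: c for c in ca_search_by_cn(uid)}
    results = []
    for serial in sorted(ldap_search_serials(uid) | set(by_cn)):
        cert = by_cn.get(serial)
        results.append({"serial": serial,
                        "subject": cert["subject"] if cert else None})
    return results


if __name__ == "__main__":
    for uid in ("testuser1", "testuser10", "alice", "bob"):
        print(uid, cert_find_cn_heuristic(uid), cert_find_by_entry(uid),
              cert_find_combined(uid))
```

Running it shows the three failure classes side by side: the CN heuristic attributes serial 23 to the non-existent testuser1 and finds nothing for alice, the entry-based search gets testuser10 and alice right but returns nothing for bob, and the combined search reproduces the serial-number-only listing for testuser10 because the LDAP hit has no matching CA hit to supply metadata.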
