#9603 ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check
Closed: fixed 6 months ago by rcritten. Opened 7 months ago by twoerner.

Issue

ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/ca.py#L366

            hsm_validator(
                options.token_name, options.token_library_path,
                options.token_password)

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/ca.py#L416 (only if replica_config is not None)

        if options.token_password_file:
            with open(options.token_password_file, "r") as fd:
                options.token_password = fd.readline().strip()

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/kra.py#L61

if options.token_password_file:
    with open(options.token_password_file, "r") as fd:
        options.token_password = fd.readline().strip()

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/server/install.py#L733

if setup_ca:
    ca.install_check(False, None, options)
if options.setup_kra:
    kra.install_check(api, None, options)

Should it be possible to set token_password_file and token_password at the same time?

It should not be possible to provide both. It should error out if both are set.
Password in a file was added well before the hsm_validator function was added and apparently never tested afterwards. That is the source of this issue.
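To make the ordering problem concrete, the following is an added Python sketch (illustration code, not FreeIPA's installer). The option object, the install_check stand-ins, the ValidationError type and the assumption that hsm_validator fails when handed no password are all constructed here and mirror only the control flow quoted above. install_buggy reproduces the fresh-server path, where ca.install_check calls hsm_validator while token_password is still None and kra.install_check reads the file too late; install_fixed resolves the password once before any validator runs and rejects --token-password together with --token-password-file, which is the mutual exclusion proposed in the reply.

```python
# Added illustration, not FreeIPA code: stand-ins that mirror only the control
# flow quoted in the issue. Names and paths below are placeholders.
import os
import tempfile
from types import SimpleNamespace


class ValidationError(Exception):
    """Stand-in for the installer's option-validation error."""


def hsm_validator(token_name, token_library_path, token_password):
    # Assumption: the real validator logs in to the token, so a missing
    # password makes it fail. That failure is modelled as raising here.
    if token_name and not token_password:
        raise ValidationError("token password is required to validate the HSM token")
    return token_password


def read_token_password_file(path):
    # Same logic as the quoted installer code: first line, stripped.
    with open(path, "r") as fd:
        return fd.readline().strip()


def ca_install_check_buggy(options):
    # As quoted from ca.install_check: validate first, read the file later,
    # and only when installing a replica.
    hsm_validator(options.token_name, options.token_library_path, options.token_password)
    if options.replica_config is not None and options.token_password_file:
        options.token_password = read_token_password_file(options.token_password_file)


def kra_install_check_buggy(options):
    # As quoted from kra.install_check: reads the file unconditionally,
    # but this runs only after the CA check has already validated.
    if options.token_password_file:
        options.token_password = read_token_password_file(options.token_password_file)


def install_buggy(options, setup_ca=True):
    # Order from server/install.py: CA check, then KRA check.
    if setup_ca:
        ca_install_check_buggy(options)
    if options.setup_kra:
        kra_install_check_buggy(options)
    return options.token_password


def resolve_token_password(options):
    # Proposed shape of a fix (not the merged patch): resolve the password
    # once, before any validator runs, and refuse both options together.
    if options.token_password and options.token_password_file:
        raise ValidationError(
            "--token-password and --token-password-file are mutually exclusive")
    if options.token_password_file:
        options.token_password = read_token_password_file(options.token_password_file)
    return options.token_password


def install_fixed(options, setup_ca=True):
    resolve_token_password(options)
    if setup_ca:
        hsm_validator(options.token_name, options.token_library_path, options.token_password)
    return options.token_password


def make_options(**overrides):
    # Constructed options modelling `ipa-server-install --setup-kra` on a
    # fresh server (replica_config is None). Token name/library are placeholders.
    opts = SimpleNamespace(token_name="softhsm",
                           token_library_path="/usr/lib64/pkcs11/libsofthsm2.so",
                           token_password=None, token_password_file=None,
                           replica_config=None, setup_kra=True)
    vars(opts).update(overrides)
    return opts


def demo():
    """Run both flows against a constructed password file; return the outcomes."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fd:
        fd.write("constructed-token-pin\n")  # constructed sample PIN
        path = fd.name
    try:
        try:
            install_buggy(make_options(token_password_file=path))
            buggy = "ok"
        except ValidationError as e:
            buggy = "failed: " + str(e)
        fixed = install_fixed(make_options(token_password_file=path))
        try:
            install_fixed(make_options(token_password="x", token_password_file=path))
            both = "accepted"
        except ValidationError:
            both = "rejected"
    finally:
        os.unlink(path)
    return buggy, fixed, both


if __name__ == "__main__":
    print(demo())
```

Running it shows the three outcomes side by side: the buggy ordering fails validation even though a valid password file was supplied, the fixed ordering reads the file and validates successfully, and supplying both options is rejected up front.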

Metadata Update from @rcritten:
- Issue assigned to rcritten

7 months ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-40890 https://issues.redhat.com/browse/RHEL-40892
- Issue priority set to: normal

7 months ago

token_password_file and token_password should be mutually exclusive.

master:

  • 23de845 Re-organize HSM validation to be more consistent/less duplication
  • a11c843 ipatests: tests related to --token-password-file
  • 8d5461b Include token password options in ipa-kra-install man page

Possibly related issue in test_integration/test_hsm.py::TestHSMcertRenewal::test_certs_renewal manifesting in [testing_master_latest] Nightly PR #3828 - report

INFO ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:436 GET /usr/share/pki/VERSION
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd65:transport.py:513 RUN ['cat', '/usr/share/pki/VERSION']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd65:transport.py:217 Exit code: 0
INFO ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:427 PUT /tmp/token_password
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd66:transport.py:513 RUN ['tee', '/tmp/token_password']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd66:transport.py:217 Exit code: 0
INFO ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:391 RUN ['/usr/bin/certutil', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/tmp/token_passwd', '-L', '-a', '-n', 'wgzLLMJjPU:ocspSigningCert cert-pki-ca', '-h', 'wgzLLMJjPU']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:513 RUN ['/usr/bin/certutil', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/tmp/token_passwd', '-L', '-a', '-n', 'wgzLLMJjPU:ocspSigningCert cert-pki-ca', '-h', 'wgzLLMJjPU']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:557 No password file "/tmp/token_passwd" exists.
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:557 certutil: could not authenticate to token wgzLLMJjPU.: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:217 Exit code: 255
ERROR ipatests.pytest_ipa.integration.host.Host.master.cmd67:host.py:201 stderr: No password file "/tmp/token_passwd" exists.
certutil: could not authenticate to token wgzLLMJjPU.: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.

ipa-4-12:

  • 7ab1bcb Re-organize HSM validation to be more consistent/less duplication
  • 4ea1ad6 ipatests: tests related to --token-password-file
  • 6c53a22 Include token password options in ipa-kra-install man page

Metadata Update from @frenaud:
- Issue tagged with: test-failure

6 months ago

master:

  • fd5ce0c ipatests: Fix usage of token_password_file

ipa-4-12:

  • f03a96a ipatests: Fix usage of token_password_file

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago
