[Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python

Martin Basti mbasti at redhat.com
Tue Jan 12 11:17:49 UTC 2016



On 12.01.2016 10:19, Jan Cholasta wrote:
> On 12.1.2016 09:32, Martin Basti wrote:
>>
>>
>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>>
>>>> Combined with my patch 536 [1], this makes ipapython architecture
>>>> independent.
>>>
>>> Updated patch attached.
>>>
>>>
>>>
>> I tried to run DNSSEC tests and it failed unexpectedly:
>>
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: Connected
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0xd8538e634797420ca86cda420234443c'])
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0x1f7241a64d69ced6c0a14f6999410c59'])
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: label=dnssec-replica:replica1.ipa.test., id=d8538e634797420ca86cda420234443c, data=30820122300d06092a864886f70d01010105
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most recent call last):
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in <module>
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 313, in ldap2master_replica_keys_sync
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 173, in import_public_key
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = self.p11.import_public_key(**params)
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in import_public_key
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = d2i_PUBKEY(NULL, data_ptr, data_length)
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
>>
>> I haven't seen any other errors
>
> Updated patch attached. Added a patch which replaces calls to 
> libcrypto with calls to python-cryptography.
>

[ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring DNS (named).
[ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS key synchronization service (ipa-dnskeysyncd)
[ipa.ipatests.test_integration.host.Host.master.cmd10]   [1/7]: checking status
[ipa.ipatests.test_integration.host.Host.master.cmd10]   [2/7]: setting up bind-dyndb-ldap working directory
[ipa.ipatests.test_integration.host.Host.master.cmd10]   [3/7]: setting up kerberos principal
[ipa.ipatests.test_integration.host.Host.master.cmd10]   [4/7]: setting up SoftHSM
[ipa.ipatests.test_integration.host.Host.master.cmd10]   [5/7]: adding DNSSEC containers
[ipa.ipatests.test_integration.host.Host.master.cmd10]   [6/7]: creating replica keys
[ipa.ipatests.test_integration.host.Host.master.cmd10]   [error] Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
[ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
[ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1

ipa-server-install.log
....
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 436, in run_step
     method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 342, in __setup_replica_keys
     public_key_blob = p11.export_public_key(public_key_handle)
   File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1275, in export_public_key
     return self._export_RSA_public_key(object)
   File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1240, in _export_RSA_public_key
     raise Error("export_RSA_public_key: internal error: "

2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, exception: Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed



