[Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python

Martin Basti mbasti at redhat.com
Wed Jan 20 12:51:37 UTC 2016



On 19.01.2016 11:43, Jan Cholasta wrote:
> On 12.1.2016 16:06, Martin Basti wrote:
>>
>>
>> On 12.01.2016 14:44, Jan Cholasta wrote:
>>> On 12.1.2016 13:32, Martin Basti wrote:
>>>>
>>>>
>>>> On 12.01.2016 12:24, Jan Cholasta wrote:
>>>>> On 12.1.2016 12:17, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 12.01.2016 10:19, Jan Cholasta wrote:
>>>>>>> On 12.1.2016 09:32, Martin Basti wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>>>>>>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> the attached patch ports the _ipap11helper module to 
>>>>>>>>>> python-cffi.
>>>>>>>>>>
>>>>>>>>>> Combined with my patch 536 [1], this makes ipapython 
>>>>>>>>>> architecture
>>>>>>>>>> independent.
>>>>>>>>>
>>>>>>>>> Updated patch attached.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> I tried to run DNSSEC tests and it failed unexpectedly:
>>>>>>>>
>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>> Connected
>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>> replica pub keys in LDAP: 
>>>>>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>>>>>>> '0xd8538e634797420ca86cda420234443c'])
>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>> replica pub keys in SoftHSM:
>>>>>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>>>>>>> '0x1f7241a64d69ced6c0a14f6999410c59'])
>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>> new replica keys in LDAP:
>>>>>>>> set(['0xd8538e634797420ca86cda420234443c'])
>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>> label=dnssec-replica:replica1.ipa.test.,
>>>>>>>> id=d8538e634797420ca86cda420234443c,
>>>>>>>> data=30820122300d06092a864886f70d01010105
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback
>>>>>>>> (most
>>>>>>>> recent call last):
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in <module>
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>>>>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in
>>>>>>>> ldap2master_replica_keys_sync
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>>>>>>> localhsm.import_public_key(new_key_ldap,
>>>>>>>> new_key_ldap['ipapublickey'])
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py",
>>>>>>>> line
>>>>>>>> 173, in import_public_key
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h =
>>>>>>>> self.p11.import_public_key(**params)
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
>>>>>>>> 1498, in
>>>>>>>> import_public_key
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey =
>>>>>>>> d2i_PUBKEY(NULL, data_ptr, data_length)
>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError:
>>>>>>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]:
>>>>>>>> ipa-ods-exporter.service:
>>>>>>>> Main process exited, code=exited, status=1/FAILURE
>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]:
>>>>>>>> ipa-ods-exporter.service:
>>>>>>>> Unit entered failed state.
>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]:
>>>>>>>> ipa-ods-exporter.service:
>>>>>>>> Failed with result 'exit-code'.
>>>>>>>>
>>>>>>>> I haven't seen any other errors
>>>>>>>
>>>>>>> Updated patch attached. Added a patch which replaces calls to
>>>>>>> libcrypto with calls to python-cryptography.
>>>>>>>
>>>>>>
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done
>>>>>> configuring
>>>>>> DNS (named).
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] 
>>>>>> Configuring DNS
>>>>>> key synchronization service (ipa-dnskeysyncd)
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: 
>>>>>> checking
>>>>>> status
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: 
>>>>>> setting
>>>>>> up bind-dyndb-ldap working directory
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: 
>>>>>> setting
>>>>>> up kerberos principal
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: 
>>>>>> setting
>>>>>> up SoftHSM
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding
>>>>>> DNSSEC containers
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: 
>>>>>> creating
>>>>>> replica keys
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] 
>>>>>> Error:
>>>>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10]
>>>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR
>>>>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10]
>>>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR The
>>>>>> ipa-server-install command failed. See 
>>>>>> /var/log/ipaserver-install.log
>>>>>> for more information
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1
>>>>>>
>>>>>> ipa-server-install.log
>>>>>> ....
>>>>>>    File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>>> line 436, in run_step
>>>>>>      method()
>>>>>>    File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>> line 342, in __setup_replica_keys
>>>>>>      public_key_blob = p11.export_public_key(public_key_handle)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py",
>>>>>> line
>>>>>> 1275, in export_public_key
>>>>>>      return self._export_RSA_public_key(object)
>>>>>>    File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py",
>>>>>> line
>>>>>> 1240, in _export_RSA_public_key
>>>>>>      raise Error("export_RSA_public_key: internal error: "
>>>>>>
>>>>>> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed,
>>>>>> exception: Error: export_RSA_public_key: internal error:
>>>>>> EVP_PKEY_set1_RSA failed
>>>>>> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error:
>>>>>> EVP_PKEY_set1_RSA failed
>>>>>
>>>>> Updated patch 538 attached.
>>>>>
>>>> Jan 12 12:31:43 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP:
>>>> set(['0xf5edad67436d0ed36b75c3a70216fa43',
>>>> '0x7164a931484d505f1e249e3dcbc313e2'])
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM:
>>>> set(['0xf5edad67436d0ed36b75c3a70216fa43',
>>>> '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP:
>>>> set([])
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in 
>>>> local
>>>> HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7'])
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback 
>>>> (most
>>>> recent call last):
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in <module>
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 321, in
>>>> ldap2master_replica_keys_sync
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>> localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line
>>>> 65, in __setitem__
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return
>>>> self.p11.set_attribute(self.handle, attrs_name2id[key], value)
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 
>>>> 1661, in
>>>> set_attribute
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>> sizeof(CK_ATTRIBUTE)))
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an
>>>> integer is required
>>>> Jan 12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>>> Main process exited, code=exited, status=1/FAILURE
>>>>
>>>
>>> Updated patch 537 attached.
>>>
>> Jan 12 15:04:10 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: Connected
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in LDAP:
>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in SoftHSM:
>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: new replica keys in LDAP: 
>> set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: obsolete replica keys in local
>> HSM: set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: keys in local HSM & LDAP:
>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: Updating attribute
>> ipk11verifyrecover from "1" to "False"
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in local HSM: 
>> set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in LDAP HSM: 
>> set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: new master keys in local HSM:
>> set([])
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: Traceback (most
>> recent call last):
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/libexec/ipa/ipa-ods-exporter", line 665, in <module>
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/libexec/ipa/ipa-ods-exporter", line 340, in
>> master2ldap_master_keys_sync
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: 
>> ldapkeydb.flush()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 311, in flush
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> self._update_keys()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 307, in _update_keys
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: 
>> key._update_key()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 179, in _update_key
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> self._cleanup_key()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 170, in _cleanup_key
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: if
>> self.get(attr, empty) == default_attrs[attr]:
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib64/python2.7/_abcoll.py", line 382, in get
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: return 
>> self[key]
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 132, in __getitem__
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: val =
>> ldap_bool(val)
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 39, in ldap_bool
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: raise
>> AssertionError('invalid LDAP boolean "%s"' % val)
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: AssertionError:
>> invalid LDAP boolean "1"
>> Jan 12 15:04:11 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>> Main process exited, code=exited, status=1/FAILURE
>>
>>
>> You can run the dnssec test, it has been fixed.
>
> Updated patches attached. The test now passes.
>
Hello,

pkcs11helper tests passed
DNSSEC tests passed

1)
Slot is an unused argument here:

    def __init__(self, slot, user_pin, library_path):
        self.p11_ptr = new_ptr(CK_FUNCTION_LIST_PTR)
        self.session_ptr = new_ptr(CK_SESSION_HANDLE)

        self.slot = 0

2)
shouldn't string_to_pybytes_or_none raise an exception instead of returning 
None? In a C extension returning NULL means error, and an exception was 
raised by Python itself when the function ended by returning NULL.

in export_wrapped_key method

         result = string_to_pybytes_or_none(wrapped_key, 
wrapped_key_len_ptr[0])
         return result

In this case method returns None instead of raising exception.

Also I think that in the _export_RSA_public_key method, 
string_to_pybytes_or_none should raise an exception when it gets NULL as 
the string, too.

3)
Is it possible to remove the build dependencies added in commit c909690c?
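To illustrate review point 2 (a NULL return from C surfacing as a silent None instead of an exception), here is an added example that is not part of the patch or of ipapython. It uses ctypes as a stand-in for the cffi pointers the port uses (an assumption for the sake of a dependency-free example); the helper names string_to_pybytes_or_none, export_wrapped_key and the Error class follow the names in the thread, and the wrapped-key bytes are constructed sample input, not a real key.

```python
import ctypes


class Error(Exception):
    """Raised when the underlying C call signals failure by returning NULL."""


def string_to_pybytes_or_none(ptr, length):
    """Copy `length` bytes from a C buffer into a Python bytes object.

    A NULL pointer is mapped to None. This is the behaviour the review
    comment objects to: every caller must remember to check for None,
    and export_wrapped_key in the thread does not.
    """
    if not ptr:                      # a NULL ctypes pointer is falsy
        return None
    return ctypes.string_at(ptr, length)


def string_to_pybytes(ptr, length):
    """Like string_to_pybytes_or_none, but NULL becomes an exception.

    This mirrors the C extension convention: NULL means error, and the
    error surfaces at the call site instead of as a silent None that a
    later caller would try to use as key material.
    """
    if not ptr:
        raise Error("internal error: C function returned NULL")
    return ctypes.string_at(ptr, length)


def export_wrapped_key(wrapped_key_ptr, wrapped_key_len):
    """Stand-in for the tail of export_wrapped_key discussed in the review."""
    return string_to_pybytes(wrapped_key_ptr, wrapped_key_len)


# Constructed sample input: a short buffer standing in for a wrapped key
# returned by the PKCS#11 library (assumption: not real key data).
SAMPLE_WRAPPED_KEY = b"\x30\x82\x01\x22\x30\x0d\x06\x09"
_sample_buf = ctypes.create_string_buffer(SAMPLE_WRAPPED_KEY,
                                          len(SAMPLE_WRAPPED_KEY))
SAMPLE_PTR = ctypes.cast(_sample_buf, ctypes.POINTER(ctypes.c_ubyte))
NULL_PTR = ctypes.POINTER(ctypes.c_ubyte)()   # NULL pointer


def demo():
    """Return (bytes from a valid pointer, result of the _or_none helper on
    NULL, whether the raising helper raised on NULL)."""
    ok = export_wrapped_key(SAMPLE_PTR, len(SAMPLE_WRAPPED_KEY))
    none_result = string_to_pybytes_or_none(NULL_PTR, 16)
    try:
        export_wrapped_key(NULL_PTR, 16)
        raised = False
    except Error:
        raised = True
    return ok, none_result, raised


if __name__ == "__main__":
    print(demo())
```

Calling demo() returns the copied bytes for the valid pointer, None for the non-raising helper on NULL, and True because the raising variant turned the NULL into an Error; that last path is the one the review asks for, so that a failed wrap or export stops the caller instead of handing it None.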
