[Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python

Jan Cholasta jcholast at redhat.com
Tue Jan 12 11:24:13 UTC 2016


On 12.1.2016 12:17, Martin Basti wrote:
>
>
> On 12.01.2016 10:19, Jan Cholasta wrote:
>> On 12.1.2016 09:32, Martin Basti wrote:
>>>
>>>
>>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>>>
>>>>> Combined with my patch 536 [1], this makes ipapython architecture
>>>>> independent.
>>>>
>>>> Updated patch attached.
>>>>
>>>>
>>>>
>>> I tried to run DNSSEC tests and it failed unexpectedly:
>>>
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> Connected
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>> '0xd8538e634797420ca86cda420234443c'])
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>> '0x1f7241a64d69ced6c0a14f6999410c59'])
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> label=dnssec-replica:replica1.ipa.test.,
>>> id=d8538e634797420ca86cda420234443c,
>>> data=30820122300d06092a864886f70d01010105
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most
>>> recent call last):
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in <module>
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in
>>> ldap2master_replica_keys_sync
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>> localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line
>>> 173, in import_public_key
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h =
>>> self.p11.import_public_key(**params)
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in
>>> import_public_key
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey =
>>> d2i_PUBKEY(NULL, data_ptr, data_length)
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError:
>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>> Main process exited, code=exited, status=1/FAILURE
>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>> Unit entered failed state.
>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>> Failed with result 'exit-code'.
>>>
>>> I haven't seen any other errors
>>
>> Updated patch attached. Added a patch which replaces calls to
>> libcrypto with calls to python-cryptography.
>>
>
> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring
> DNS (named).
> [ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS
> key synchronization service (ipa-dnskeysyncd)
> [ipa.ipatests.test_integration.host.Host.master.cmd10]   [1/7]: checking
> status
> [ipa.ipatests.test_integration.host.Host.master.cmd10]   [2/7]: setting
> up bind-dyndb-ldap working directory
> [ipa.ipatests.test_integration.host.Host.master.cmd10]   [3/7]: setting
> up kerberos principal
> [ipa.ipatests.test_integration.host.Host.master.cmd10]   [4/7]: setting
> up SoftHSM
> [ipa.ipatests.test_integration.host.Host.master.cmd10]   [5/7]: adding
> DNSSEC containers
> [ipa.ipatests.test_integration.host.Host.master.cmd10]   [6/7]: creating
> replica keys
> [ipa.ipatests.test_integration.host.Host.master.cmd10]   [error] Error:
> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
> [ipa.ipatests.test_integration.host.Host.master.cmd10]
> ipa.ipapython.install.cli.install_tool(Server): ERROR
> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
> [ipa.ipatests.test_integration.host.Host.master.cmd10]
> ipa.ipapython.install.cli.install_tool(Server): ERROR    The
> ipa-server-install command failed. See /var/log/ipaserver-install.log
> for more information
> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1
>
> ipa-server-install.log
> ....
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 436, in run_step
>      method()
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
> line 342, in __setup_replica_keys
>      public_key_blob = p11.export_public_key(public_key_handle)
>    File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
> 1275, in export_public_key
>      return self._export_RSA_public_key(object)
>    File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
> 1240, in _export_RSA_public_key
>      raise Error("export_RSA_public_key: internal error: "
>
> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed,
> exception: Error: export_RSA_public_key: internal error:
> EVP_PKEY_set1_RSA failed
> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error:
> EVP_PKEY_set1_RSA failed

Updated patch 538 attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-537.2-ipapython-port-p11helper-C-code-to-Python.patch
Type: text/x-patch
Size: 163318 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160112/494d8eba/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-538.1-ipapython-use-python-cryptography-instead-of-libcryp.patch
Type: text/x-patch
Size: 15038 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160112/494d8eba/attachment-0001.bin>

