[Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid
Rob Crittenden
rcritten at redhat.com
Thu Jun 9 14:32:14 UTC 2016
Fraser Tweedale wrote:
> On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:
>>
>>
>> On 09.06.2016 15:03, Martin Basti wrote:
>>>
>>>
>>> On 09.06.2016 15:02, Stanislav Laznicka wrote:
>>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote:
>>>>> Stanislav Laznicka wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Please see the attached patch of
>>>>>> https://fedorahosted.org/freeipa/ticket/5797.
>>>>>>
>>>>>> Standa
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Just wondering out loud but should usercertificate be excluded
>>>>> from the output if it is unparsable? Is there any value in
>>>>> showing that a bogus value is in there?
>>>>>
>>>>> rob
>>>> I think it is a good pointer that something has gone wrong with the
>>>> certificate. Another way would be to print 'Invalid certificate'
>>>> instead of it similar to what Apache LDAP Browser does.
>>>>
>>>
>>> We can return a warning message that something with certificates is
>>> broken.
>>>
>>> Martin^2
>>>
>> And you should log it at error log level, because it is error
>>
> Is the data from LDAP actually invalid? It should not be possible
> to store data that is not a syntactically valid X.509 cert in the
> userCertificate attribute (if it is, we should file a ticket against
> 389).
>
> Is there a full traceback for the original error of #5797? What is
> the datum that is the immediate cause of the error and what happens
> to it between the database and the function that throws?
>
> Could it be a python3 bytes/str problem originating in
> x509.normalize_certificate?
>
> Cheers,
> Fraser
>
A cert can get in several different ways. IPA sure tries hard not to
allow bad certs but I guess they can happen:
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at GREYOAK.COM
SASL SSF: 56
SASL data security layer installed.
dn:
krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com
changetype: modify
add: usercertificate
usercertificate: foo
modifying entry
"krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com"
$ ipa service-show cert/slithy.greyoak.com
ipa: ERROR: Certificate format error: (SEC_ERROR_INVALID_ARGS) security
library: invalid arguments.
No traceback, it's a caught error:
[Thu Jun 09 10:27:58.642749 2016] [wsgi:error] [pid 19694] ipa: INFO:
[jsonserver_session] admin at GREYOAK.COM:
service_mod(u'cert/slithy.greyoak.com at GREYOAK.COM',
addattr=(u'usercertificate=Zm9vCg==',), rights=False, all=False,
raw=False, version=u'2.156', no_members=False): CertificateFormatError
And interestingly, I can't delete the service and there I _do_ get a
traceback.
[Thu Jun 09 10:29:34.236210 2016] [wsgi:error] [pid 19694] ipa: INFO:
[jsonserver_session] admin at GREYOAK.COM:
service_show(u'cert/slithy.greyoak.com at GREYOAK.COM', rights=False,
all=False, raw=False, version=u'2.156', no_members=False):
CertificateFormatError
[Thu Jun 09 10:30:55.692025 2016] [wsgi:error] [pid 19693] ipa: INFO:
Problem decoding certificate: Certificate format error:
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.770495 2016] [wsgi:error] [pid 19693] ipa: ERROR:
non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.770527 2016] [wsgi:error] [pid 19693] Traceback
(most recent call last):
[Thu Jun 09 10:30:55.770534 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in
wsgi_execute
[Thu Jun 09 10:30:55.770541 2016] [wsgi:error] [pid 19693] result =
self.Command[name](*args, **options)
[Thu Jun 09 10:30:55.770547 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__
[Thu Jun 09 10:30:55.770552 2016] [wsgi:error] [pid 19693] ret =
self.run(*args, **options)
[Thu Jun 09 10:30:55.770558 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run
[Thu Jun 09 10:30:55.770563 2016] [wsgi:error] [pid 19693] return
self.execute(*args, **options)
[Thu Jun 09 10:30:55.770569 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
1626, in execute
[Thu Jun 09 10:30:55.770575 2016] [wsgi:error] [pid 19693]
delete_entry(pkey)
[Thu Jun 09 10:30:55.770580 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
1579, in delete_entry
[Thu Jun 09 10:30:55.770585 2016] [wsgi:error] [pid 19693] dn =
callback(self, ldap, dn, *nkeys, **options)
[Thu Jun 09 10:30:55.770591 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 594,
in pre_callback
[Thu Jun 09 10:30:55.770597 2016] [wsgi:error] [pid 19693]
revoke_certs(entry_attrs.get('usercertificate', []), self.log)
[Thu Jun 09 10:30:55.770617 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 258,
in revoke_certs
[Thu Jun 09 10:30:55.770625 2016] [wsgi:error] [pid 19693] serial =
unicode(x509.get_serial_number(cert, x509.DER))
[Thu Jun 09 10:30:55.770631 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/x509.py", line 183, in
get_serial_number
[Thu Jun 09 10:30:55.770637 2016] [wsgi:error] [pid 19693] nsscert =
load_certificate(certificate, datatype, dbdir)
[Thu Jun 09 10:30:55.770642 2016] [wsgi:error] [pid 19693] File
"/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in
load_certificate
[Thu Jun 09 10:30:55.770648 2016] [wsgi:error] [pid 19693] return
nss.Certificate(buffer(data))
[Thu Jun 09 10:30:55.770653 2016] [wsgi:error] [pid 19693] NSPRError:
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.771242 2016] [wsgi:error] [pid 19693] ipa: INFO:
[jsonserver_session] admin at GREYOAK.COM:
service_del((u'cert/slithy.greyoak.com at GREYOAK.COM',), continue=False,
version=u'2.156'): NSPRError
rob
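A defender-side sketch of the handling this thread converges on: do not fail a *-show/*-find on an unparseable userCertificate value, show a placeholder and log at error level instead, and hand the bad indexes to the delete path so revocation can skip them. This is an added example, not FreeIPA code; the DER structural check is an assumed stand-in for the NSS parse in x509.load_certificate, and all function names are hypothetical.

```python
import base64
import logging
log = logging.getLogger("ipa.usercertificate")
# Placeholder text proposed in the thread instead of echoing the bogus value.
INVALID_PLACEHOLDER = "Invalid certificate"
def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, body_offset) or None."""
    if pos >= len(buf):
        return None
    first, pos = buf[pos], pos + 1
    if first < 0x80:                                  # short form
        return first, pos
    n = first & 0x7F                                  # long form: n length octets
    if n == 0 or n > 4 or pos + n > len(buf):
        return None                                   # indefinite/oversized: not DER
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80 or (n > 1 and length >> (8 * (n - 1)) == 0):
        return None                                   # non-minimal encoding: not DER
    return length, pos + n

def looks_like_der_certificate(data):
    """Structural sanity check (assumed stand-in for the NSS load in
    x509.load_certificate), not full X.509 parsing: an outer SEQUENCE covering
    exactly the buffer, whose first element is a SEQUENCE (tbsCertificate)."""
    if not data or data[0] != 0x30:
        return False
    outer = _der_length(data, 1)
    if outer is None:
        return False
    length, body = outer
    return body < len(data) and body + length == len(data) and data[body] == 0x30

def sanitize_usercertificate(values):
    """Split raw userCertificate values into displayable entries. Bogus values are
    logged at ERROR and shown as the placeholder so *-show/*-find still returns the
    entry; their indexes come back so a *-del path can skip revoking them."""
    display, bad = [], []
    for i, value in enumerate(values):
        if looks_like_der_certificate(value):
            display.append(base64.b64encode(value).decode("ascii"))
        else:
            log.error("Problem decoding certificate value %d: not DER X.509", i)
            display.append(INVALID_PLACEHOLDER)
            bad.append(i)
    return display, bad

# Constructed samples: "foo\n" is the datum in the log above; WELLFORMED is SEQUENCE{SEQUENCE{INTEGER 1}}.
BOGUS = base64.b64decode("Zm9vCg==")
WELLFORMED = bytes.fromhex("30053003020101")
TRUNCATED = WELLFORMED[:3]                            # outer length claims more than is present
```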