[Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid

Rob Crittenden rcritten at redhat.com
Thu Jun 9 14:32:14 UTC 2016


Fraser Tweedale wrote:
> On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:
>>
>>
>> On 09.06.2016 15:03, Martin Basti wrote:
>>>
>>>
>>> On 09.06.2016 15:02, Stanislav Laznicka wrote:
>>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote:
>>>>> Stanislav Laznicka wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Please see the attached patch of
>>>>>> https://fedorahosted.org/freeipa/ticket/5797.
>>>>>>
>>>>>> Standa
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Just wondering out loud but should usercertificate be excluded
>>>>> from the output if it is unparsable? Is there any value in
>>>>> showing that a bogus value is in there?
>>>>>
>>>>> rob
>>>> I think it is a good pointer that something has gone wrong with the
>>>> certificate. Another way would be to print 'Invalid certificate'
>>>> instead of it similar to what Apache LDAP Browser does.
>>>>
>>>
>>> We can return a warning message that something with certificates is
>>> broken.
>>>
>>> Martin^2
>>>
>> And you should log it at error log level, because it is error
>>
> Is the data from LDAP actually invalid?  It should not be possible
> to store data that is not a syntactically valid X.509 cert in the
> userCertificate attribute (if it is, we should file a ticket against
> 389).
>
> Is there a full traceback for the original error of #5797?  What is
> the datum that is the immediate cause of the error and what happens
> to it between the database and the function that throws?
>
> Could it be a python3 bytes/str problem originating in
> x509.normalize_certificate?
>
> Cheers,
> Fraser
>

A cert can get in several different ways. IPA sure tries hard not to 
allow bad certs but I guess they can happen:

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at GREYOAK.COM
SASL SSF: 56
SASL data security layer installed.
dn: krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com
changetype: modify
add: usercertificate
usercertificate: foo

modifying entry "krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com"

$ ipa service-show cert/slithy.greyoak.com
ipa: ERROR: Certificate format error: (SEC_ERROR_INVALID_ARGS) security 
library: invalid arguments.

No traceback, it's a caught error:

[Thu Jun 09 10:27:58.642749 2016] [wsgi:error] [pid 19694] ipa: INFO: 
[jsonserver_session] admin at GREYOAK.COM: 
service_mod(u'cert/slithy.greyoak.com at GREYOAK.COM', 
addattr=(u'usercertificate=Zm9vCg==',), rights=False, all=False, 
raw=False, version=u'2.156', no_members=False): CertificateFormatError

And interestingly, I can't delete the service and there I _do_ get a 
traceback.

[Thu Jun 09 10:29:34.236210 2016] [wsgi:error] [pid 19694] ipa: INFO: 
[jsonserver_session] admin at GREYOAK.COM: 
service_show(u'cert/slithy.greyoak.com at GREYOAK.COM', rights=False, 
all=False, raw=False, version=u'2.156', no_members=False): 
CertificateFormatError
[Thu Jun 09 10:30:55.692025 2016] [wsgi:error] [pid 19693] ipa: INFO: 
Problem decoding certificate: Certificate format error: 
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.770495 2016] [wsgi:error] [pid 19693] ipa: ERROR: 
non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.770527 2016] [wsgi:error] [pid 19693] Traceback 
(most recent call last):
[Thu Jun 09 10:30:55.770534 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in 
wsgi_execute
[Thu Jun 09 10:30:55.770541 2016] [wsgi:error] [pid 19693]     result = 
self.Command[name](*args, **options)
[Thu Jun 09 10:30:55.770547 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__
[Thu Jun 09 10:30:55.770552 2016] [wsgi:error] [pid 19693]     ret = 
self.run(*args, **options)
[Thu Jun 09 10:30:55.770558 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run
[Thu Jun 09 10:30:55.770563 2016] [wsgi:error] [pid 19693]     return 
self.execute(*args, **options)
[Thu Jun 09 10:30:55.770569 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 
1626, in execute
[Thu Jun 09 10:30:55.770575 2016] [wsgi:error] [pid 19693] 
delete_entry(pkey)
[Thu Jun 09 10:30:55.770580 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 
1579, in delete_entry
[Thu Jun 09 10:30:55.770585 2016] [wsgi:error] [pid 19693]     dn = 
callback(self, ldap, dn, *nkeys, **options)
[Thu Jun 09 10:30:55.770591 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 594, 
in pre_callback
[Thu Jun 09 10:30:55.770597 2016] [wsgi:error] [pid 19693] 
revoke_certs(entry_attrs.get('usercertificate', []), self.log)
[Thu Jun 09 10:30:55.770617 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 258, 
in revoke_certs
[Thu Jun 09 10:30:55.770625 2016] [wsgi:error] [pid 19693]     serial = 
unicode(x509.get_serial_number(cert, x509.DER))
[Thu Jun 09 10:30:55.770631 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/x509.py", line 183, in 
get_serial_number
[Thu Jun 09 10:30:55.770637 2016] [wsgi:error] [pid 19693]     nsscert = 
load_certificate(certificate, datatype, dbdir)
[Thu Jun 09 10:30:55.770642 2016] [wsgi:error] [pid 19693]   File 
"/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in 
load_certificate
[Thu Jun 09 10:30:55.770648 2016] [wsgi:error] [pid 19693]     return 
nss.Certificate(buffer(data))
[Thu Jun 09 10:30:55.770653 2016] [wsgi:error] [pid 19693] NSPRError: 
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.771242 2016] [wsgi:error] [pid 19693] ipa: INFO: 
[jsonserver_session] admin at GREYOAK.COM: 
service_del((u'cert/slithy.greyoak.com at GREYOAK.COM',), continue=False, 
version=u'2.156'): NSPRError

rob
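As an added example (not FreeIPA code and not from anyone in this thread), a defensive decode of a multi-valued userCertificate that turns junk values such as the "foo" above into warnings instead of a CertificateFormatError, in the spirit of the warning approach discussed earlier. The structural DER check and the SAMPLE_CERT skeleton are constructed for illustration only; a real implementation would pass the surviving values to an X.509 parser.

```python
import base64

def _der_tlv(data, offset=0):
    """Parse one DER tag/length at offset; return (tag, value_start, value_end) or None if malformed."""
    if offset + 1 >= len(data):
        return None
    tag, first, pos = data[offset], data[offset + 1], offset + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            return None  # indefinite or absurd length: not DER
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    return (tag, pos, end) if end <= len(data) else None

def looks_like_der_certificate(der):
    """Structural check only: SEQUENCE { tbs SEQUENCE, sigAlg SEQUENCE, sig BIT STRING } spanning the value."""
    outer = _der_tlv(der)
    if outer is None or outer[0] != 0x30 or outer[2] != len(der):
        return False
    pos, end = outer[1], outer[2]
    for tag in (0x30, 0x30, 0x03):
        inner = _der_tlv(der, pos)
        if inner is None or inner[0] != tag:
            return False
        pos = inner[2]
    return pos == end

def split_usercertificate(values):
    """Separate plausible DER certs from junk; junk becomes a warning, never an exception."""
    valid, warnings = [], []
    for idx, der in enumerate(values):
        if looks_like_der_certificate(der):
            valid.append(der)
        else:
            warnings.append("usercertificate[%d]: not a DER certificate (%d bytes, starts with %r)" % (idx, len(der), der[:4]))
    return valid, warnings

def _der_encode(tag, body):
    assert len(body) < 0x80  # short-form length is enough for the constructed sample
    return bytes([tag, len(body)]) + body

# Constructed skeleton carrying only the outer framing of a certificate (not a real cert).
SAMPLE_CERT = _der_encode(0x30, _der_encode(0x30, b"\x02\x01\x01")      # tbsCertificate placeholder
                          + _der_encode(0x30, b"\x06\x03\x2a\x03\x04")  # signatureAlgorithm placeholder
                          + _der_encode(0x03, b"\x00\xde\xad"))         # signatureValue BIT STRING
BOGUS_FROM_LOG = base64.b64decode("Zm9vCg==")  # the addattr value in the log above, i.e. b"foo\n"
```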
