Fraser Tweedale wrote:
On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:
On 09.06.2016 15:03, Martin Basti wrote:


On 09.06.2016 15:02, Stanislav Laznicka wrote:
On 06/09/2016 02:51 PM, Rob Crittenden wrote:
Stanislav Laznicka wrote:
Hello,

Please see the attached patch of
https://fedorahosted.org/freeipa/ticket/5797.

Standa
Just wondering out loud but should usercertificate be excluded
from the output if it is unparsable? Is there any value in
showing that a bogus value is in there?

rob
I think it is a good pointer that something has gone wrong with the
certificate. Another way would be to print 'Invalid certificate'
instead of it similar to what Apache LDAP Browser does.


We can return a warning message that something with certificates is
broken.

Martin^2

And you should log it at error log level, because it is error

Is the data from LDAP actually invalid?  It should not be possible
to store data that is not a syntactically valid X.509 cert in the
userCertificate attribute (if it is, we should file a ticket against
389).

Is there a full traceback for the original error of #5797?  What is
the datum that is the immediate cause of the error and what happens
to it between the database and the function that throws?

Could it be a python3 bytes/str problem originating in
x509.normalize_certificate?

Cheers,
Fraser


A cert can get in several different ways. IPA sure tries hard not to allow bad certs but I guess they can happen:

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@greyoak.com
SASL SSF: 56
SASL data security layer installed.
dn: krbprincipalname=cert/slithy.greyoak....@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com
changetype: modify
add: usercertificate
usercertificate: foo

modifying entry "krbprincipalname=cert/slithy.greyoak....@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com"

$ ipa service-show cert/slithy.greyoak.com
ipa: ERROR: Certificate format error: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.

No traceback, it's a caught error:

[Thu Jun 09 10:27:58.642749 2016] [wsgi:error] [pid 19694] ipa: INFO: [jsonserver_session] ad...@greyoak.com: service_mod(u'cert/slithy.greyoak....@greyoak.com', addattr=(u'usercertificate=Zm9vCg==',), rights=False, all=False, raw=False, version=u'2.156', no_members=False): CertificateFormatError

And interestingly, I can't delete the service and there I _do_ get a traceback.

[Thu Jun 09 10:29:34.236210 2016] [wsgi:error] [pid 19694] ipa: INFO: [jsonserver_session] ad...@greyoak.com: service_show(u'cert/slithy.greyoak....@greyoak.com', rights=False, all=False, raw=False, version=u'2.156', no_members=False): CertificateFormatError
[Thu Jun 09 10:30:55.692025 2016] [wsgi:error] [pid 19693] ipa: INFO: Problem decoding certificate: Certificate format error: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.770495 2016] [wsgi:error] [pid 19693] ipa: ERROR: non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.770527 2016] [wsgi:error] [pid 19693] Traceback (most recent call last):
[Thu Jun 09 10:30:55.770534 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Thu Jun 09 10:30:55.770541 2016] [wsgi:error] [pid 19693]     result = self.Command[name](*args, **options)
[Thu Jun 09 10:30:55.770547 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__
[Thu Jun 09 10:30:55.770552 2016] [wsgi:error] [pid 19693]     ret = self.run(*args, **options)
[Thu Jun 09 10:30:55.770558 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run
[Thu Jun 09 10:30:55.770563 2016] [wsgi:error] [pid 19693]     return self.execute(*args, **options)
[Thu Jun 09 10:30:55.770569 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1626, in execute
[Thu Jun 09 10:30:55.770575 2016] [wsgi:error] [pid 19693]     delete_entry(pkey)
[Thu Jun 09 10:30:55.770580 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1579, in delete_entry
[Thu Jun 09 10:30:55.770585 2016] [wsgi:error] [pid 19693]     dn = callback(self, ldap, dn, *nkeys, **options)
[Thu Jun 09 10:30:55.770591 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 594, in pre_callback
[Thu Jun 09 10:30:55.770597 2016] [wsgi:error] [pid 19693]     revoke_certs(entry_attrs.get('usercertificate', []), self.log)
[Thu Jun 09 10:30:55.770617 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 258, in revoke_certs
[Thu Jun 09 10:30:55.770625 2016] [wsgi:error] [pid 19693]     serial = unicode(x509.get_serial_number(cert, x509.DER))
[Thu Jun 09 10:30:55.770631 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 183, in get_serial_number
[Thu Jun 09 10:30:55.770637 2016] [wsgi:error] [pid 19693]     nsscert = load_certificate(certificate, datatype, dbdir)
[Thu Jun 09 10:30:55.770642 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
[Thu Jun 09 10:30:55.770648 2016] [wsgi:error] [pid 19693]     return nss.Certificate(buffer(data))
[Thu Jun 09 10:30:55.770653 2016] [wsgi:error] [pid 19693] NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Thu Jun 09 10:30:55.771242 2016] [wsgi:error] [pid 19693] ipa: INFO: [jsonserver_session] ad...@greyoak.com: service_del((u'cert/slithy.greyoak....@greyoak.com',), continue=False, version=u'2.156'): NSPRError

rob
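As an added illustration of the tolerant handling discussed in the thread (example code, not FreeIPA's own): a minimal structural DER check that returns the serial number for well-formed Certificate values and logs an error plus a warning for values such as the "foo" above, so a service-del can skip revocation for a bogus value instead of dying with a traceback. The function names, the logger name and the constructed sample (structurally valid but unsigned, so not a real certificate) are assumptions.

```python
import logging

log = logging.getLogger("usercertificate")
# Constructed samples: a minimal Certificate shell with serial 0x1234 (not a real, signed cert)
GOOD_CERT = bytes.fromhex("3010" "3009" "a003020102" "02021234" "3000" "030100")
BAD_VALUE = b"foo\n"   # the bogus value from the log above (base64 Zm9vCg==)


def _read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos), or None if truncated."""
    if pos + 2 > len(data):
        return None
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            return None
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        return None
    return tag, data[pos:pos + length], pos + length


def der_cert_serial(der):
    """Serial number of a structurally valid DER Certificate, else None (never raises)."""
    outer = _read_tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if outer is None or outer[0] != 0x30 or outer[2] != len(der):
        return None
    tbs = _read_tlv(outer[1], 0)           # TBSCertificate ::= SEQUENCE { [0] version, serial, ... }
    if tbs is None or tbs[0] != 0x30:
        return None
    field = _read_tlv(tbs[1], 0)
    if field is not None and field[0] == 0xA0:   # EXPLICIT [0] version is optional; skip it
        field = _read_tlv(tbs[1], field[2])
    if field is None or field[0] != 0x02 or not field[1]:
        return None
    return int.from_bytes(field[1], "big", signed=True)


def serials_for_revocation(values):
    """Return (serials, warnings): bad values are logged at ERROR and skipped, not fatal."""
    serials, warnings = [], []
    for raw in values:
        serial = der_cert_serial(raw)
        if serial is None:
            warnings.append("Problem decoding certificate %r: not a DER X.509 certificate" % raw[:16])
            log.error(warnings[-1])
        else:
            serials.append(serial)
    return serials, warnings
```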

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code