On Thu, Jun 09, 2016 at 10:32:14AM -0400, Rob Crittenden wrote:
> Fraser Tweedale wrote:
> > On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:
> > > 
> > > 
> > > On 09.06.2016 15:03, Martin Basti wrote:
> > > > 
> > > > 
> > > > On 09.06.2016 15:02, Stanislav Laznicka wrote:
> > > > > On 06/09/2016 02:51 PM, Rob Crittenden wrote:
> > > > > > Stanislav Laznicka wrote:
> > > > > > > Hello,
> > > > > > > 
> > > > > > > Please see the attached patch of
> > > > > > > https://fedorahosted.org/freeipa/ticket/5797.
> > > > > > > 
> > > > > > > Standa
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > > Just wondering out loud but should usercertificate be excluded
> > > > > > from the output if it is unparsable? Is there any value in
> > > > > > showing that a bogus value is in there?
> > > > > > 
> > > > > > rob
> > > > > I think it is a good pointer that something has gone wrong with the
> > > > > certificate. Another way would be to print 'Invalid certificate'
> > > > > instead of it similar to what Apache LDAP Browser does.
> > > > > 
> > > > 
> > > > We can return a warning message that something with certificates is
> > > > broken.
> > > > 
> > > > Martin^2
> > > > 
> > > And you should log it at error log level, because it is error
> > > 
> > Is the data from LDAP actually invalid?  It should not be possible
> > to store data that is not a syntactically valid X.509 cert in the
> > userCertificate attribute (if it is, we should file a ticket against
> > 389).
> > 
> > Is there a full traceback for the original error of #5797?  What is
> > the datum that is the immediate cause of the error and what happens
> > to it between the database and the function that throws?
> > 
> > Could it be a python3 bytes/str problem originating in
> > x509.normalize_certificate?
> > 
> > Cheers,
> > Fraser
> > 
> 
> A cert can get in several different ways. IPA sure tries hard not to allow
> bad certs but I guess they can happen:
> 
> $ ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: ad...@greyoak.com
> SASL SSF: 56
> SASL data security layer installed.
> dn: 
> krbprincipalname=cert/slithy.greyoak....@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com
> changetype: modify
> add: usercertificate
> usercertificate: foo
> 
> modifying entry 
> "krbprincipalname=cert/slithy.greyoak....@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com"
> 
> $ ipa service-show cert/slithy.greyoak.com
> ipa: ERROR: Certificate format error: (SEC_ERROR_INVALID_ARGS) security
> library: invalid arguments.
> 
> No traceback, it's a caught error:
> 
> [Thu Jun 09 10:27:58.642749 2016] [wsgi:error] [pid 19694] ipa: INFO:
> [jsonserver_session] ad...@greyoak.com:
> service_mod(u'cert/slithy.greyoak....@greyoak.com',
> addattr=(u'usercertificate=Zm9vCg==',), rights=False, all=False, raw=False,
> version=u'2.156', no_members=False): CertificateFormatError
> 
> And interestingly, I can't delete the service and there I _do_ get a
> traceback.
> 
> [Thu Jun 09 10:29:34.236210 2016] [wsgi:error] [pid 19694] ipa: INFO:
> [jsonserver_session] ad...@greyoak.com:
> service_show(u'cert/slithy.greyoak....@greyoak.com', rights=False,
> all=False, raw=False, version=u'2.156', no_members=False):
> CertificateFormatError
> [Thu Jun 09 10:30:55.692025 2016] [wsgi:error] [pid 19693] ipa: INFO:
> Problem decoding certificate: Certificate format error:
> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> [Thu Jun 09 10:30:55.770495 2016] [wsgi:error] [pid 19693] ipa: ERROR:
> non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> [Thu Jun 09 10:30:55.770527 2016] [wsgi:error] [pid 19693] Traceback (most
> recent call last):
> [Thu Jun 09 10:30:55.770534 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in
> wsgi_execute
> [Thu Jun 09 10:30:55.770541 2016] [wsgi:error] [pid 19693]     result =
> self.Command[name](*args, **options)
> [Thu Jun 09 10:30:55.770547 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__
> [Thu Jun 09 10:30:55.770552 2016] [wsgi:error] [pid 19693]     ret =
> self.run(*args, **options)
> [Thu Jun 09 10:30:55.770558 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run
> [Thu Jun 09 10:30:55.770563 2016] [wsgi:error] [pid 19693]     return
> self.execute(*args, **options)
> [Thu Jun 09 10:30:55.770569 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1626, in
> execute
> [Thu Jun 09 10:30:55.770575 2016] [wsgi:error] [pid 19693]
> delete_entry(pkey)
> [Thu Jun 09 10:30:55.770580 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1579, in
> delete_entry
> [Thu Jun 09 10:30:55.770585 2016] [wsgi:error] [pid 19693]     dn =
> callback(self, ldap, dn, *nkeys, **options)
> [Thu Jun 09 10:30:55.770591 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 594, in
> pre_callback
> [Thu Jun 09 10:30:55.770597 2016] [wsgi:error] [pid 19693]
> revoke_certs(entry_attrs.get('usercertificate', []), self.log)
> [Thu Jun 09 10:30:55.770617 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 258, in
> revoke_certs
> [Thu Jun 09 10:30:55.770625 2016] [wsgi:error] [pid 19693]     serial =
> unicode(x509.get_serial_number(cert, x509.DER))
> [Thu Jun 09 10:30:55.770631 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 183, in
> get_serial_number
> [Thu Jun 09 10:30:55.770637 2016] [wsgi:error] [pid 19693]     nsscert =
> load_certificate(certificate, datatype, dbdir)
> [Thu Jun 09 10:30:55.770642 2016] [wsgi:error] [pid 19693]   File
> "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in
> load_certificate
> [Thu Jun 09 10:30:55.770648 2016] [wsgi:error] [pid 19693]     return
> nss.Certificate(buffer(data))
> [Thu Jun 09 10:30:55.770653 2016] [wsgi:error] [pid 19693] NSPRError:
> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> [Thu Jun 09 10:30:55.771242 2016] [wsgi:error] [pid 19693] ipa: INFO:
> [jsonserver_session] ad...@greyoak.com:
> service_del((u'cert/slithy.greyoak....@greyoak.com',), continue=False,
> version=u'2.156'): NSPRError
> 
> rob
>
Yikes, I guess I hope too much when I expected userCertificate to
barf if given a value that doesn't look like an X.509 cert.

Reading https://tools.ietf.org/html/rfc4523#section-2.1, looks like
garbage-in/garbage-out is (unfortunately) the right behaviour for
DS.

Cheers,
Fraser
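A structural check of the kind this thread argues for, added here as an example and not FreeIPA's own code: it walks the DER Certificate structure the way x509.get_serial_number would have to, separates parseable userCertificate values from junk like the "foo" stored above, and logs the junk at error level rather than failing the whole service-show/service-del command. The function names, the logging call and the two sample values (the thread's Zm9vCg== and a constructed DER skeleton that is not a real certificate) are assumptions for the example.

```python
import logging

SEQUENCE, INTEGER, BIT_STRING, CTX0 = 0x30, 0x02, 0x03, 0xA0
# Constructed samples, not real certs: the thread's bogus value (base64 Zm9vCg==
# is b"foo\n") and a minimal DER skeleton carrying version v3 and serial 0x1234.
BOGUS, SKELETON = b"foo\n", bytes.fromhex("30103009a00302010202021234" "3000" "030100")

def read_tlv(buf, pos):
    """One definite-length DER TLV at buf[pos] -> (tag, start, end), or None."""
    if pos + 2 > len(buf):
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    nbytes = first & 0x7F if first & 0x80 else 0  # long-form length octets
    if first & 0x80 and (nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf)):
        return None  # indefinite or absurd length is not DER
    length = int.from_bytes(buf[pos:pos + nbytes], "big") if nbytes else first
    pos += nbytes
    return (tag, pos, pos + length) if pos + length <= len(buf) else None

def der_certificate_serial(der):
    """Return tbsCertificate.serialNumber, or None if der is not a well-formed DER Certificate."""
    outer = read_tlv(der, 0)
    if outer is None or outer[0] != SEQUENCE or outer[2] != len(der):
        return None
    pos, end, tbs = outer[1], outer[2], None
    for tag in (SEQUENCE, SEQUENCE, BIT_STRING):  # tbsCertificate, signatureAlgorithm, signatureValue
        tlv = read_tlv(der, pos)
        if tlv is None or tlv[0] != tag or tlv[2] > end:
            return None
        tbs, pos = tbs or tlv, tlv[2]
    if pos != end:
        return None  # slack bytes inside the outer SEQUENCE
    field = read_tlv(der, tbs[1])  # optional [0] EXPLICIT version precedes serialNumber
    if field is not None and field[0] == CTX0:
        field = read_tlv(der, field[2])
    if field is None or field[0] != INTEGER or field[2] > tbs[2] or field[1] == field[2]:
        return None
    return int.from_bytes(der[field[1]:field[2]], "big", signed=True)

def split_usercertificate(values):
    """Partition raw userCertificate values into [(raw, serial)] and junk; log junk at error level."""
    good, bad = [], []
    for raw in values:
        serial = der_certificate_serial(raw)
        if serial is None:
            bad.append(raw)
            logging.error("Problem decoding certificate: %d-byte value is not DER X.509", len(raw))
        else:
            good.append((raw, serial))
    return good, bad
```

With values like these a command can still show the entry and revoke the real certs while reporting the bogus attribute value, instead of surfacing an NSPRError.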

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
