On Thu, Jun 09, 2016 at 10:32:14AM -0400, Rob Crittenden wrote:
> Fraser Tweedale wrote:
> > On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:
> > > On 09.06.2016 15:03, Martin Basti wrote:
> > > > On 09.06.2016 15:02, Stanislav Laznicka wrote:
> > > > > On 06/09/2016 02:51 PM, Rob Crittenden wrote:
> > > > > > Stanislav Laznicka wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Please see the attached patch of
> > > > > > > https://fedorahosted.org/freeipa/ticket/5797.
> > > > > > >
> > > > > > > Standa
> > > > > >
> > > > > > Just wondering out loud but should usercertificate be excluded
> > > > > > from the output if it is unparsable? Is there any value in
> > > > > > showing that a bogus value is in there?
> > > > > >
> > > > > > rob
> > > > >
> > > > > I think it is a good pointer that something has gone wrong with the
> > > > > certificate. Another way would be to print 'Invalid certificate'
> > > > > instead of it similar to what Apache LDAP Browser does.
> > > >
> > > > We can return a warning message that something with certificates is
> > > > broken.
> > > >
> > > > Martin^2
> > >
> > > And you should log it at error log level, because it is error
> >
> > Is the data from LDAP actually invalid? It should not be possible
> > to store data that is not a syntactically valid X.509 cert in the
> > userCertificate attribute (if it is, we should file a ticket against
> > 389).
> >
> > Is there a full traceback for the original error of #5797? What is
> > the datum that is the immediate cause of the error and what happens
> > to it between the database and the function that throws?
> >
> > Could it be a python3 bytes/str problem originating in
> > x509.normalize_certificate?
> >
> > Cheers,
> > Fraser
>
> A cert can get in several different ways. IPA sure tries hard not to allow
> bad certs but I guess they can happen:
>
> $ ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: ad...@greyoak.com
> SASL SSF: 56
> SASL data security layer installed.
> dn: krbprincipalname=cert/slithy.greyoak....@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com
> changetype: modify
> add: usercertificate
> usercertificate: foo
>
> modifying entry "krbprincipalname=cert/slithy.greyoak....@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com"
>
> $ ipa service-show cert/slithy.greyoak.com
> ipa: ERROR: Certificate format error: (SEC_ERROR_INVALID_ARGS) security
> library: invalid arguments.
>
> No traceback, it's a caught error:
>
> [Thu Jun 09 10:27:58.642749 2016] [wsgi:error] [pid 19694] ipa: INFO: [jsonserver_session] ad...@greyoak.com: service_mod(u'cert/slithy.greyoak....@greyoak.com', addattr=(u'usercertificate=Zm9vCg==',), rights=False, all=False, raw=False, version=u'2.156', no_members=False): CertificateFormatError
>
> And interestingly, I can't delete the service and there I _do_ get a
> traceback.
>
> [Thu Jun 09 10:29:34.236210 2016] [wsgi:error] [pid 19694] ipa: INFO: [jsonserver_session] ad...@greyoak.com: service_show(u'cert/slithy.greyoak....@greyoak.com', rights=False, all=False, raw=False, version=u'2.156', no_members=False): CertificateFormatError
> [Thu Jun 09 10:30:55.692025 2016] [wsgi:error] [pid 19693] ipa: INFO: Problem decoding certificate: Certificate format error: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> [Thu Jun 09 10:30:55.770495 2016] [wsgi:error] [pid 19693] ipa: ERROR: non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> [Thu Jun 09 10:30:55.770527 2016] [wsgi:error] [pid 19693] Traceback (most recent call last):
> [Thu Jun 09 10:30:55.770534 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
> [Thu Jun 09 10:30:55.770541 2016] [wsgi:error] [pid 19693]     result = self.Command[name](*args, **options)
> [Thu Jun 09 10:30:55.770547 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__
> [Thu Jun 09 10:30:55.770552 2016] [wsgi:error] [pid 19693]     ret = self.run(*args, **options)
> [Thu Jun 09 10:30:55.770558 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run
> [Thu Jun 09 10:30:55.770563 2016] [wsgi:error] [pid 19693]     return self.execute(*args, **options)
> [Thu Jun 09 10:30:55.770569 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1626, in execute
> [Thu Jun 09 10:30:55.770575 2016] [wsgi:error] [pid 19693]     delete_entry(pkey)
> [Thu Jun 09 10:30:55.770580 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1579, in delete_entry
> [Thu Jun 09 10:30:55.770585 2016] [wsgi:error] [pid 19693]     dn = callback(self, ldap, dn, *nkeys, **options)
> [Thu Jun 09 10:30:55.770591 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 594, in pre_callback
> [Thu Jun 09 10:30:55.770597 2016] [wsgi:error] [pid 19693]     revoke_certs(entry_attrs.get('usercertificate', []), self.log)
> [Thu Jun 09 10:30:55.770617 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 258, in revoke_certs
> [Thu Jun 09 10:30:55.770625 2016] [wsgi:error] [pid 19693]     serial = unicode(x509.get_serial_number(cert, x509.DER))
> [Thu Jun 09 10:30:55.770631 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 183, in get_serial_number
> [Thu Jun 09 10:30:55.770637 2016] [wsgi:error] [pid 19693]     nsscert = load_certificate(certificate, datatype, dbdir)
> [Thu Jun 09 10:30:55.770642 2016] [wsgi:error] [pid 19693]   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> [Thu Jun 09 10:30:55.770648 2016] [wsgi:error] [pid 19693]     return nss.Certificate(buffer(data))
> [Thu Jun 09 10:30:55.770653 2016] [wsgi:error] [pid 19693] NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> [Thu Jun 09 10:30:55.771242 2016] [wsgi:error] [pid 19693] ipa: INFO: [jsonserver_session] ad...@greyoak.com: service_del((u'cert/slithy.greyoak....@greyoak.com',), continue=False, version=u'2.156'): NSPRError
>
> rob

Yikes, I guess I hope too much when I expected userCertificate to
barf if given a value that doesn't look like an X.509 cert.
Reading https://tools.ietf.org/html/rfc4523#section-2.1, looks like
garbage-in/garbage-out is (unfortunately) the right behaviour for DS.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
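The thread's conclusion is that the directory will store any bytes in userCertificate, so the consumer has to treat each value as untrusted input rather than assume it parses. The following is an added example of that pattern; it is not FreeIPA code and does not use the NSS-backed ipalib.x509 functions in the traceback above. It walks just enough DER (standard library only) to reach the serialNumber, which is what revoke_certs needs, rejects values that are not a DER Certificate with a CertificateFormatError instead of letting a library exception escape, and classifies a whole attribute so that a show or delete command can warn about the bad values and still act on the good ones. The sample values are constructed: BOGUS is the "foo\n" from the ldapmodify in the thread, and the two minimal certificates are hand-built DER shells with only the fields the walker reads, not real signed certificates.

```python
"""Tolerant handling of LDAP userCertificate values (added example, not FreeIPA code)."""
import base64
import logging

log = logging.getLogger("usercertificate")


class CertificateFormatError(ValueError):
    """Value is not a DER-encoded X.509 Certificate."""


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos].

    Returns (tag, value, end) where end is the offset just past the value.
    Truncated or oversized lengths raise CertificateFormatError; this is
    exactly what the stored bytes "foo\\n" trigger.
    """
    if pos + 2 > len(buf):
        raise CertificateFormatError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise CertificateFormatError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise CertificateFormatError("length runs past end of value")
    return tag, buf[pos:end], end


def get_serial_number(der):
    """Return the serialNumber of a DER Certificate as an int.

    Certificate ::= SEQUENCE {
        tbsCertificate SEQUENCE {
            version      [0] EXPLICIT INTEGER OPTIONAL,
            serialNumber INTEGER,
            ... },
        ... }
    Only the outer shell and the first two TBS fields are walked.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise CertificateFormatError("not a single DER SEQUENCE")
    tag, tbs, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise CertificateFormatError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # skip the explicit [0] version
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02 or not value:
        raise CertificateFormatError("serialNumber is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)


def classify_user_certificates(raw_values):
    """Split userCertificate values into (parsed, rejected).

    parsed   -> list of (der, serial)
    rejected -> list of (der, reason)
    Never raises: a show command can warn about the rejected values and a
    delete command can still revoke the parsed ones.
    """
    parsed, rejected = [], []
    for der in raw_values:
        try:
            parsed.append((der, get_serial_number(der)))
        except CertificateFormatError as exc:
            log.error("Problem decoding certificate: %s", exc)
            rejected.append((der, str(exc)))
    return parsed, rejected


# Constructed sample data, not taken from a real directory:
#  - BOGUS is the value the thread stored via ldapmodify
#    (addattr=usercertificate=Zm9vCg== is base64 for "foo\n").
#  - MINIMAL_V3 is a hand-built DER shell: version v3, serialNumber 256.
#  - MINIMAL_V1 omits the optional version field and carries a serial
#    with a leading zero byte (0x00a1b2 = 41394), as DER requires for
#    positive integers with the high bit set.
BOGUS = base64.b64decode("Zm9vCg==")
MINIMAL_V3 = bytes.fromhex("300b3009a00302010202020100")
MINIMAL_V1 = bytes.fromhex("30073005020300a1b2")


def demo():
    """Classify one bogus and two well-formed values."""
    return classify_user_certificates([MINIMAL_V3, BOGUS, MINIMAL_V1])


if __name__ == "__main__":
    good, bad = demo()
    for der, serial in good:
        print("serial", serial)
    for der, reason in bad:
        print("rejected %r: %s" % (der, reason))
```

In a command such as service-del the caller would revoke the serials from the parsed list and report the rejected list as a warning rather than abort, which is the behaviour the thread asks for; the DER walker is a stand-in for whatever X.509 parser the deployment actually uses.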