| Summary | The import test does not work in test_pkcs12.py in python-nss-doc |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Patrik Kis <pkis> |
| Component | python-nss |
| Assignee | John Dennis <jdennis> |
| Status | CLOSED NOTABUG |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium |
| Priority | medium |
| Version | 7.0 |
| CC | pkis |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2013-10-17 17:21:51 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
I can't reproduce this on either Fedora 18 or RHEL-7. On RHEL-7 I've got nss-3.15.1-2.el7.x86_64 installed. I instrumented the test and before pkcs12.database_import() runs there is no test_user in the database and after it runs test_user is present. This is with the sql database. So I'm at a loss, I'll need some more information or an actual reproducer.

Created attachment 813461 [details]: updated test_pkcs12

Hi Patrik: Yes you were doing something wrong, probably a silly cut-n-paste bug. In your script you do this to create the pkcs12 file:

```
pk12util -o test_user.p12 -n test_ca -d sql:pki -W pk12_passwd -K db_passwd
```

But notice what the name of the cert is you're extracting from the database: it's the test_ca cert, not the test_user cert! So what happens is the test_user cert is deleted prior to importing the pkcs12 file, but the pkcs12 file doesn't import the test_user cert, instead it imports the test_ca cert. This is effectively a no-op because the exact same test_ca cert & key are already in the database. That's why there is no error. But you don't see the test_user cert because you never imported it. I edited your test changing test_ca to test_user and it runs successfully.

This bug report did cause me to look at test_pkcs12 more carefully and I noticed the testing was weak; in several places it didn't actually check the expected values. Perhaps one reason for that omission was it's not possible to verify the keys (because keys are always hidden) and because you can't just compare pkcs12 files because they are not binary identical despite containing the exact same binary data (because the encryption uses a different salt). I enhanced the test_pkcs12.py test to validate:

* the binary cert is identical after importing
* the exported pkcs12 file matches the cert
* the cert is present or absent in the database as expected.

I've attached a copy of the updated test script. I created a directory under the one you pointed me at called 'jdennis'; it has both the setup_certs.py and the test_pkcs12.py file that's attached. The enhanced test_pkcs12 runs successfully. I'm not sure why you've written tests which duplicate the unittest (and call into the unittest). I would think just running the unittest should be sufficient.

Thanks John for the help; I fixed the test. Maybe the reason I haven't noticed this stupid error is that the same test was passing on RHEL-6 with the old database for years. Anyhow, I fixed it now and ran the test on RHEL-6 with the sql db too, and also started using your enhanced unit test. BTW, do you plan to update them also in the python-nss-doc package too?

I could update the unittests in the RPM again but I would have to use bug #1003979, the bug that originally gave me permission to patch the tests. I'll try to do that this morning.

Rebuilt the RPMs with the enhanced test_pkcs12 test: python-nss-0.14.0-3.el7
Description of problem:

The test TestPKCS12Decoder.test_import seems not to work with the sql database. The test passes without error but the certificate is not imported. Maybe I'm doing something wrong, but this test passes on RHEL-6 with the old database but also fails with sql.

Version-Release number of selected component (if applicable): python-nss-0.14.0-2.el7

How reproducible: always

Steps to Reproduce:

```
# rpm -q python-nss-doc
python-nss-doc-0.14.0-2.el7.x86_64
# python /usr/share/doc/python-nss-0.14.0/test/setup_certs.py
INFO: Creating clean database directory: "pki"
INFO: creating ca cert: subject="CN=Test CA", nickname="test_ca"
INFO: creating server cert: subject="CN=rhel7.pkis.net", nickname="test_server"
INFO: creating client cert: subject="CN=test_user", nickname="test_user"
INFO: adding system trusted certs: name="ca_certs" module="libnssckbi.so"
INFO: ---------- Summary ----------
INFO: NSS database name="sql:pki", password="db_passwd"
INFO: CA nickname="test_ca", CA subject="CN=Test CA"
INFO: server nickname="test_server", server subject="CN=rhel7.pkis.net"
INFO: client nickname="test_user", client subject="CN=test_user"
# ll pki/
total 44
-rw-------. 1 root root 13312 Oct 16 18:00 cert9.db
-rw-------. 1 root root 19456 Oct 16 18:00 key4.db
-rw-------. 1 root root   470 Oct 16 18:00 pkcs11.txt
-rw-r--r--. 1 root root     2 Oct 16 18:00 serial
# certutil -L -d pki
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
# certutil -L -d sql:pki

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

test_ca                                                      CTu,u,Cu
test_server                                                  u,u,u
test_user                                                    u,u,u
#
# pk12util -o test_user.p12 -n test_ca -d sql:pki -W pk12_passwd -K db_passwd
pk12util: PKCS12 EXPORT SUCCESSFUL
# ll
total 8
drwxr-xr-x. 2 root root 4096 Oct 16 18:01 pki
-rw-------. 1 root root 1586 Oct 16 18:01 test_user.p12
# python /usr/share/doc/python-nss-0.14.0/test/test_pkcs12.py TestPKCS12Decoder.test_import
.
----------------------------------------------------------------------
Ran 1 test in 0.310s

OK
# certutil -L -d sql:pki

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

test_ca                                                      CTu,u,Cu
test_server                                                  u,u,u
```

Actual results: The import fails and no error is returned.

Expected results: The import is successful.

Additional info: On RHEL I got the same result as above if I did `export NSS_DEFAULT_DB_TYPE=sql` before the test, but if the test is run with the default (old) DB type the test passes.
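The checks John describes in his reply (and the export step in the reproducer above), as an added example that is not from the report or from python-nss: an offline harness that parses `certutil -L` listings, recovers the nickname a pk12util export command actually used, and reports why an import test could not have proven anything. The listings are constructed from the report's output and the function names are my own.

```python
import re
import shlex

# Constructed sample listings, modelled on the `certutil -L -d sql:pki` output in the report:
# the state after the test deletes test_user, and the state after a correct re-import.
LISTING_BEFORE_IMPORT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

test_ca                                                      CTu,u,Cu
test_server                                                  u,u,u
"""
LISTING_AFTER_GOOD_IMPORT = LISTING_BEFORE_IMPORT + (
    "test_user                                                    u,u,u\n")

# A data row is "<nickname>  <SSL>,<S/MIME>,<JAR/XPI>" using certutil's trust flag letters;
# the two header lines never match because they carry no comma-separated flag triple.
TRUST_ROW = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_listing(text):
    """Return {nickname: trust_attributes} for every certificate in a certutil -L listing."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_ROW.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def nickname_from_pk12util(cmdline):
    """Return the nickname given to pk12util's -n option, or None if there is none."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv[:-1]):
        if arg == "-n":
            return argv[i + 1]
    return None


def check_import_roundtrip(export_cmd, nickname, listing_before, listing_after):
    """Return a list of findings; [] means the import test really proved something."""
    problems = []
    exported = nickname_from_pk12util(export_cmd)
    if exported != nickname:  # the exact mistake in the report: -n test_ca instead of test_user
        problems.append("pkcs12 was exported from %r, not %r" % (exported, nickname))
    if nickname in parse_certutil_listing(listing_before):
        problems.append("%r was still in the database before the import" % nickname)
    if nickname not in parse_certutil_listing(listing_after):
        problems.append("%r is absent from the database after the import" % nickname)
    return problems
```

Run against the report's own command line (`-n test_ca`) with `nickname="test_user"`, the harness reports both the wrong export nickname and the missing cert, which is the silent no-op the original test accepted as a pass.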