Bug 1032760
| Field | Value |
|---|---|
| Summary | Certmonger crashes when trying to decode certificate with invalid data in header |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Jr Aquino <jr.aquino> |
| Component | certmonger |
| Assignee | Nalin Dahyabhai <nalin> |
| Status | CLOSED ERRATA |
| QA Contact | Kaleem <ksiddiqu> |
| Severity | high |
| Docs Contact | |
| Priority | medium |
| Version | 6.3 |
| CC | arubin, dpal, jgalipea, kchamart, nsoman |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | https://fedorahosted.org/certmonger/ticket/22 |
| Whiteboard | |
| Fixed In Version | certmonger-0.75.2-1.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| : | 1033333 (view as bug list) |
| Environment | |
| Last Closed | 2014-10-14 07:12:34 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1033333, 1061410 |
Description
Jr Aquino
2013-11-20 19:19:26 UTC
We get here through a combination of three things:

* When running an external enrollment (or in this case, "enrollment") helper, certmonger isn't clearing the environment. In particular, when TERM is set to an xterm-like terminal (which happens when the daemon inherits that value due to being started as a child of a shell), the IPA helper's use of the framework (as noted in the description) ends up pulling in the readline module, which outputs a control sequence before it starts. The development tree now includes a candidate fix for this.

* When reading the certificate that's output by the helper when it returns success, garbage that precedes or follows the certificate isn't stripped out. While this isn't something that the docs say helpers can expect the daemon to do, for this case we could work around it. The development tree does this now, but it's only a bandage, and doesn't cover other

* When the daemon attempts to save the certificate value, which includes noise, it fails. The state machine hits an assertion failure when it subsequently tries again to save the certificate. The development tree now includes a fix to give it the behavior which is asserted.

At minimum we'd need to pull in the changes for the first and third parts.

These were originally fixed in upstream's 0.69 release, and we're rebasing to a later version, so these changes are incorporated there.

Verified.

certmonger version:
===================

    [root@rhel66-replica ~]# rpm -q certmonger
    certmonger-0.75.8-1.el6.x86_64
    [root@rhel66-replica ~]#

Verification steps taken from https://bugzilla.redhat.com/show_bug.cgi?id=1033333#c5
=========================================================

    [root@rhel66-replica ~]# cat /etc/sysconfig/certmonger
    TERM=xterm-256color
    [root@rhel66-replica ~]# getcert resubmit -i 20140804135130
    Resubmitting "20140804135130" to "dogtag-ipa-retrieve-agent-submit".
    [root@rhel66-replica ~]# ps -eaf|grep agent
    root      7492  7026  0 19:50 ?        00:00:00 /usr/bin/python -E /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
    root      7496  1657  0 19:51 pts/0    00:00:00 grep agent
    [root@rhel66-replica ~]# strings /proc/7492/environ|grep TERM
    TERM=dumb
    [root@rhel66-replica ~]# strings /proc/7492/environ
    HOME=/var/run/certmonger
    PATH=/usr/bin:/bin:/usr/sbin:/sbin
    SHELL=/bin/sh
    TERM=dumb
    TMPDIR=/var/run/certmonger
    CERTMONGER_REQ_SUBJECT=CN=IPA RA,O=TESTRELM.TEST
    CERTMONGER_OPERATION=SUBMIT
    CERTMONGER_CSR=-----BEGIN NEW CERTIFICATE REQUEST-----
    MIIDATCCAekCAQAwKTEWMBQGA1UEChMNVEVTVFJFTE0uVEVTVDEPMA0GA1UEAxMG
    SVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXLnazJCOgj7
    pMWsSoBBSJmsF8Q1yGVcd81+58QFmOyE1vW7HfUyRdUTvMwNa+A6PkRAklvQ5EW1
    6LSQxUhoThpL/eklmsdmvpV4q48SpC/FEr4MaTdUOkh8kjf0E3EYkO07dF6MJCxW
    32Id5btjtdCIOxNHhg8N8UqMwKwJCmCZ41KYQosiDXtAGj4y9lzVZB2O86piZ2jR
    tlK2cWVsrn2WARm53a2Vq1RtFn1Ie4NnqJ7VZqAxDvMGPXwoYDZ1pUqPiF0j/p8u
    tBUdnIhWlQOuPWpg9jfiFq/Ny3IE79+i4VlB/YoI8r1bUWqQnzHdAWSVtLNIrVYS
    Kraq3jdNAQIDAQABoIGSMB0GCSqGSIb3DQEJFDEQHg4AaQBwAGEAQwBlAHIAdDBx
    BgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNVHSUBAQAEFjAUBggr
    BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUNoEX
    JcSfUrXJBMADVR3Zh5pipCMwDQYJKoZIhvcNAQELBQADggEBABIwI9wf7O+S2/Ie
    hXsIiwxGJ5T7SYUguyVoxSKLmKyP9hKvAIJeH5OAz9HnVDAnFMdps/bUhLJiPcEM
    Jwdx8fd3meGwjB/BG1ewmRyrcjuV1vuDDFiuq7TP7opO311j/OhLcFJYRCX2d9ep
    zKLwoio0mNNjU7g5MbvhkvjeD6WVxNSbe79Z6+tmRZtTV2SBT5WR2v2YmbtzQYTa
    4EgUBa4sKnElmm8Qg+hITvLQBy0lqc/QKw/j4K1mm0s3hpcVhQQWZXsxYr2sSsF1
    TB1D7R633DZ455MZ2PxOxf3JfyBUDTVuoTF/bi8azvNiTJqIjUg/X08com2SUPMQ
    PHFPFT8=
    -----END NEW CERTIFICATE REQUEST-----
    CERTMONGER_SPKAC=(value omitted)
    CERTMONGER_SPKI=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXLnazJCOgj7pMWsSoBBSJmsF8Q1yGVcd81+58QFmOyE1vW7HfUyRdUTvMwNa+A6PkRAklvQ5EW16LSQxUhoThpL/eklmsdmvpV4q48SpC/FEr4MaTdUOkh8kjf0E3EYkO07dF6MJCxW32Id5btjtdCIOxNHhg8N8UqMwKwJCmCZ41KYQosiDXtAGj4y9lzVZB2O86piZ2jRtlK2cWVsrn2WARm53a2Vq1RtFn1Ie4NnqJ7VZqAxDvMGPXwoYDZ1pUqPiF0j/p8utBUdnIhWlQOuPWpg9jfiFq/Ny3IE79+i4VlB/YoI8r1bUWqQnzHdAWSVtLNIrVYSKraq3jdNAQIDAQAB
    CERTMONGER_LOCAL_CA_DIR=/var/lib/certmonger/local
    CERTMONGER_KEY_TYPE=RSA
    CERTMONGER_CA_NICKNAME=dogtag-ipa-retrieve-agent-submit
    CERTMONGER_CA_PROFILE=ipaCert
    CERTMONGER_CERTIFICATE=-----BEGIN CERTIFICATE-----
    MIIDezCCAmOgAwIBAgIBETANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNU
    UkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTQw
    ODA0MTQxNjM3WhcNMTYwNzI0MTQxNjM3WjApMRYwFAYDVQQKEw1URVNUUkVMTS5U
    RVNUMQ8wDQYDVQQDEwZJUEEgUkEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
    AoIBAQC9cudrMkI6CPukxaxKgEFImawXxDXIZVx3zX7nxAWY7ITW9bsd9TJF1RO8
    zA1r4Do+RECSW9DkRbXotJDFSGhOGkv96SWax2a+lXirjxKkL8USvgxpN1Q6SHyS
    N/QTcRiQ7Tt0XowkLFbfYh3lu2O10Ig7E0eGDw3xSozArAkKYJnjUphCiyINe0Aa
    PjL2XNVkHY7zqmJnaNG2UrZxZWyufZYBGbndrZWrVG0WfUh7g2eontVmoDEO8wY9
    fChgNnWlSo+IXSP+ny60FR2ciFaVA649amD2N+IWr83LcgTv36LhWUH9igjyvVtR
    apCfMd0BZJW0s0itVhIqtqreN00BAgMBAAGjgZ4wgZswHwYDVR0jBBgwFoAUfdPT
    0HY5SVa1tGsUd9OiAGbyiGYwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1o
    dHRwOi8vcmhlbDY2LW1hc3Rlci50ZXN0cmVsbS50ZXN0OjgwL2NhL29jc3AwDgYD
    VR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkq
    hkiG9w0BAQsFAAOCAQEAV1KySE7YrdzGPW55p94y1ouLoLCNy93kKCMEhUvf/4UU
    do28QqlUApnjODlNrNQXXAHzWLYTNudfLEZOElhT8LezhI+3JT6Y7+lfgzZhznwW
    IrfmojB78GXz4i5D7n03TlY+TfPcj7jKjqBynYzaJhsOotLx+bPJP9OkXXpW184e
    0SDncr14h1vLV2y3fHPLHBm1qXmLFEdz2+wS1aJVV2pFxYWZkousVjedHdtEXQBV
    XE7cC4kqJUmcPaP04zvVK4Bb1MLvRbjkQYYcYJz94j+Ascn1qiiOifR0gqn2lI71
    39FDFZ1TmCjIq0yrJ6VSiLgZ7D3zKQeCjMXSBRMMBA==
    -----END CERTIFICATE-----
    [root@rhel66-replica ~]# getcert list -i 20140804135130
    Number of certificates and requests being tracked: 8.
    Request ID '20140804135130':
            status: MONITORING
            stuck: no
            key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
            CA: dogtag-ipa-retrieve-agent-submit
            issuer: CN=Certificate Authority,O=TESTRELM.TEST
            subject: CN=IPA RA,O=TESTRELM.TEST
            expires: 2016-07-24 14:20:32 UTC
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/lib64/ipa/certmonger/restart_httpd
            track: yes
            auto-renew: yes
    [root@rhel66-replica ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1512.html
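The first two points in the analysis above (a helper inheriting the daemon's environment, and noise around the PEM not being stripped) describe a contract between a daemon and the helpers it spawns. The following is an added example written for this page, not certmonger's or FreeIPA's code, in Python because the helper involved here is a Python program. It builds the helper environment from scratch (the base variables mirror the /proc/<pid>/environ captured in the verification), runs a stand-in helper, and accepts only a well-formed PEM certificate from its output, returning None instead of failing later when the output holds nothing usable. The stand-in helper, the CERTMONGER_OPERATION value passed to it, the control sequence in the sample output and the tiny DER body inside the sample PEM are all constructed for the demonstration.

```python
"""Added example (not certmonger's code): spawn an enrollment helper with a
scrubbed environment and extract only the PEM certificate from its output.

Assumptions (constructed for this page): the stand-in helper, the
CERTMONGER_OPERATION value handed to it, and the sample helper output below.
The base environment mirrors the one captured from the fixed daemon.
"""
import base64
import re
import subprocess
import sys

# Built from scratch, never copied from os.environ: nothing the daemon inherited
# from the shell that started it reaches the helper, and TERM is pinned to
# "dumb" so a terminal-aware library has no reason to emit control sequences.
HELPER_BASE_ENV = {
    "HOME": "/var/run/certmonger",
    "PATH": "/usr/bin:/bin:/usr/sbin:/sbin",
    "SHELL": "/bin/sh",
    "TERM": "dumb",
    "TMPDIR": "/var/run/certmonger",
}


def helper_env(request_vars):
    """Return the helper's environment: the fixed base plus CERTMONGER_* only."""
    env = dict(HELPER_BASE_ENV)
    for key, value in request_vars.items():
        if not key.startswith("CERTMONGER_"):
            raise ValueError("refusing to pass non-CERTMONGER_ variable %r" % key)
        env[key] = value
    return env


def run_helper(argv, request_vars, timeout=60):
    """Run the helper with the scrubbed environment; return (rc, stdout bytes)."""
    proc = subprocess.run(argv, env=helper_env(request_vars), stdin=subprocess.DEVNULL,
                          capture_output=True, timeout=timeout)
    return proc.returncode, proc.stdout


_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _der_sequence_length_ok(der):
    """True if der is one DER SEQUENCE whose encoded length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def extract_certificate(output):
    """Return a normalised PEM certificate from helper output, or None.

    Bytes outside the BEGIN/END markers (control sequences, stray log lines)
    are discarded. The body must be strict base64 decoding to a single DER
    SEQUENCE, and exactly one certificate block must be present.
    """
    bodies = _PEM_RE.findall(output)
    if len(bodies) != 1:
        return None
    try:
        der = base64.b64decode(re.sub(rb"\s+", b"", bodies[0]), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return None
    if not _der_sequence_length_ok(der):
        return None
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample: a terminal control sequence ahead of the PEM, and a
# five-byte DER SEQUENCE { INTEGER 1 } standing in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_HELPER_OUTPUT = (b"\x1b[?1034h-----BEGIN CERTIFICATE-----\n"
                        + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")


def demo_roundtrip():
    """Stand-in helper (python -E, as the IPA helper is run) checks it got TERM=dumb,
    echoes the noisy sample output, and the daemon side keeps only the PEM."""
    stub = ("import os, sys; assert os.environ['TERM'] == 'dumb'; "
            "sys.stdout.buffer.write(%r)" % SAMPLE_HELPER_OUTPUT)
    rc, out = run_helper([sys.executable, "-E", "-c", stub],
                         {"CERTMONGER_OPERATION": "SUBMIT"})
    return extract_certificate(out) if rc == 0 else None


if __name__ == "__main__":
    print(demo_roundtrip())
```

Two behaviours matter here: the environment is constructed rather than filtered, so an unexpected inherited variable cannot leak through, and a helper exit status of success is not trusted on its own; output with no valid certificate yields None, which the caller can report, instead of a saved blob of noise that trips an assertion on the next state-machine pass.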