Bug 1032760

Summary: Certmonger crashes when trying to decode certificate with invalid data in header
Product: Red Hat Enterprise Linux 6
Reporter: Jr Aquino <jr.aquino>
Component: certmonger
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: high
Docs Contact:
Priority: medium
Version: 6.3
CC: arubin, dpal, jgalipea, kchamart, nsoman
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
URL: https://fedorahosted.org/certmonger/ticket/22
Whiteboard:
Fixed In Version: certmonger-0.75.2-1.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1033333
Environment:
Last Closed: 2014-10-14 07:12:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1033333, 1061410

Description Jr Aquino 2013-11-20 19:19:26 UTC
Description of problem:
dogtag-ipa-retrieve-agent-submit imports ipalib.x509, which imports ipapython.ipautil, which imports readline, which prints the control sequence ^[[?1034h

This causes the certificate that certmonger is handling to be corrupt, which in turn blows up certmonger.

Version-Release number of selected component (if applicable):
libipa_hbac-1.9.2-82.10.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
libipa_hbac-python-1.9.2-82.10.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-libs-2.6.6-37.el6_4.x86_64

Steps to Reproduce:
1. getcert resubmit -i <id>
2. wait for certmonger

Actual results:
Certmonger coredumps

Expected results:
Certmonger should resubmit and renew the certificate

Additional info:

Comment 2 Nalin Dahyabhai 2013-11-21 14:00:20 UTC
We get here through a combination of three things:

* When running an external enrollment (or in this case, "enrollment") helper, certmonger isn't clearing the environment.  In particular, when TERM is set to an xterm-like terminal (which happens when the daemon inherits that value due to being started as a child of a shell), the IPA helper's use of the framework (as noted in the description) ends up pulling in the readline module, which outputs a control sequence before it starts.  The development tree now includes a candidate fix for this.

* When reading the certificate that's output by the helper when it returns success, garbage that precedes or follows the certificate isn't stripped out.  While this isn't something that the docs say helpers can expect the daemon to do, for this case we could work around it.  The development tree does this now, but it's only a bandage, and doesn't cover other 

* When the daemon attempts to save the certificate value, which includes noise, it fails.  The state machine hits an assertion failure when it subsequently tries again to save the certificate.  The development tree now includes a fix to give it the behavior which is asserted.

At minimum we'd need to pull in the changes for the first and third parts.
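
The first two of the three fixes above, as an added illustration that is not certmonger's own code: the launcher hands the enrollment helper a scrubbed environment with TERM pinned to dumb (the same variable set the verification in Comment 5 later shows), and the certificate is cut out of the helper's output so that a leading readline control sequence can never reach the save step. The function names, the PEM regex and the sample helper output are assumptions for this example.

```python
import re
import subprocess

# Control sequence readline prints on xterm-like terminals, as quoted in the report.
READLINE_META_MODE = "\x1b[?1034h"

# Matches exactly one PEM certificate; anything around it is ignored.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n"
    r"(?:[A-Za-z0-9+/=]+\r?\n)+"
    r"-----END CERTIFICATE-----"
)

# Constructed sample of what a helper emits when TERM is inherited from a shell.
SAMPLE_HELPER_OUTPUT = (
    READLINE_META_MODE
    + "-----BEGIN CERTIFICATE-----\nMIIBsample\nAAAA==\n-----END CERTIFICATE-----\n"
)


def build_helper_env(workdir="/var/run/certmonger"):
    """Minimal environment for a helper: nothing is inherited from the daemon's
    parent shell, and TERM=dumb gives readline no terminal to initialise."""
    return {
        "HOME": workdir,
        "PATH": "/usr/bin:/bin:/usr/sbin:/sbin",
        "SHELL": "/bin/sh",
        "TERM": "dumb",
        "TMPDIR": workdir,
    }


def extract_certificate(helper_output):
    """Return the PEM certificate from helper stdout, or None when no
    well-formed block is present; noise before or after the block is dropped."""
    match = PEM_CERT_RE.search(helper_output)
    return match.group(0) if match else None


def run_helper(argv, csr_pem):
    """Run an enrollment helper with the scrubbed environment and return the
    cleaned certificate, or None if the helper failed or printed no certificate."""
    env = build_helper_env()
    env["CERTMONGER_OPERATION"] = "SUBMIT"
    env["CERTMONGER_CSR"] = csr_pem
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return extract_certificate(proc.stdout)
```

Even with the environment scrubbed, keeping extract_certificate in front of the save step means a helper that prints a warning on stdout cannot corrupt the stored certificate.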

Comment 3 Nalin Dahyabhai 2014-06-17 18:36:28 UTC
These were originally fixed in upstream's 0.69 release, and we're rebasing to a later version, so these changes are incorporated there.

Comment 5 Kaleem 2014-08-04 12:01:56 UTC
Verified.

certmonger version:
===================
[root@rhel66-replica ~]# rpm -q certmonger
certmonger-0.75.8-1.el6.x86_64
[root@rhel66-replica ~]#

Verification steps taken from https://bugzilla.redhat.com/show_bug.cgi?id=1033333#c5
=========================================================

[root@rhel66-replica ~]# cat /etc/sysconfig/certmonger 
TERM=xterm-256color
[root@rhel66-replica ~]# getcert resubmit -i 20140804135130
Resubmitting "20140804135130" to "dogtag-ipa-retrieve-agent-submit".
[root@rhel66-replica ~]# ps -eaf|grep agent
root      7492  7026  0 19:50 ?        00:00:00 /usr/bin/python -E /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
root      7496  1657  0 19:51 pts/0    00:00:00 grep agent
[root@rhel66-replica ~]# strings /proc/7492/environ|grep TERM
TERM=dumb
[root@rhel66-replica ~]# strings /proc/7492/environ
HOME=/var/run/certmonger
PATH=/usr/bin:/bin:/usr/sbin:/sbin
SHELL=/bin/sh
TERM=dumb
TMPDIR=/var/run/certmonger
CERTMONGER_REQ_SUBJECT=CN=IPA RA,O=TESTRELM.TEST
CERTMONGER_OPERATION=SUBMIT
CERTMONGER_LOCAL_CA_DIR=/var/lib/certmonger/local
CERTMONGER_KEY_TYPE=RSA
CERTMONGER_CA_NICKNAME=dogtag-ipa-retrieve-agent-submit
CERTMONGER_CA_PROFILE=ipaCert
CERTMONGER_CERTIFICATE=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[root@rhel66-replica ~]# getcert list -i 20140804135130
Number of certificates and requests being tracked: 8.
Request ID '20140804135130':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2016-07-24 14:20:32 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/lib64/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
[root@rhel66-replica ~]#

Comment 6 errata-xmlrpc 2014-10-14 07:12:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1512.html