Bug 1245225

Summary: Asymmetric vault drops traceback when the key is not proper
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: ksiddiqu, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-5.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:04:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2015-07-21 14:03:10 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5142

VERSION: 4.2.90.201507201402GIT37b1af9, API_VERSION: 2.146
{{{
-sh-4.3$ openssl genrsa -out mykey.pem 2048; openssl rsa -in mykey.pem -pubout >mykey.pub; ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
...........+++
e is 65537 (0x10001)
writing RSA key
ipa: WARNING: session memcached servers not running
ipa: ERROR: non-public: ValueError: Could not unserialize key data.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 643, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 977, in forward
    encryption_key, public_key=public_key)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 474, in encrypt
    backend=default_backend()
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 24, in load_pem_public_key
    return backend.load_pem_public_key(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 285, in load_pem_public_key
    return b.load_pem_public_key(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 719, in load_pem_public_key
    self._handle_key_loading_error()
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 937, in _handle_key_loading_error
    raise ValueError("Could not unserialize key data.")
ValueError: Could not unserialize key data.
ipa: ERROR: an internal error has occurred
-sh-4.3$ ls -la
total 40
drwxr-xr-x.  4 testuser testuser 4096 Jul 20 11:20 .
drwxr-xr-x.  3 root     root     4096 Jul 16 15:42 ..
-rw-------.  1 testuser testuser 2628 Jul 17 19:30 .bash_history
drwxr-xr-x. 20 testuser testuser 4096 Jul 17 11:59 freeipa
drwxrwxr-x.  4 testuser testuser 4096 Jul 17 10:40 .ipa
-rw-rw-r--.  1 testuser testuser 1679 Jul 20 11:20 mykey.pem
-rw-rw-r--.  1 testuser testuser  451 Jul 20 11:20 mykey.pub
-rw-rw-r--.  1 testuser testuser   11 Jul 20 11:13 password.txt
-rw-------.  1 testuser testuser 1024 Jul 20 11:20 .rnd
-rw-------.  1 testuser testuser 3144 Jul 17 18:56 .viminfo
-sh-4.3$ ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
ipa: WARNING: session memcached servers not running
ipa: ERROR: vault with name "AsymmetricVault" already exists
-sh-4.3$ ipa vault-find
ipa: WARNING: session memcached servers not running
----------------
4 vaults matched
----------------
  Vault name: AsymmetricVault
  Description: Asymmetric vault
  Type: asymmetric

  Vault name: PrivateVault
  Description: Private vault
  Type: standard

  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric

  Vault name: SymmetricVault2
  Description: Symmetric vault 2
  Type: symmetric
----------------------------
Number of entries returned 4
----------------------------
}}}
Comment 1 Petr Vobornik 2015-08-13 17:21:32 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e4dff25838f7a2342779851bd68460080d77683b
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/06d68b447ff62b64a3a6e4a3c565fcf406a457ec
Comment 3 Scott Poore 2015-09-15 19:34:31 UTC 
Verified.

Version ::

ipa-server-4.2.0-9.el7.x86_64

Results ::

[root@master ~]# openssl genrsa -out mykey.pem 2048; openssl rsa -in mykey.pem -pubout >mykey.pub; ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
......................................................................................+++
e is 65537 (0x10001)
writing RSA key
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data.
Comment 4 errata-xmlrpc 2015-11-19 12:04:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html