Bug 1362312
| Summary: | ipa vault-retrieve internal error when using the wrong public key | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | dkupka, pvoborni, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.4.0-5.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 05:59:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | attachment 1186578: debug output for vault-retrieve with incorrect private-key-file | | |
Description of problem:
When retrieving an asymmetric vault with the incorrect private key, you see an internal error:

```
[root@rhel7-1 ~]# ipa vault-retrieve testvault1 --private-key-file=/tmp/key2.prv
ipa: ERROR: non-public: ValueError: Decryption failed.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 137, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 993, in forward
    encryption_key = decrypt(encrypted_key, private_key=private_key)
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 164, in decrypt
    label=None
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 538, in decrypt
    return _enc_dec_rsa(self._backend, self, ciphertext, padding)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 76, in _enc_dec_rsa
    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 105, in _enc_dec_rsa_pkey_ctx
    _handle_rsa_enc_dec_error(backend, key)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 151, in _handle_rsa_enc_dec_error
    raise ValueError("Decryption failed.")
ValueError: Decryption failed.
ipa: ERROR: an internal error has occurred
```

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Generate 2 sets of keys to test with:

```
openssl genrsa -out /tmp/key1.prv 2048
openssl rsa -in /tmp/key1.prv -out /tmp/key1.pub -pubout
openssl genrsa -out /tmp/key2.prv 2048
openssl rsa -in /tmp/key2.prv -out /tmp/key2.pub -pubout
```

2. Create new vault with some content:

```
ipa vault-add --type=asymmetric testvault1 --public-key-file=/tmp/key1.pub
ipa vault-archive testvault1 --data="U2VjcmV0MTIzCg=="
```

3. Attempt to retrieve with the unused key file:

```
ipa vault-retrieve testvault1 --private-key-file=/tmp/key2.prv
```

Actual results:
Internal error and stack trace shown above

Expected results:
no internal error

Additional info:
Error message from /var/log/httpd/error_log:

```
[Mon Aug 01 19:05:26.560451 2016] [:error] [pid 5226] ipa: INFO: [jsonserver_session] admin: vault_retrieve_internal/1(u'testvault1', session_key='\\xdb\\xb5\\x10\\x93\\xa3\\xe7\\xb9c\\xa0\\xce@\\xbe\\xdda\\x8a\\xe6\\xa9\\x96\\xfc((\\xe5\\xb4\\x11\\x17W\\t\\xbf\\xa2\\x1c)\\xc6\\x98e\\x19\\xf9G\\xfc\\x9f\\xbb\\x1b\\x9c5\\xdb\\xc9R1\\xa0\\xd4Z\\xb0;\\x1d\\xc4\\xea\\xfeB6>\\x1e\\x8dk\\x11\\xb8\\x91\\xc4\\xfcwl\\x06\\x85.\\xf6\\x89\\x0f\\xa6\\x91\\xe1C"\\x17\\xa4L.\\xf6\\x04\\x8e\\x83\\xfe\\xef\\x07\\x1ca\\x87\\x17>\\x01\\x18\\xe3\\x83G\\xa8\\x93\\xb8\\n(iL\\xc4Ej:\\x17\\xcf/\\xe2&\\xd1\\xf9:GA\\xfe2N\\xf2!\\xf0]\\xfe\\x8d\\xa7\\xc5\\x19"%\\x8c\\xae\\\\\\xc4JS\\xf5Z#\\xff\\x93\\xc5\\x96\\xf6\\xe0\\xbc\\x1e{\\xa5\\x9e}Y\\xc91|\\x17\\xec\\xffo>}\\xb9A\\xb3r\\xb3\\xac\\xd4\\xf3\\xf7\\xa1%\\x83\\xd7\\x1d\\xd0X\\x12C^\\xc9\\xb0\\xe1m\\xac\\xcb\\x00\\x80\\xfa\\xbd\\x17\\xd6\\xfb=\\x159r\\x1a>\\xcb\\x85B~b}0\\x8d\\xcc\\xab4\\xcc\\xdf\\x9aVp\\x97\\xc6\\xd3\\x9b\\xbb>\\x0c-`\\x1dB\\xa2\\xae\\xbc\\xb4\\xecY\\x1d\\xabf_\\xecr81\\x90\\x99\\xcfs\\x19\\xdc\\xea\\xed\\x07L', version=u'2.211'): SUCCESS
```

Created attachment 1186578 [details]
debug output for vault-retrieve with incorrect private-key-file

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6160

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8ab0ad5b9ef59eca7b25a150baeb4a9bf8faa582

Verified.

Version :: ipa-server-4.4.0-5.el7.x86_64

Results ::

```
[root@rhel7-5 ~]# openssl genrsa -out /tmp/key1.prv 2048
Generating RSA private key, 2048 bit long modulus
..................+++
............+++
e is 65537 (0x10001)
[root@rhel7-5 ~]# openssl rsa -in /tmp/key1.prv -out /tmp/key1.pub -pubout
writing RSA key
[root@rhel7-5 ~]# openssl genrsa -out /tmp/key2.prv 2048
Generating RSA private key, 2048 bit long modulus
................+++
....................+++
e is 65537 (0x10001)
[root@rhel7-5 ~]# openssl rsa -in /tmp/key2.prv -out /tmp/key2.pub -pubout
writing RSA key
[root@rhel7-5 ~]# ipa vault-add --type=asymmetric testvault1 --public-key-file=/tmp/key1.pub
------------------------
Added vault "testvault1"
------------------------
[root@rhel7-5 ~]# ipa vault-archive testvault1 --data="U2VjcmV0MTIzCg=="
-------------------------------------
Archived data into vault "testvault1"
-------------------------------------
[root@rhel7-5 ~]# ipa vault-retrieve testvault1 --private-key-file=/tmp/key2.prv
ipa: ERROR: Invalid credentials
[root@rhel7-5 ~]#
```

Just to show that retrieve worked:

```
[root@rhel7-5 ~]# ipa vault-retrieve testvault1 --private-key-file=/tmp/key1.prv
--------------------------------------
Retrieved data from vault "testvault1"
--------------------------------------
  Data: U2VjcmV0MTIzCg==
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
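The following is an added example, not code from this bug report or from FreeIPA. It models the asymmetric vault flow the reproduction steps exercise: the vault data is wrapped with a fresh symmetric (Fernet) key and that key is wrapped with the vault owner's RSA public key using OAEP; retrieval unwraps the key with a private key. Unwrapping with the wrong private key makes `cryptography` raise a bare `ValueError`, which is exactly what the client traceback above shows propagating to the user as an internal error. `retrieve_unpatched` reproduces that, and `retrieve` shows the hardened form that catches the failure and reports a clean, non-revealing error in the spirit of the post-fix `ipa: ERROR: Invalid credentials`. The vault layout, the OAEP parameters (SHA-256; the real IPA client may use different ones) and the `VaultCredentialsError` class are this example's own assumptions; it requires the `cryptography` package.

```python
"""Wrong-private-key handling for an asymmetric vault (added example, not FreeIPA code).

Assumptions not taken from the bug report: the vault layout (Fernet-wrapped
data plus RSA-OAEP-wrapped Fernet key), the OAEP parameters, and the
hypothetical VaultCredentialsError class.
"""
from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP parameters are an assumption of this example, not IPA's exact choice.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class VaultCredentialsError(Exception):
    """Hypothetical user-facing error, mirroring 'ipa: ERROR: Invalid credentials'."""


def generate_keypair():
    """Equivalent of `openssl genrsa ... 2048` + `openssl rsa -pubout`: returns (private PEM, public PEM)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048,
                                   backend=default_backend())
    priv_pem = key.private_bytes(serialization.Encoding.PEM,
                                 serialization.PrivateFormat.TraditionalOpenSSL,
                                 serialization.NoEncryption())
    pub_pem = key.public_key().public_bytes(serialization.Encoding.PEM,
                                            serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem


def archive(data: bytes, public_pem: bytes) -> dict:
    """vault-add --type=asymmetric + vault-archive: wrap data with a fresh Fernet key,
    then wrap that key with the vault's RSA public key (OAEP)."""
    fernet_key = Fernet.generate_key()
    public_key = serialization.load_pem_public_key(public_pem, backend=default_backend())
    return {"vault_data": Fernet(fernet_key).encrypt(data),
            "encrypted_key": public_key.encrypt(fernet_key, OAEP)}


def retrieve_unpatched(vault: dict, private_pem: bytes) -> bytes:
    """The failure mode from the report: with the wrong key, OAEP unwrapping raises a
    bare ValueError("Decryption failed."), which the CLI surfaced as an internal error."""
    private_key = serialization.load_pem_private_key(private_pem, password=None,
                                                     backend=default_backend())
    fernet_key = private_key.decrypt(vault["encrypted_key"], OAEP)
    return Fernet(fernet_key).decrypt(vault["vault_data"])


def retrieve(vault: dict, private_pem: bytes) -> bytes:
    """Hardened form: translate the low-level decryption failure into a clean error.
    The message says only that the key did not fit; no traceback or internals leak."""
    try:
        return retrieve_unpatched(vault, private_pem)
    except ValueError as e:
        raise VaultCredentialsError("Invalid credentials") from e


def demo() -> dict:
    """Run the report's steps with two key pairs; return what each retrieve did."""
    key1_prv, key1_pub = generate_keypair()
    key2_prv, _ = generate_keypair()
    # b"Secret123\n" is the decoded form of the report's U2VjcmV0MTIzCg==
    vault = archive(b"Secret123\n", key1_pub)

    try:
        retrieve_unpatched(vault, key2_prv)
        unpatched = "no error"
    except ValueError as e:
        unpatched = "ValueError: " + str(e)

    try:
        retrieve(vault, key2_prv)
        patched = "no error"
    except VaultCredentialsError as e:
        patched = "ipa: ERROR: " + str(e)

    return {"right_key": retrieve(vault, key1_prv),
            "wrong_key_unpatched": unpatched,
            "wrong_key_patched": patched}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The catch is deliberately narrow: only `ValueError` from the unwrap step is translated, so an unrelated bug elsewhere still surfaces as a traceback for debugging rather than being silently relabelled as a credential problem.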