Bug 1371479

Summary: cert-find --all does not show information about revocation
Product: Red Hat Enterprise Linux 7
Reporter: Martin Bašti <mbasti>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Ganna Kaihorodova <gkaihoro>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: high
Version: 7.3
CC: apetrova, ipa-qe, jcholast, jhrozek, jreznik, mkolaja, nsoman, ppicka, pvoborni, pvomacka, rcritten, spoore, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.4.0-13.el7
Doc Type: Known Issue
Doc Text:
The IdM web UI does not correctly recognize the status of a revoked certificate

The Identity Management (IdM) web UI is currently unable to determine whether a certificate has been revoked. As a consequence:

* The `Revoked` sign is not displayed when viewing the certificate from the user, service, or host details page.
* The `Revoke` action is still available from the details page. Attempting to revoke an already revoked certificate results in an error dialog.
* The `Remove Hold` button is always disabled even if the certificate has been revoked because of Certificate Hold (revocation reason 6).
Story Points: ---
Clone Of:
: 1389252
Environment:
Last Closed: 2017-08-01 09:39:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 1389252
Attachments:
Description Flags
Verification for bug "cert-find --all does not show information about revocation"
none
verification screenshot for webUI part of the bug
none
verification screenshot #2 for webUI part of the bug
none

Description Martin Bašti 2016-08-30 10:04:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6269

Version: 4.4.0.201608262125GITfbc9179

Cert-find with the --all option stopped showing information about whether a certificate is revoked and the reason for revocation. Affects CLI and API.

This information is needed to correctly disable and enable the Revoke and Remove Hold buttons on user/service/host details pages in the WebUI.

Comment 1 Martin Bašti 2016-08-30 10:05:10 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/22d5f579bbd8bb452cf1bf620294ab6ade6e7c47

Comment 5 Scott Poore 2016-09-16 16:47:44 UTC
I see revoked, but I don't see a reason.

This user was revoked with reason 6 (certificateHold)

[root@master ~]# ipa cert-find --all --subject="certuser6"
---------------------
1 certificate matched
---------------------
  Certificate: [certificate data omitted]
  Subject: CN=certuser6,O=IPA.TEST
  Issuer: CN=Certificate Authority,O=IPA.TEST
  Not Before: Fri Sep 16 16:34:40 2016 UTC
  Not After: Mon Sep 17 16:34:40 2018 UTC
  Fingerprint (MD5): 54:99:de:e6:ae:ad:17:fc:0f:e2:98:d9:f2:8a:70:f4
  Fingerprint (SHA1): 61:41:b9:01:57:e2:d4:7c:f5:bd:af:1d:12:06:b1:9c:83:d1:85:8b
  Serial number: 33
  Serial number (hex): 0x21
  Status: REVOKED
  Revoked: True
  Owner user: certuser6
----------------------------
Number of entries returned 1
----------------------------


I can remove the hold:

[root@master ~]#  ipa cert-remove-hold 33
  Unrevoked: True


But I cannot tell from cert-find what the reason is.  From the initial bug description that should be added as well, right?
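
The gap reported in the comment above, as an added example that is not part of the original bug report or of FreeIPA's code: it parses cert-find style text and derives which details-page actions can be enabled. The `Revocation reason` label, the function names, and the sample entries for serials 34 and 35 are assumptions made for illustration; `None` means the hold state cannot be determined from the output.

```python
CERTIFICATE_HOLD = 6  # revocation reason 6, as named in the Doc Text

# Constructed sample: the first entry mirrors Comment 5 (no reason shown), the
# second adds an assumed "Revocation reason" line, the third is not revoked.
SAMPLE = """\
  Subject: CN=certuser6,O=IPA.TEST
  Serial number: 33
  Status: REVOKED
  Revoked: True

  Subject: CN=certuser7,O=IPA.TEST
  Serial number: 34
  Status: REVOKED
  Revoked: True
  Revocation reason: 6

  Subject: CN=certuser8,O=IPA.TEST
  Serial number: 35
  Status: VALID
  Revoked: False
"""

def parse_cert_find(text):
    """Split cert-find style output into one {label: value} dict per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if line[:1].isspace() and ":" in line:
            label, _, value = line.strip().partition(":")
            current[label.strip()] = value.strip()
        elif current:  # a blank or separator line closes the entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries

def ui_actions(entry):
    """Return which certificate actions a details page should enable."""
    revoked = entry.get("Revoked") == "True"
    reason = entry.get("Revocation reason")
    if revoked and reason is None:
        # Condition from Comment 5: revoked, but a hold cannot be recognised.
        return {"revoke": False, "remove_hold": None}
    on_hold = revoked and int(reason) == CERTIFICATE_HOLD
    return {"revoke": not revoked, "remove_hold": on_hold}

def summarize(text):
    return {e["Serial number"]: ui_actions(e) for e in parse_cert_find(text)}
```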

Comment 6 Scott Poore 2016-09-19 13:30:20 UTC
Petr,

Can you help with this?  This should be showing the reason too, right?

Thanks,
Scott

Comment 7 Petr Vobornik 2016-09-19 15:01:13 UTC
Pavel, the original bug description talks about revocation reason, but the fix doesn't touch it. Was this bug about it?

Comment 8 Pavel Vomacka 2016-09-19 15:05:22 UTC
Yes, it was about the information whether the bug is revoked and, if it is, what the reason is. The revocation reason is needed.

Comment 9 Scott Poore 2016-09-19 18:33:54 UTC
Moving back to assigned since it does look like revocation reason should be listed.

Comment 22 Ganna Kaihorodova 2017-05-17 13:45:37 UTC
Created attachment 1279694
Verification for bug "cert-find --all does not show information about revocation"

Comment 23 Ganna Kaihorodova 2017-05-17 13:48:01 UTC
Created attachment 1279695
verification screenshot for webUI part of the bug

Comment 24 Ganna Kaihorodova 2017-05-17 13:49:26 UTC
Created attachment 1279696
verification screenshot #2 for webUI part of the bug

Comment 25 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304