Bug 1436723

Summary: cert-find does not find all certificates without sizelimit=0
Product: Red Hat Enterprise Linux 7
Reporter: Petr Vobornik <pvoborni>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Michal Reznik <mreznik>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.4
CC: mreznik, nsoman, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 09:47:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-03-28 13:51:26 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6716

ipa cert-find command does not find arbitrary certificates which were added using {user|host|service|iduseroverride}-cert-add command. 

Steps to reproduce: 
1) Add certificate using user-add-cert command
2) Try to show certificates for user using $ ipa cert-find --users username 
3) No certificates match
4) Try to show certificates for user using $ ipa cert-find --users username --sizelimit=0
5) 1 certificate matches

The same issue (no arbitrary certificates) also occurs for cert-find without specifying a user or any other entity.

Expected result: 
Certificates are found even without --sizelimit=0

Comment 2 Petr Vobornik 2017-03-28 13:51:46 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6716

Comment 3 Petr Vobornik 2017-03-28 13:56:14 UTC
master:
    6de507c2cad255975665eca6dd6ef7c8f2458d51 cert: do not limit internal searches in cert-find

ipa-4-5:
    6382f9eee335907362a5ccb44b892f59de7d3751 cert: do not limit internal searches in cert-find

Comment 5 Michal Reznik 2017-05-26 14:54:00 UTC
Verified on:

ipa-server-4.5.0-9.el7.x86_64

1. Install ipa server

ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U

2. add "tester" user

[root@master ~]# ipa user-add tester
First name: test1
Last name: test2
-------------------
Added user "tester"
-------------------
  User login: tester
  First name: test1
  Last name: test2
  Full name: test1 test2
  Display name: test1 test2
  Initials: tt
  Home directory: /home/tester
  GECOS: test1 test2
  Login shell: /bin/sh
  Principal name: tester
  Principal alias: tester
  Email address: tester
  UID: 38400001
  GID: 38400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]#

3. create "tester" user certificate

[root@master ~]# ipa certprofile-show --out smime.cfg caIPAserviceCert
------------------------------------------------
Profile configuration stored in file 'smime.cfg'
------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE
[root@master ~]#
[root@master ~]# vim smime.cfg

<snip>
name=TestUsers
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
profileId=caIPATestUsers
<snip>

[root@master ~]# ipa certprofile-import caIPATestUsers --file smime.cfg   --desc "caIPATestUsers " --store TRUE
----------------------------
Imported profile "caIPATestUsers"
----------------------------
  Profile ID: caIPATestUsers
  Profile description: caIPATestUsers
  Store issued certificates: TRUE

[root@master ~]# ipa group-add tester-users
------------------------
Added group "tester-users"
------------------------
  Group name: tester-users
  GID: 38400003
[root@master ~]#
[root@master ~]# ipa caacl-add testerusers_acl
----------------------------
Added CA ACL "testerusers_acl"
----------------------------
  ACL name: testerusers_acl
  Enabled: TRUE
[root@master ~]#
[root@master ~]# ipa caacl-add-profile testerusers_acl --certprofile caIPATestUsers
  ACL name: testerusers_acl
  Enabled: TRUE
  Profiles: caIPATestUsers
  User Groups: tester-users
-------------------------
Number of members added 1
-------------------------
[root@master ~]#
[root@master ~]# openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
..................+++
e is 65537 (0x10001)
[root@master ~]#
[root@master ~]# cat ./tester.conf
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "tester"

[ exts ]
subjectAltName=email:tester
[root@master ~]#
[root@master ~]# openssl req -new -key key.pem -out tester.csr -config tester.conf
[root@master ~]#
[root@master ~]# ipa cert-request tester.csr --principal tester --profile-id caIPATestUsers
  Issuing CA: ipa
  Certificate: <snip>
  Subject: CN=tester,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri May 26 14:17:41 2017 UTC
  Not After: Mon May 27 14:17:41 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
[root@master ~]#
[root@master ~]# ipa user-show tester
  User login: tester
  First name: test1
  Last name: test2
  Home directory: /home/tester
  Login shell: /bin/sh
  Principal name: tester
  Principal alias: tester
  Email address: tester
  UID: 38400004
  GID: 38400004
  Certificate: MIIEAjCCAuqgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI2MTQxNzQxWhcNMTkwNTI3MTQxNzQxWjApMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMQ8wDQYDVQQDDAZ0ZXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDk7WqaeWnA+mDCWMLuacxPkjnW2t0B88iH+t21yd621K6BMQaLA6Nah75KbPCTgNe+6gcag4ne5v3nqDDQqCzLhvSEbplFLwkiOdvWqRsws+Bukr4cOlMTCIMOrlp/qig0UXT59LwYI3trOTsyJY9G6L/WE6UcS4zj8xKp1hIgscwT+8tzxOHyZ+ZAGxF2668C5SUZ0FFNBg23xK0N9aoxdw7WJwsUWaXrmYJiYIaU9YA+FMTW4E4XwO0TWtXTuyZipY/liUCPHSZDM19JUlqMDpkEffKJ1qkYwu1OYEQiccfnYCWd7bCrtxHBRqJiwcWtUkGBPcRsarr3Tl6/kCyFAgMBAAGjggEkMIIBIDAfBgNVHSMEGDAWgBRV/JzTzxBocphYfVOIW17gGNQQVTA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDBDB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBTVC83hlijYcpJQkzXcMynZNskGoTANBgkqhkiG9w0BAQsFAAOCAQEAYAuPABeWmHRLs7ZG76OmRRJxvsqM4pt9F6suy94iXk3PckpJlobHWJ0aq5BbkVn5OXkGsaxNn/NesRq1tUwTbxqBvTmbISftLqtQzjRV95UGgAL97cC1YOgaVc0un4J+ZjjD8mgW53QhY4XVsustFlkS2Uf2gc6l2wWGHzYOJ1PQGR+zWoZMsxGExnlbIudk9xxk4Kc0uhvZsva9CUaT0PzkogCfjo0rDGgwSwkY0s8xu59GA8fqMQuvx6rWJ/1QZHBVxfMOIH5fP4eKOcZ4mfl3mfylYv1KneIbKPQUMtZCiWFZrrD4d0mKPm1heJijkZzdOWnesq5DieTN6DKGog==
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]#
[root@master ~]# ipa cert-find --users tester
---------------------
1 certificate matched
---------------------
  Issuing CA: ipa
  Subject: CN=tester,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri May 26 10:17:41 2017 UTC
  Not After: Mon May 27 10:17:41 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
  Status: VALID
  Revoked: False
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]#
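A scripted version of the check behind the reproduction steps in the description and the verification above, as an added Python example (not FreeIPA's code): it parses the text output of `ipa cert-find` as shown in this report and reports any serial that is returned only when `--sizelimit=0` is passed. The sample outputs are constructed from the report's steps; in practice the two strings come from running the command with and without `--sizelimit=0`.

```python
"""Regression check for the cert-find sizelimit bug (added example, not
FreeIPA code): parse `ipa cert-find` text output and diff the default run
against a --sizelimit=0 run; a serial that appears only with --sizelimit=0
means the default search is dropping certificates."""
import re

# Matches "Serial number: 11" but not "Serial number (hex): 0xB"
SERIAL_RE = re.compile(r"^\s*Serial number: (\d+)\s*$", re.MULTILINE)
COUNT_RE = re.compile(r"^(\d+) certificates? matched$", re.MULTILINE)


def parse_cert_find(output):
    """Return (reported match count, set of decimal serials) from the output."""
    m = COUNT_RE.search(output)
    count = int(m.group(1)) if m else 0
    return count, set(SERIAL_RE.findall(output))


def missing_without_sizelimit(default_output, unlimited_output):
    """Serials returned only when --sizelimit=0 is passed (empty set = OK)."""
    _, default = parse_cert_find(default_output)
    _, unlimited = parse_cert_find(unlimited_output)
    return unlimited - default


# Constructed outputs modelled on the reproduction steps (step 3 and step 5);
# feed real output from `ipa cert-find --users <user>` with and without
# `--sizelimit=0` in practice.
BUGGY_DEFAULT = """---------------------
0 certificates matched
---------------------
"""
UNLIMITED = """---------------------
1 certificate matched
---------------------
  Issuing CA: ipa
  Subject: CN=tester,O=TESTRELM.TEST
  Serial number: 11
  Serial number (hex): 0xB
  Status: VALID
----------------------------
Number of entries returned 1
----------------------------
"""

if __name__ == "__main__":
    print(missing_without_sizelimit(BUGGY_DEFAULT, UNLIMITED))  # {'11'}
```

On a fixed build (ipa-4.5.0-3.el7 or later) the two runs return the same serials and the function returns an empty set.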

Comment 6 errata-xmlrpc 2017-08-01 09:47:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304