Bug 641155

Summary: Candlepin should not generate certs that will be rejected by RHSM
Product: [Community] Candlepin
Reporter: Mark Sechrest <msechres>
Component: candlepin
Assignee: Bryan Kearney <bkearney>
Status: CLOSED CURRENTRELEASE
QA Contact: John Sefler <jsefler>
Severity: high
Priority: low
Version: 0.5
CC: bkearney, whayutin
Keywords: QA-Closed
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-23 21:51:26 UTC
Bug Blocks: 639436

Description Mark Sechrest 2010-10-07 21:09:17 UTC
Description of problem: In https://bugzilla.redhat.com/show_bug.cgi?id=641129, it was revealed that candlepin will generate certs for skus that are missing product data. Cert creation should fail in this case. We should never generate a cert that the client will not accept.



Comment 1 Bryan Kearney 2010-10-08 13:11:23 UTC
For posterity's sake, what data is missing? We can try and recreate it later.

Comment 2 Mark Sechrest 2010-10-11 17:40:19 UTC
Product data was missing, because the cp_pool_products entry was pointing to an eng product that didn't have any content sets mapped. (iirc)

I assume that is just one example, tho. I would expect that any validity checks performed by rhsm should have equivalent logic in candlepin.

Comment 3 Ajay Kumar Nadathur Sreenivasan 2010-11-11 19:18:41 UTC
candlepin now throws an exception when no product information is available for encoding during the entitlement certificate generation process.
fix in sha: 5169319ef31a73926a04b5e0be79f3e944380d6d

Comment 4 Ajay Kumar Nadathur Sreenivasan 2010-11-23 17:06:33 UTC
candlepin's behavior has changed. It generates a certificate even when product information is not available. However, rhsm has been modified to accept entitlement certificates with no product info.

Comment 5 John Sefler 2010-11-23 17:14:34 UTC
Verifying Version...
[root@jsefler-onprem01 pki]# rpm -q subscription-manager
subscription-manager-0.93.1-1.git.109.d31440b.fc12.i386



[root@jsefler-onprem01 pki]# subscription-manager register --username=testuser1 --password=password --type=person
6a9372a7-06b8-468b-8f77-0e1c8ecdba6f testuser1
[root@jsefler-onprem01 pki]# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+


ProductName:       	RHEL Personal            
ProductId:         	RH09XYU34                
PoolId:            	ff8080812c771c5c012c771d38470181
Quantity:          	5                        
Expires:           	2011-11-22               


ProductName:       	RHEL Personal            
ProductId:         	RH09XYU34                
PoolId:            	ff8080812c771c5c012c771d38570183
Quantity:          	10                       
Expires:           	2011-11-22               

[root@jsefler-onprem01 pki]# subscription-manager subscribe --pool=ff8080812c771c5c012c771d38470181
[root@jsefler-onprem01 pki]# subscription-manager list --consumed
+-------------------------------------------+
    Consumed Product Subscriptions
+-------------------------------------------+


ProductName:        	RHEL Personal            
ContractNumber:     	39                       
AccountNumber:      	12331131231              
SerialNumber:       	11290530959739201        
Active:             	True                     
Begins:             	2010-11-22               
Expires:            	2011-11-22               


[root@jsefler-onprem01 pki]# ls /etc/pki/entitlement/
11290530959739201.pem  key.pem              
[root@jsefler-onprem01 pki]# python /usr/share/rhsm/certificate.py /etc/pki/entitlement/11290530959739201.pem 
/etc/pki/entitlement/11290530959739201.pem
RAW:
===================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:1c:ad:97:2e:49:41
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=jsefler-f12-candlepin.usersys.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: Nov 23 16:49:19 2010 GMT
            Not After : Nov 23 23:59:59 2011 GMT
        Subject: CN=ff8080812c771c5c012c79a3b1590da2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                keyid:E3:E1:7C:33:22:EF:60:27:FD:93:C4:54:FE:28:F4:6F:F8:EE:0D:52
                DirName:/CN=jsefler-f12-candlepin.usersys.redhat.com/C=US/L=Raleigh
                serial:99:EF:2A:7E:23:FE:3E:06

            X509v3 Subject Key Identifier: 
                4F:48:F9:89:A7:36:96:D2:71:65:9D:E4:62:B2:49:D6:A4:9C:23:30
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            1.3.6.1.4.1.2312.9.4.1: 
RHEL Personal   .
            1.3.6.1.4.1.2312.9.4.2: 
                . ff8080812c771c5c012c771cec9b00a2
            1.3.6.1.4.1.2312.9.4.3: 
                ..RH09XYU34
            1.3.6.1.4.1.2312.9.4.5: 
                ..5
            1.3.6.1.4.1.2312.9.4.6: 
                ..2010-11-23T00:00:00Z
            1.3.6.1.4.1.2312.9.4.7: 
                ..2011-11-23T00:00:00Z
            1.3.6.1.4.1.2312.9.4.12: 
                ..0
            1.3.6.1.4.1.2312.9.4.10: 
                ..39
            1.3.6.1.4.1.2312.9.4.13: 
                ..12331131231
            1.3.6.1.4.1.2312.9.4.11: 
                ..1
            1.3.6.1.4.1.2312.9.5.1: 
                .$6a9372a7-06b8-468b-8f77-0e1c8ecdba6f
    Signature Algorithm: sha1WithRSAEncryption

MODEL:
===================================
Serial#: 11290530959739201
Subject (CN): ff8080812c771c5c012c79a3b1590da2
Valid: [True] 
	2010-11-23 00:00:00+00:00
	2011-11-23 00:00:00+00:00

Order {
	Name ............ = RHEL Personal
	Number .......... = ff8080812c771c5c012c771cec9b00a2
	SKU ............. = RH09XYU34
	Subscription .... = None
	Quantity ........ = 5
	Start (Ent) ..... = 2010-11-23T00:00:00Z
	End (Ent) ....... = 2011-11-23T00:00:00Z
	Virt Limit ...... = None
	Socket Limit .... = None
	Contract ........ = 39
	Warning Period .. = 0
	Account Number .. = 12331131231
}


VERIFIED...  As evidenced by looking at the inners of the entitlement cert... Even though there is no product information in the certificate (which happens when a person subscribes to RHEL Personal), the rhsm client accepted the certificate and placed it in /etc/pki/entitlement/ .

Moving to VERIFIED
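
The manual inspection in Comment 5 can be scripted so that the issuer and the client apply the same view of a certificate. The following is an added example, not code from Candlepin or subscription-manager: it parses the custom extension lines of a text dump in the layout shown above, groups them by namespace, and reports which groups are absent. The sample dump is constructed, and the mapping of `.9.1` to product data is an assumption not shown on this page.

```python
import re

REDHAT_OID = "1.3.6.1.4.1.2312.9"
# .4 (order) and .5 (consumer UUID) are visible in the dump above;
# .1 as the product namespace is an assumption, not shown on this page.
NAMESPACES = {"1": "product", "4": "order", "5": "system"}

# Constructed sample in the layout of the RAW dump above (not a real cert).
SAMPLE_DUMP = """\
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            1.3.6.1.4.1.2312.9.4.1:
                ..RHEL Personal
            1.3.6.1.4.1.2312.9.4.3:
                ..RH09XYU34
            1.3.6.1.4.1.2312.9.5.1:
                .$6a9372a7-06b8-468b-8f77-0e1c8ecdba6f
"""

OID_LINE = re.compile(r"^\s*(" + re.escape(REDHAT_OID) + r"(?:\.\d+)+):\s*$")


def parse_extensions(dump):
    """Return {oid: value} for Red Hat extensions in an openssl-style dump."""
    found, pending = {}, None
    for line in dump.splitlines():
        match = OID_LINE.match(line)
        if match:
            pending = match.group(1)
            found[pending] = ""
        elif pending:
            # The first two characters are the DER tag and length bytes as
            # rendered by the dump ("..", ". " or ".$"); drop them.
            found[pending] = line.strip()[2:]
            pending = None
    return found


def check_entitlement(dump):
    """Group extensions by namespace and list what a strict check would flag."""
    groups = {}
    for oid, value in parse_extensions(dump).items():
        ns = oid[len(REDHAT_OID) + 1:].split(".")[0]
        groups.setdefault(NAMESPACES.get(ns, "unknown"), {})[oid] = value
    findings = [f"no {name} extensions" for name in ("order", "product")
                if name not in groups]
    return groups, findings


if __name__ == "__main__":
    print(check_entitlement(SAMPLE_DUMP))
```

Whether a finding should block issuance or only be logged depends on what the client accepts; per Comment 4, a certificate with no product information is accepted by rhsm.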