Bug 641155
Summary: | Candlepin should not generate certs that will be rejected by RHSM | | |
---|---|---|---|
Product: | [Community] Candlepin | Reporter: | Mark Sechrest <msechres> |
Component: | candlepin | Assignee: | Bryan Kearney <bkearney> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | John Sefler <jsefler> |
Severity: | high | Docs Contact: | |
Priority: | low | | |
Version: | 0.5 | CC: | bkearney, whayutin |
Target Milestone: | --- | Keywords: | QA-Closed |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-02-23 21:51:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 639436 | | |
Description
Mark Sechrest
2010-10-07 21:09:17 UTC
For posterity's sake, what data is missing? We can try and recreate it later.

Product data was missing, because the cp_pool_products entry was pointing to an eng product that didn't have any content sets mapped. (iirc) I assume that is just one example, tho. I would expect that any validity checks performed by rhsm should have equivalent logic in candlepin.

candlepin now throws an exception when no product information is available for encoding during the entitlement certificate generation process. fix in sha: 5169319ef31a73926a04b5e0be79f3e944380d6d

candlepin's behavior has changed. It generates a certificate even when product information is not available. However, rhsm has been modified to accept entitlement certificates with no product info.

Verifying Version...

```
[root@jsefler-onprem01 pki]# rpm -q subscription-manager
subscription-manager-0.93.1-1.git.109.d31440b.fc12.i386
[root@jsefler-onprem01 pki]# subscription-manager register --username=testuser1 --password=password --type=person
6a9372a7-06b8-468b-8f77-0e1c8ecdba6f testuser1
[root@jsefler-onprem01 pki]# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+

ProductName: RHEL Personal
ProductId: RH09XYU34
PoolId: ff8080812c771c5c012c771d38470181
Quantity: 5
Expires: 2011-11-22

ProductName: RHEL Personal
ProductId: RH09XYU34
PoolId: ff8080812c771c5c012c771d38570183
Quantity: 10
Expires: 2011-11-22

[root@jsefler-onprem01 pki]# subscription-manager subscribe --pool=ff8080812c771c5c012c771d38470181
[root@jsefler-onprem01 pki]# subscription-manager list --consumed
+-------------------------------------------+
    Consumed Product Subscriptions
+-------------------------------------------+

ProductName: RHEL Personal
ContractNumber: 39
AccountNumber: 12331131231
SerialNumber: 11290530959739201
Active: True
Begins: 2010-11-22
Expires: 2011-11-22

[root@jsefler-onprem01 pki]# ls /etc/pki/entitlement/
11290530959739201.pem
key.pem
[root@jsefler-onprem01 pki]# python /usr/share/rhsm/certificate.py /etc/pki/entitlement/11290530959739201.pem
/etc/pki/entitlement/11290530959739201.pem
RAW:
===================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28:1c:ad:97:2e:49:41
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=jsefler-f12-candlepin.usersys.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: Nov 23 16:49:19 2010 GMT
            Not After : Nov 23 23:59:59 2011 GMT
        Subject: CN=ff8080812c771c5c012c79a3b1590da2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: SSL Client, S/MIME
            X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier:
                keyid:E3:E1:7C:33:22:EF:60:27:FD:93:C4:54:FE:28:F4:6F:F8:EE:0D:52
                DirName:/CN=jsefler-f12-candlepin.usersys.redhat.com/C=US/L=Raleigh
                serial:99:EF:2A:7E:23:FE:3E:06
            X509v3 Subject Key Identifier: 4F:48:F9:89:A7:36:96:D2:71:65:9D:E4:62:B2:49:D6:A4:9C:23:30
            X509v3 Extended Key Usage: TLS Web Client Authentication
            1.3.6.1.4.1.2312.9.4.1: RHEL Personal .
            1.3.6.1.4.1.2312.9.4.2: . ff8080812c771c5c012c771cec9b00a2
            1.3.6.1.4.1.2312.9.4.3: ..RH09XYU34
            1.3.6.1.4.1.2312.9.4.5: ..5
            1.3.6.1.4.1.2312.9.4.6: ..2010-11-23T00:00:00Z
            1.3.6.1.4.1.2312.9.4.7: ..2011-11-23T00:00:00Z
            1.3.6.1.4.1.2312.9.4.12: ..0
            1.3.6.1.4.1.2312.9.4.10: ..39
            1.3.6.1.4.1.2312.9.4.13: ..12331131231
            1.3.6.1.4.1.2312.9.4.11: ..1
            1.3.6.1.4.1.2312.9.5.1: .$6a9372a7-06b8-468b-8f77-0e1c8ecdba6f
    Signature Algorithm: sha1WithRSAEncryption

MODEL:
===================================
Serial#: 11290530959739201
Subject (CN): ff8080812c771c5c012c79a3b1590da2
Valid: [True] 2010-11-23 00:00:00+00:00 2011-11-23 00:00:00+00:00
Order {
    Name ............ = RHEL Personal
    Number .......... = ff8080812c771c5c012c771cec9b00a2
    SKU ............. = RH09XYU34
    Subscription .... = None
    Quantity ........ = 5
    Start (Ent) ..... = 2010-11-23T00:00:00Z
    End (Ent) ....... = 2011-11-23T00:00:00Z
    Virt Limit ...... = None
    Socket Limit .... = None
    Contract ........ = 39
    Warning Period .. = 0
    Account Number .. = 12331131231
}
```

VERIFIED... As evidenced by looking at the inners of the entitlement cert... Even though there is no product information in the certificate (which happens when a person subscribes to RHEL Personal), the rhsm client accepted the certificate and placed it in /etc/pki/entitlement/ .

Moving to VERIFIED
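
The check discussed in this bug, whether an entitlement certificate carries product information alongside its order data, can be run by issuer and client from the same code. The following is an added example, not code from Candlepin, rhsm, or anyone in this thread. It assumes that product entries live under sub-arc `.9.1` (the page shows only `.9.4` and `.9.5`), and the function names and the product line in `WITH_PRODUCT` are made up.

```python
import re

# Red Hat entitlement extension arc, as seen in the certificate dump on this page.
REDHAT_ARC = "1.3.6.1.4.1.2312.9"
# Sub-arcs 4 (order data) and 5 (the consumer UUID printed by `register`) are on
# the page. Sub-arc 1 for product entries is an assumption; the dump has none.
SECTIONS = {"1": "product", "4": "order", "5": "consumer"}
# Field names matched to sub-OIDs by comparing the RAW and MODEL views on the page.
ORDER_FIELDS = {"1": "Name", "2": "Number", "3": "SKU", "5": "Quantity",
                "6": "Start (Ent)", "7": "End (Ent)", "10": "Contract",
                "12": "Warning Period", "13": "Account Number"}
EXT_LINE = re.compile(r"^\s*" + re.escape(REDHAT_ARC) + r"\.(\d+)\.([\d.]+):\s*(.*)$")

def parse_extensions(dump):
    """Return {section: {sub_oid: value}} from openssl-style text output."""
    found = {}
    for line in dump.splitlines():
        m = EXT_LINE.match(line)
        if not m:
            continue
        arc, sub, value = m.groups()
        # The DER tag and length bytes are printed as two junk characters.
        if value.startswith("."):
            value = value[2:]
        found.setdefault(SECTIONS.get(arc, "unknown-" + arc), {})[sub] = value
    return found

def missing_sections(dump, required=("order", "product")):
    """Sections a strict client would require but the certificate lacks."""
    present = parse_extensions(dump)
    return [name for name in required if name not in present]

def order_summary(dump):
    """Order fields keyed by the labels used in the MODEL view."""
    order = parse_extensions(dump).get("order", {})
    return {ORDER_FIELDS[k]: v for k, v in order.items() if k in ORDER_FIELDS}

# Extension lines copied from the certificate dump on this page.
PAGE_DUMP = """\
    1.3.6.1.4.1.2312.9.4.3: ..RH09XYU34
    1.3.6.1.4.1.2312.9.4.5: ..5
    1.3.6.1.4.1.2312.9.4.10: ..39
    1.3.6.1.4.1.2312.9.4.13: ..12331131231
    1.3.6.1.4.1.2312.9.5.1: .$6a9372a7-06b8-468b-8f77-0e1c8ecdba6f
"""
# Constructed line: a product entry (product id 37060 and its name are made up).
WITH_PRODUCT = PAGE_DUMP + "    1.3.6.1.4.1.2312.9.1.37060.1: ..Example OS\n"

if __name__ == "__main__":
    print(missing_sections(PAGE_DUMP), order_summary(PAGE_DUMP))
```

Calling `missing_sections` with `required=("order",)` models the relaxed client described in the later comment, which accepts a certificate that has order data but no product entries.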