Bug 641155
| Summary: | Candlepin should not generate certs that will be rejected by RHSM | ||
|---|---|---|---|
| Product: | [Community] Candlepin | Reporter: | Mark Sechrest <msechres> |
| Component: | candlepin | Assignee: | Bryan Kearney <bkearney> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | John Sefler <jsefler> |
| Severity: | high | Docs Contact: | |
| Priority: | low | ||
| Version: | 0.5 | CC: | bkearney, whayutin |
| Target Milestone: | --- | Keywords: | QA-Closed |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2011-02-23 21:51:26 UTC | Type: | --- |
| Bug Blocks: | 639436 | ||
Description
Mark Sechrest
2010-10-07 21:09:17 UTC
For posterity's sake, what data is missing? We can try and recreate it later.

Product data was missing, because the cp_pool_products entry was pointing to an eng product that didn't have any content sets mapped. (iirc) I assume that is just one example, tho. I would expect that any validity checks performed by rhsm should have equivalent logic in candlepin.

candlepin now throws an exception when no product information is available for encoding during entitlement certificate generation process. fix in sha: 5169319ef31a73926a04b5e0be79f3e944380d6d

candlepin's behavior has changed. It generates a certificate even when product information is not available. However, rhsm has been modified to accept entitlement certificates with no product info.

Verifying Version...
[root@jsefler-onprem01 pki]# rpm -q subscription-manager
subscription-manager-0.93.1-1.git.109.d31440b.fc12.i386
[root@jsefler-onprem01 pki]# subscription-manager register --username=testuser1 --password=password --type=person
6a9372a7-06b8-468b-8f77-0e1c8ecdba6f testuser1
[root@jsefler-onprem01 pki]# subscription-manager list --available
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL Personal
ProductId: RH09XYU34
PoolId: ff8080812c771c5c012c771d38470181
Quantity: 5
Expires: 2011-11-22
ProductName: RHEL Personal
ProductId: RH09XYU34
PoolId: ff8080812c771c5c012c771d38570183
Quantity: 10
Expires: 2011-11-22
[root@jsefler-onprem01 pki]# subscription-manager subscribe --pool=ff8080812c771c5c012c771d38470181
[root@jsefler-onprem01 pki]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: RHEL Personal
ContractNumber: 39
AccountNumber: 12331131231
SerialNumber: 11290530959739201
Active: True
Begins: 2010-11-22
Expires: 2011-11-22
[root@jsefler-onprem01 pki]# ls /etc/pki/entitlement/
11290530959739201.pem key.pem
[root@jsefler-onprem01 pki]# python /usr/share/rhsm/certificate.py /etc/pki/entitlement/11290530959739201.pem
/etc/pki/entitlement/11290530959739201.pem
RAW:
===================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
28:1c:ad:97:2e:49:41
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=jsefler-f12-candlepin.usersys.redhat.com, C=US, L=Raleigh
Validity
Not Before: Nov 23 16:49:19 2010 GMT
Not After : Nov 23 23:59:59 2011 GMT
Subject: CN=ff8080812c771c5c012c79a3b1590da2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Authority Key Identifier:
keyid:E3:E1:7C:33:22:EF:60:27:FD:93:C4:54:FE:28:F4:6F:F8:EE:0D:52
DirName:/CN=jsefler-f12-candlepin.usersys.redhat.com/C=US/L=Raleigh
serial:99:EF:2A:7E:23:FE:3E:06
X509v3 Subject Key Identifier:
4F:48:F9:89:A7:36:96:D2:71:65:9D:E4:62:B2:49:D6:A4:9C:23:30
X509v3 Extended Key Usage:
TLS Web Client Authentication
1.3.6.1.4.1.2312.9.4.1:
RHEL Personal .
1.3.6.1.4.1.2312.9.4.2:
. ff8080812c771c5c012c771cec9b00a2
1.3.6.1.4.1.2312.9.4.3:
..RH09XYU34
1.3.6.1.4.1.2312.9.4.5:
..5
1.3.6.1.4.1.2312.9.4.6:
..2010-11-23T00:00:00Z
1.3.6.1.4.1.2312.9.4.7:
..2011-11-23T00:00:00Z
1.3.6.1.4.1.2312.9.4.12:
..0
1.3.6.1.4.1.2312.9.4.10:
..39
1.3.6.1.4.1.2312.9.4.13:
..12331131231
1.3.6.1.4.1.2312.9.4.11:
..1
1.3.6.1.4.1.2312.9.5.1:
.$6a9372a7-06b8-468b-8f77-0e1c8ecdba6f
Signature Algorithm: sha1WithRSAEncryption
MODEL:
===================================
Serial#: 11290530959739201
Subject (CN): ff8080812c771c5c012c79a3b1590da2
Valid: [True]
2010-11-23 00:00:00+00:00
2011-11-23 00:00:00+00:00
Order {
Name ............ = RHEL Personal
Number .......... = ff8080812c771c5c012c771cec9b00a2
SKU ............. = RH09XYU34
Subscription .... = None
Quantity ........ = 5
Start (Ent) ..... = 2010-11-23T00:00:00Z
End (Ent) ....... = 2011-11-23T00:00:00Z
Virt Limit ...... = None
Socket Limit .... = None
Contract ........ = 39
Warning Period .. = 0
Account Number .. = 12331131231
}
VERIFIED... As evidenced by looking at the inners of the entitlement cert... Even though there is no product information in the certificate (which happens when a person subscribes to RHEL Personal), the rhsm client accepted the certificate and placed it in /etc/pki/entitlement/ .
Moving to VERIFIED
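
The verification above was done by reading the certificate's extensions by eye; the same reading can be scripted so that the issuing side and the client apply one check. This is an added example, not Candlepin or rhsm code: it parses extension lines from a text dump like the one in this report and reports whether any product entry is present. The order field names are matched by value against the MODEL output, and the product layout `1.3.6.1.4.1.2312.9.1.<product id>.<leaf>` is an assumption, since no such entry appears on this page.

```python
import re
ARC = "1.3.6.1.4.1.2312.9"  # OID arc of the extensions in the dump on this page
# Order-namespace leaves (ARC.4.x), matched by value against the MODEL output.
ORDER = {"1": "name", "2": "number", "3": "sku", "5": "quantity",
         "6": "start", "7": "end", "10": "contract",
         "12": "warning_period", "13": "account_number"}
OID_RE = re.compile(r"^(" + re.escape(ARC) + r"(?:\.\d+)+):$")

def strip_der_prefix(raw):
    """Drop the tag and length bytes the text dump prints before a string."""
    raw = raw.strip()
    if raw.startswith("."):
        return raw[2:]       # '.' is the tag byte, the next char the length byte
    return raw.rstrip(" .")  # prefix displaced, as on the page's name line

def parse_extensions(dump):
    """Map each ARC OID in an openssl-style text dump to its string value."""
    found, lines = {}, dump.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = OID_RE.match(line.strip())
        if m:
            found[m.group(1)] = strip_der_prefix(lines[i + 1])
    return found

def audit(dump):
    """Summarise the order, consumer and product data a certificate carries."""
    order, products, consumer = {}, set(), None
    for oid, value in parse_extensions(dump).items():
        ns, *rest = oid[len(ARC) + 1:].split(".")
        if ns == "4" and rest and rest[0] in ORDER:
            order[ORDER[rest[0]]] = value
        elif ns == "5" and rest == ["1"]:
            consumer = value
        elif ns == "1" and len(rest) >= 2:  # ASSUMED: ARC.1.<product id>.<leaf>
            products.add(rest[0])
    return {"order": order, "consumer": consumer,
            "products": sorted(products), "has_product_info": bool(products)}

# Constructed sample: extension lines copied from the transcript above.
SAMPLE = """\
1.3.6.1.4.1.2312.9.4.1:
RHEL Personal .
1.3.6.1.4.1.2312.9.4.2:
. ff8080812c771c5c012c771cec9b00a2
1.3.6.1.4.1.2312.9.4.3:
..RH09XYU34
1.3.6.1.4.1.2312.9.5.1:
.$6a9372a7-06b8-468b-8f77-0e1c8ecdba6f
"""
```

`audit(SAMPLE)` returns the order and consumer fields with `has_product_info` set to `False`, which is the condition this bug describes.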