Bug 735226

Summary: subscription-manager import should fail when there is no key bundled in the import file
Product: Red Hat Enterprise Linux 6
Component: subscription-manager
Version: 6.2
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Reporter: John Sefler <jsefler>
Assignee: Bryan Kearney <bkearney>
QA Contact: John Sefler <jsefler>
CC: skallesh, spandey
Doc Type: Bug Fix
Last Closed: 2011-12-06 17:23:56 UTC
Bug Blocks: 682238, 743047

Description John Sefler 2011-09-01 20:33:30 UTC
Description of problem:
Originally, the import function was designed to only import an entitlement cert. Later, after the fix for Bug 712980, the import function was redesigned to import a file containing both the entitlement cert and the key concatenated together. The problem now is that the import function still accepts import files containing only the cert without the key. The import should be blocked as demonstrated below...


Version-Release number of selected component (if applicable):
[root@jsefler-onprem-62server tmp]# rpm -q subscription-manager
subscription-manager-0.96.8-1.git.0.125eb68.el6.x86_64


Steps to Reproduce:

[root@jsefler-onprem-62server tmp]# rm -f /etc/pki/entitlement/*
[root@jsefler-onprem-62server tmp]# cat /tmp/importEntitlementsDir/8445775706013584472.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

^^^ NOTICE THAT THIS FILE CONTAINS NO KEY
LET'S TRY TO IMPORT IT...

[root@jsefler-onprem-62server tmp]# subscription-manager import --certificate=/tmp/importEntitlementsDir/8445775706013584472.pem
Successfully imported certificate 8445775706013584472.pem

BANG! THAT SHOULD HAVE BEEN BLOCKED WITH A MESSAGE: 8445775706013584472.pem is not a valid certificate file. Please use a valid certificate.

IF WE CONTINUE ON, YOU'LL SEE THAT THE list --consumed IS EMPTY UNTIL THE KEY IS ACTUALLY PRESENT...

[root@jsefler-onprem-62server tmp]# subscription-manager list --consumed
No Consumed subscription pools to list

^^^^ NO CONSUMED SUBSCRIPTIONS?  BUT WE JUST IMPORTED OUR CERTIFICATE. THIS IS WHY I BELIEVE THE IMPORT FILE IS NOT VALID UNTIL THE IMPORT FILE CONTAINS BOTH THE ENTITLEMENT AND KEY.
NOW LET'S MANUALLY COPY THE KEY INTO PLACE...

[root@jsefler-onprem-62server tmp]# cp /tmp/importEntitlementsDir/8445775706013584472-key.pem /etc/pki/entitlement/
[root@jsefler-onprem-62server tmp]# subscription-manager list --consumed
+-------------------------------------------+
    Consumed Product Subscriptions
+-------------------------------------------+


ProductName:        	Awesome OS for ppc64 Bits
ContractNumber:     	59                       
AccountNumber:      	12331131231              
SerialNumber:       	8445775706013584472      
Active:             	True                     
QuantityUsed:       	1                        
Begins:             	07/29/2011               
Expires:            	09/28/2012               

^^^ SEE, THE KEY REALLY IS NEEDED TO LIST THE CONSUMED ENTITLEMENT AND MAKE THE IMPORT FILE VALID
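
The check this report asks for, sketched as an added example (not the subscription-manager or python-rhsm fix, whose code is not shown on this page): an import file is accepted only if it contains both a certificate block and a key block. The function names, the accepted key labels and the sample bundles are assumptions; the check is structural only and does not verify that the key matches the certificate.

```python
import base64
import binascii
import re

# A PEM block: the BEGIN and END labels must match; the body is base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)
# Assumption: unencrypted RSA or PKCS#8 keys are the accepted key labels.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            continue  # corrupt base64 body: treat the block as absent
        if der:
            blocks.append((label, der))
    return blocks


def check_import_bundle(text, name):
    """Return (ok, message); ok only when a cert AND a key are both present."""
    labels = [label for label, _ in pem_blocks(text)]
    has_cert = "CERTIFICATE" in labels
    has_key = any(label in KEY_LABELS for label in labels)
    if has_cert and has_key:
        return True, "Successfully imported certificate %s" % name
    return False, ("%s is not a valid certificate file. "
                   "Please use a valid certificate." % name)


def _pem(label, payload):
    """Build a constructed PEM block around placeholder bytes (sample data)."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


# Constructed sample bundles: placeholder payloads, not real certs or keys.
CERT_ONLY = _pem("CERTIFICATE", b"constructed cert bytes")
CERT_AND_KEY = CERT_ONLY + _pem("RSA PRIVATE KEY", b"constructed key bytes")
```
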

Comment 1 Bryan Kearney 2011-09-02 17:34:53 UTC
Fixed in master:

subscription-manager: c735b3aceba60294f9b7288e34a85d93fbad5079
python-rhsm: 2d53024bcb743faaae9ed8578485fb02b1b43e39

Comment 3 Shwetha Kallesh 2011-09-07 07:08:44 UTC
Moving the bug to verified.

RPM used:
rpm -q subscription-manager
subscription-manager-0.96.8-1.git.18.770d58e.el6.x86_64

Steps to reproduce the same:

subscription-manager import --certificate=/tmp/importEntitlementsDir/7721920600178412967.pem
7721920600178412967.pem is not a valid certificate file. Please use a valid certificate.

Comment 4 errata-xmlrpc 2011-12-06 17:23:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1695.html