Bug 796295

Summary: cannot decode Basic Constraints
Product: Red Hat Enterprise Linux 6
Component: python-nss
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Rob Crittenden <rcritten>
Assignee: John Dennis <jdennis>
QA Contact: Patrik Kis <pkis>
CC: dcantrell, dpal, jdennis, pkis
Target Milestone: rc
Fixed In Version: python-nss-0.13
Doc Type: Bug Fix
Clone Of: 796293
Last Closed: 2013-02-21 10:11:57 UTC
Bug Depends On: 796293
Bug Blocks: 747991, 791327

Description Rob Crittenden 2012-02-22 16:12:46 UTC
+++ This bug was initially created as a clone of Bug #796293 +++

Description of problem:

I have a CA cert and I'm trying to pick out its constraints and parsing it is failing in python-nss with:

$ python ~rcrit/python_nss/doc/examples/cert_dump.py /etc/ipa/ca.crt
Traceback (most recent call last):
  File "/home/rcrit/cert_dump.py", line 183, in <module>
    print_extension(2, extension)
  File "/home/rcrit/cert_dump.py", line 101, in print_extension
    bc = nss.BasicConstraints(extension.value)
nss.error.NSPRError: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.: 'cannot decode Basic Constraints'

Version-Release number of selected component (if applicable):

python-nss-0.12-1.fc16.x86_64

--- Additional comment from rcritten on 2012-02-22 11:08:09 EST ---

Created attachment 565031
The failing CA PEM file

Comment 1 Rob Crittenden 2012-02-22 16:13:14 UTC
Fails differently in RHEL 6.2, may be due to older version in RHEL.

$ python cert_dump.py /etc/ipa/ca.crt 
certificate filename=/etc/ipa/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm:
Traceback (most recent call last):
  File "cert_dump.py", line 171, in <module>
    print nss.indented_format(cert.signature_algorithm.format_lines(3))
AttributeError: 'nss.nss.SignatureAlgorithm' object has no attribute 'format_lines'

Comment 2 John Dennis 2012-02-23 18:38:01 UTC
The format specifier for PyArg_ParseTupleAndKeywords in BasicConstraints_init()
was wrong: instead of "O|i" it should have been "O!". Looks like it was a
cut-n-paste bug.

<     if (!PyArg_ParseTupleAndKeywords(args, kwds, "O|i:BasicConstraints",
kwlist,
---
>     if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!:BasicConstraints", kwlist,
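Review bot: On the replacement line, "O!" consumes two C arguments, a type object followed by the address of the PyObject pointer, but the call is cut off at kwlist, so the arguments that follow it are not visible here. Worth showing the full call so a reader can confirm that the expected type object is passed before the destination pointer and that the int destination that went with the old "|i" is gone. A regression test that constructs BasicConstraints from a CA certificate's extension value, as in the traceback in the description, would also guard this init path.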


As for SignatureAlgorithm not having a format_lines method, that's due to version skew between the example code and the library. That was a change between 0.11 and 0.12; RHEL6 is still back at 0.11. That difference will not affect your use of BasicConstraints.
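
One way to check, independently of python-nss, whether a Basic Constraints extension value is itself well-formed DER, which separates a malformed certificate from a binding bug like the one in Comment 2. This is an added example, not code from python-nss or from this report; the function names and sample byte strings are constructed, and it targets Python 3.

```python
# Added example: stand-alone DER decoder for a BasicConstraints extension value
# (RFC 5280, section 4.2.1.9). Not python-nss code; all names are hypothetical.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_basic_constraints(der):
    """Return (is_ca, path_len); path_len is None when the field is absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:  # cA BOOLEAN DEFAULT FALSE
        _, val, pos = _read_tlv(body, pos)
        if val not in (b"\x00", b"\xff"):
            raise ValueError("BOOLEAN is not DER-encoded")
        is_ca = val == b"\xff"
    if pos < len(body) and body[pos] == 0x02:  # pathLenConstraint INTEGER
        _, val, pos = _read_tlv(body, pos)
        if not val or val[0] & 0x80:
            raise ValueError("pathLenConstraint must be a non-negative INTEGER")
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected trailing data in SEQUENCE")
    return is_ca, path_len

if __name__ == "__main__":
    # Constructed sample values: CA without path length, empty sequence, CA with pathlen 0.
    for sample in ("30030101ff", "3000", "30060101ff020100"):
        print(sample, decode_basic_constraints(bytes.fromhex(sample)))
```

If the extension value decodes cleanly here but the library still reports a DER error, the fault is more likely in the binding or its version than in the certificate.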

Comment 8 errata-xmlrpc 2013-02-21 10:11:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0405.html