Bug 1251561 - ipa vault-add Unknown option: ipavaultpublickey
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Assigned To: IPA Maintainers
Namita Soman
Duplicates: 1253455 1253498
Reported: 2015-08-07 13:27 EDT by Scott Poore
Modified: 2015-11-19 07:05 EST

Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:05:09 EST
Type: Bug

Description Scott Poore 2015-08-07 13:27:39 EDT
Description of problem:

Trying to add a vault with --public-key returns an error:

[root@master ~]# I=$(( I += 1 )) ; ipa vault-add myvault$I --public-key="$PUBKEYBLOB"
ipa: ERROR: Unknown option: ipavaultpublickey


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64

How reproducible:
always


Steps to Reproduce:
1.  Install IPA Server
ipa-server-install

2.  Install KRA 
ipa-kra-install

3. Add vault with private key blob (not key file):
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -out public.pem -pubout
PUBKEYBLOB=$(cat public.pem |grep -v '^-----'|tr -d '\n\r')
ipa vault-add myvault --public-key="$PUBKEYBLOB"


Actual results:
ipa: ERROR: Unknown option: ipavaultpublickey

Expected results:
add vault with key blob

Additional info:
Comment 2 Petr Vobornik 2015-08-10 17:14:57 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5195
Comment 5 Scott Poore 2015-08-13 12:43:05 EDT
FYI, I'm also seeing this:

[root@master ~]# ipa vault-add vname --type asymmetric --public-key="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm2Ld6QaroYiTZtclece+iLzjDQh/D01CFWfJK1c3A8gftC+OVyDk1Rrffm3xkj4OOxWCfKgBr3KLX5OXbxaTJ8yBeX/5L/Euky3evbhbD5yETOyepfIEi8AIesQfmaUwfEwQlzBoDJcthLHPRhc5pFNJAq9rSVI2x2k3oORIC+3kvqm4NKaq8tvIjeuMDeHryJlG9o02CQOMUNnpzkr5uUskiId91r7ra+lxzXHthLM32IgUkXwWs1grrA0nVFkFPIJ8655JlKYTW11NfHeUrV9ITvxYI9DcYAF/ZcWvSF8TUisu0oOoxjXRIP4L3slEGSC37nNs0Swb/xl1zVgOrwIDAQAB"
ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 674, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 999, in forward
    public_key = vault['ipavaultpublickey'][0].encode('utf-8')
UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
ipa: ERROR: an internal error has occurred


From /var/log/httpd/error_log:

[Thu Aug 13 11:40:43.336940 2015] [:error] [pid 16042] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: vault_add_internal(u'vname', ipavaulttype=u'asymmetric', ipavaultpublickey='0\\x82\\x01"0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x82\\x01\\x0f\\x000\\x82\\x01\\n\\x02\\x82\\x01\\x01\\x00\\x9bb\\xdd\\xe9\\x06\\xab\\xa1\\x88\\x93f\\xd7%y\\xc7\\xbe\\x88\\xbc\\xe3\\r\\x08\\x7f\\x0fMB\\x15g\\xc9+W7\\x03\\xc8\\x1f\\xb4/\\x8eW \\xe4\\xd5\\x1a\\xdf~m\\xf1\\x92>\\x0e;\\x15\\x82|\\xa8\\x01\\xafr\\x8b_\\x93\\x97o\\x16\\x93\\'\\xcc\\x81y\\x7f\\xf9/\\xf1.\\x93-\\xde\\xbd\\xb8[\\x0f\\x9c\\x84L\\xec\\x9e\\xa5\\xf2\\x04\\x8b\\xc0\\x08z\\xc4\\x1f\\x99\\xa50|L\\x10\\x970h\\x0c\\x97-\\x84\\xb1\\xcfF\\x179\\xa4SI\\x02\\xafkIR6\\xc7i7\\xa0\\xe4H\\x0b\\xed\\xe4\\xbe\\xa9\\xb84\\xa6\\xaa\\xf2\\xdb\\xc8\\x8d\\xeb\\x8c\\r\\xe1\\xeb\\xc8\\x99F\\xf6\\x8d6\\t\\x03\\x8cP\\xd9\\xe9\\xceJ\\xf9\\xb9K$\\x88\\x87}\\xd6\\xbe\\xebk\\xe9q\\xcdq\\xed\\x84\\xb37\\xd8\\x88\\x14\\x91|\\x16\\xb3X+\\xac\\r\\'TY\\x05<\\x82|\\xeb\\x9eI\\x94\\xa6\\x13[]M|w\\x94\\xad_HN\\xfcX#\\xd0\\xdc`\\x01\\x7fe\\xc5\\xafH_\\x13R+.\\xd2\\x83\\xa8\\xc65\\xd1 \\xfe\\x0b\\xde\\xc9D\\x19 \\xb7\\xeesl\\xd1,\\x1b\\xff\\x19u\\xcdX\\x0e\\xaf\\x02\\x03\\x01\\x00\\x01', shared=False, all=False, raw=False, version=u'2.148', no_members=False): SUCCESS


And this is the version of IPA:

ipa-server-4.2.0-4.el7.x86_64
Comment 6 Scott Poore 2015-08-13 17:06:29 EDT
FYI:

[root@master ~]# ipa vault-add --type=symmetric vname_symmetric --public-key="$(cat public.pem |grep -v -- "----"|tr -d '[\n\r]')"
New password: 
Verify password: 
ipa: ERROR: Unknown option: ipavaultpublickey
Comment 7 Petr Vobornik 2015-08-14 04:01:01 EDT
The issue in comment 5 is bug 1251561. 

Comment 6 will be also fixed with patch in comment 3.
Comment 8 Petr Vobornik 2015-08-14 04:03:32 EDT
Sorry, in comment 7 I meant bug 1245225
Comment 9 Petr Vobornik 2015-08-14 04:07:21 EDT
*** Bug 1253498 has been marked as a duplicate of this bug. ***
Comment 10 Petr Vobornik 2015-08-14 04:14:41 EDT
Note that the fix validates that:
- options password and password-file can be used only with symmetric vault
- options public-key and public-key-file can be used only with asymmetric vault

I.e. the "unknown option" error appeared because the usage was not correct. Therefore expected result from comment one is:

"validation error is displayed".
Comment 12 Scott Poore 2015-08-20 18:36:13 EDT
Verified

Version ::

ipa-server-4.2.0-5.el7.x86_64

Results ::

[root@rhel7-8 yum.repos.d]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/7]: configuring KRA instance
  [2/7]: add RA user to KRA agent group
  [3/7]: restarting KRA
  [4/7]: configure certmonger for renewals
  [5/7]: configure certificate renewals
  [6/7]: configure HTTP to proxy connections
  [7/7]: add vault container
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful
[root@rhel7-8 yum.repos.d]# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
...........+++
................................+++
e is 65537 (0x10001)
[root@rhel7-8 yum.repos.d]# openssl rsa -in private.pem -out public.pem -pubout
writing RSA key
[root@rhel7-8 yum.repos.d]# PUBKEYBLOB=$(cat public.pem |base64)
[root@rhel7-8 yum.repos.d]# ipa vault-add myvault --type=asymmetric --public-key="$PUBKEYBLOB"
---------------------
Added vault "myvault"
---------------------
  Vault name: myvault
  Type: asymmetric
  Public key: [key data not preserved]
  Owner users: admin
  Vault user: admin

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --public-key="$PUBKEYBLOB"
ipa: ERROR: Public key can be specified only for asymmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=symmetric --public-key="$PUBKEYBLOB"
ipa: ERROR: Public key can be specified only for asymmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=standard --public-key="$PUBKEYBLOB"
ipa: ERROR: Public key can be specified only for asymmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=asymmetric --password="test"
ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# echo test > /tmp/password_file

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=asymmetric --password-file=/tmp/password_file 
ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --password-file=/tmp/password_file
ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --password=passworde 
ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add vname --type asymmetric --public-key="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArRlzdzLu1ixE3CgFPagagPlYo/Usw48MYl+pGhMNoN9e+DN2LUawcLcoxGo76e6MV1svEY+rt6irO8eaUMzpgs4zjwTdtPdLFqhtxZmpN5kD0jZzMNUiAWLWU0HNEzwo+iDs254x/PiqwryfXF5RlFHCs/4pwxsWS3MSHvze4ONtl9yyMoY/7W3ofvp6kURZ1K9936hlZkr/2gOtYWbgInn/gkWATI5ybVz/EY9tPDhQTE8W2JqdpzNEf8ZTxLU3sx62Jxs9aeiuJz8hyCnhofya3vhYTd5d+dFS9PlorgRg3jqTKEIugoFI6XysykcnTdnlujxHwwMgwulYUkxX9QIDAQAB"
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data.
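
Added example, not part of the bug report or of IPA's code: a pre-flight check mirroring the two behaviours verified in comment 12, namely the option/type validation listed in comment 10 and the difference between the accepted --public-key value (base64 of the whole PEM file) and the rejected one (the bare base64 body, which decodes to raw DER, as the error_log line in comment 5 shows). The function names and the sample key bytes are constructed for illustration.

```python
import base64
import binascii

PEM_HEADER = b"-----BEGIN PUBLIC KEY-----"


def classify_public_key_option(value_b64):
    """Classify what a --public-key value decodes to: pem, der, not-base64 or unknown."""
    try:
        raw = base64.b64decode("".join(value_b64.split()), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if raw.lstrip().startswith(PEM_HEADER):
        return "pem"
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag: bare DER SubjectPublicKeyInfo
        return "der"
    return "unknown"


def preflight(vault_type, public_key=None, password=None):
    """Return the problems a vault-add call with these options would hit (hypothetical helper)."""
    problems = []
    if public_key is not None and vault_type != "asymmetric":
        problems.append("Public key can be specified only for asymmetric vault")
    if password is not None and vault_type != "symmetric":
        problems.append("Password can be specified only for symmetric vault")
    if public_key is not None and vault_type == "asymmetric":
        kind = classify_public_key_option(public_key)
        if kind != "pem":
            problems.append("public key decodes to %s, expected base64 of the whole PEM file" % kind)
    return problems


# Constructed stand-in, not a real key: the 4-byte DER prefix visible in the
# error_log line (0\x82\x01") followed by zero padding.
SAMPLE_DER = b"\x30\x82\x01\x22" + b"\x00" * 290
SAMPLE_PEM = PEM_HEADER + b"\n" + base64.encodebytes(SAMPLE_DER) + b"-----END PUBLIC KEY-----\n"

# What `grep -v '^-----' | tr -d '\n\r'` yields: the bare base64 body.
STRIPPED_BLOB = base64.b64encode(SAMPLE_DER).decode()
# What `cat public.pem | base64` yields: base64 of the full PEM text.
WHOLE_PEM_BLOB = base64.encodebytes(SAMPLE_PEM).decode()

if __name__ == "__main__":
    print(preflight("asymmetric", public_key=STRIPPED_BLOB))
    print(preflight("asymmetric", public_key=WHOLE_PEM_BLOB))
    print(preflight("symmetric", public_key=WHOLE_PEM_BLOB))
```
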
Comment 13 Petr Vobornik 2015-09-01 10:06:04 EDT
*** Bug 1253455 has been marked as a duplicate of this bug. ***
Comment 14 errata-xmlrpc 2015-11-19 07:05:09 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html