Bug 1366604 - `cert-find` crashes on invalid certificate data
Summary: `cert-find` crashes on invalid certificate data
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-12 12:35 UTC by Petr Vobornik
Modified: 2016-11-04 06:00 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-11-04 06:00:52 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-08-12 12:35:02 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6150

When `cert-find` comes in contact with an invalid certificate data (be it from command line or LDAP), it crashes with internal error:
{{{
$ ipa cert-find --certificate=bougscrt
ipa: ERROR: an internal error has occurred
}}}
{{{
[Mon Aug 01 09:44:26.024346 2016] [wsgi:error] [pid 121350] ipa: ERROR: non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
[Mon Aug 01 09:44:26.024383 2016] [wsgi:error] [pid 121350] Traceback (most recent call last):
[Mon Aug 01 09:44:26.024387 2016] [wsgi:error] [pid 121350]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 352, in wsgi_execute
[Mon Aug 01 09:44:26.024390 2016] [wsgi:error] [pid 121350]     result = self.Command[name](*args, **options)
[Mon Aug 01 09:44:26.024393 2016] [wsgi:error] [pid 121350]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Mon Aug 01 09:44:26.024395 2016] [wsgi:error] [pid 121350]     return self.__do_call(*args, **options)
[Mon Aug 01 09:44:26.024398 2016] [wsgi:error] [pid 121350]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Mon Aug 01 09:44:26.024400 2016] [wsgi:error] [pid 121350]     ret = self.run(*args, **options)
[Mon Aug 01 09:44:26.024403 2016] [wsgi:error] [pid 121350]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Mon Aug 01 09:44:26.024405 2016] [wsgi:error] [pid 121350]     return self.execute(*args, **options)
[Mon Aug 01 09:44:26.024408 2016] [wsgi:error] [pid 121350]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 1145, in execute
[Mon Aug 01 09:44:26.024410 2016] [wsgi:error] [pid 121350]     self.obj._parse(obj)
[Mon Aug 01 09:44:26.024412 2016] [wsgi:error] [pid 121350]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 299, in _parse
[Mon Aug 01 09:44:26.024415 2016] [wsgi:error] [pid 121350]     cert = x509.load_certificate(obj['certificate'])
[Mon Aug 01 09:44:26.024435 2016] [wsgi:error] [pid 121350]   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
[Mon Aug 01 09:44:26.024439 2016] [wsgi:error] [pid 121350]     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
[Mon Aug 01 09:44:26.024441 2016] [wsgi:error] [pid 121350] NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
}}}

Fix the command not to crash on invalid data.

Comment 1 Martin Bašti 2016-08-17 11:48:31 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8ad03259fe770b222e70286fd00c3416b4ed197d

Comment 3 Sudhir Menon 2016-09-16 03:46:47 UTC
Martin/Petr,

I tested this on RHEL73 using ipa-server-4.4.0-11.el7.x86_64
Although i don't see a traceback, i see the below warning message, can you please confirm this is not an issue.

[root@master ~]# ipa cert-find --certificate=bougscrt
ipa: WARNING: Search result has been truncated: failed to load certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
----------------------
0 certificates matched
----------------------
----------------------------
Number of entries returned 0
----------------------------

[root@master ~]# ipa cert-find
-----------------------
10 certificates matched
-----------------------
  Issuing CA: ipa
  Subject: CN=Certificate Authority,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 1
  Serial number (hex): 0x1
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=OCSP Subsystem,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 2
  Serial number (hex): 0x2
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=master.test-relm.test,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 3
  Serial number (hex): 0x3
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=CA Subsystem,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 4
  Serial number (hex): 0x4
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=CA Audit,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 5
  Serial number (hex): 0x5
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=ipa-ca-agent,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 6
  Serial number (hex): 0x6
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=IPA RA,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 7
  Serial number (hex): 0x7
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=master.test-relm.test,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 8
  Serial number (hex): 0x8
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=master.test-relm.test,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 9
  Serial number (hex): 0x9
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=Object Signing Cert,O=TEST-RELM.TEST
  Issuer: CN=Certificate Authority,O=TEST-RELM.TEST
  Serial number: 10
  Serial number (hex): 0xA
  Status: VALID
  Revoked: False
-----------------------------
Number of entries returned 10
-----------------------------

Comment 4 Martin Bašti 2016-09-16 07:25:25 UTC
The warning message is expected

Comment 6 errata-xmlrpc 2016-11-04 06:00:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html


Note You need to log in before you can comment on or make changes to this bug.