Bug 1371479 – cert-find --all does not show information about revocation

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1371479 - cert-find --all does not show information about revocation

Summary:	cert-find --all does not show information about revocation

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	7.3
Hardware:	Unspecified Unspecified

Priority	high Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	IPA Maintainers
QA Contact:	Ganna Kaihorodova
Docs Contact:	Aneta Šteflová Petrová

URL:
Whiteboard:
Keywords:	ZStream

Depends On:
Blocks:	1389252
	Show dependency tree / graph

Reported:	2016-08-30 06:04 EDT by Martin Bašti
Modified:	2017-08-01 05:39 EDT (History)
CC List:	13 users (show)

See Also:
Fixed In Version:	ipa-4.4.0-13.el7
Doc Type:	Known Issue
Doc Text:	The IdM web UI does not correctly recognize the status of a revoked certificate The Identity Management (IdM) web UI is currently unable to determine whether a certificate has been revoked. As a consequence: * The `Revoked` sign is not displayed when viewing the certificate from the user, service, or host details page. * The `Revoke` action is still available from the details page. Attempting to revoke an already revoked certificate results in an error dialog. * The `Remove Hold` button is always disabled even if the certificate has been revoked because of Certificate Hold (revocation reason 6).
Story Points:	---
Clone Of:
Clones:	1389252 (view as bug list)
Environment:
Last Closed:	2017-08-01 05:39:54 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Verification for bug "cert-find --all does not show information about revocation" (9.76 KB, text/plain) 2017-05-17 09:45 EDT, Ganna Kaihorodova	no flags	Details
verification screenshot for webUI part of the bug (124.98 KB, image/png) 2017-05-17 09:48 EDT, Ganna Kaihorodova	no flags	Details
verification screenshot #2 for webUI part of the bug (128.49 KB, image/png) 2017-05-17 09:49 EDT, Ganna Kaihorodova	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 08:41:35 EDT

Groups: None (edit)

Description Martin Bašti 2016-08-30 06:04:01 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6269

Version: 4.4.0.201608262125GITfbc9179

Cert-find with --all option stopped to show information whether certificate is revoked and the reason of revocation. Affects CLI and API. 

These information are needed to correctly disable and enable Revoke and Remove Hold buttons on user/service/host details pages in WebUI.

Comment 1 Martin Bašti 2016-08-30 06:05:10 EDT

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/22d5f579bbd8bb452cf1bf620294ab6ade6e7c47

Comment 5 Scott Poore 2016-09-16 12:47:44 EDT

I see revoked but, I don't see a reason.

This user was revoked with reason 6 (certificateHold)

[root@master ~]# ipa cert-find --all --subject="certuser6"
---------------------
1 certificate matched
---------------------
  Certificate: MIID+zCCAuOgAwIBAgIBITANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDkxNjE2MzQ0MFoXDTE4MDkxNzE2MzQ0MFowJzERMA8GA1UECgwISVBBLlRFU1QxEjAQBgNVBAMMCWNlcnR1c2VyNjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANP+2OaUy+yY9oHiDI7Y/0vvVbLOoSibqBxKACkioAor60hacKQ6U6FRfkf+RFLk2mZC1sZujQQTV5coZM2iaw6R+EoUSU9iBnzYN28dg4mtANs7LcSI30nC/GKfKBonIJxTSFJzRO9McQsyuOZpASpyTXmK8q3jIHesbt+YIiaFOiHg0lEp8YwC9BXDfpsddPHUGSpKTmahfsA+SnmfAHvMPB9By4qG+l+mFIKhoc7A4GC+bagY0gInJypVixyGHaFHAISj6EmcoNA+Jt9s+7AVlhVOLNWwiX/kBtHBTHjHZ7MnQSSFHJetO5a6qxgT1WozMnB++ol+MyTeUx6NE2kCAwEAAaOCASQwggEgMB8GA1UdIwQYMBaAFHd7AWUYXj4zbNHmYYZgzTb1jQu8MDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYeaHR0cDovL2lwYS1jYS5pcGEudGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwcwYDVR0fBGwwajBooDCgLoYsaHR0cDovL2lwYS1jYS5pcGEudGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFGG94ybYfpzIfsdKmNbkS2MGUdF9MA0GCSqGSIb3DQEBCwUAA4IBAQBdXvmzwChyPlksQXH8VSkqXLEILgqcoa+ntqFyO+wWbgBr/Uf6lcC+f17RuGyahDMr7WfbwHi4tZZxk8UkUwdC3uyaFom1Zvshjkdm3D5RTfFfZAulX2TbzNQnsfR5q51TuYYpvqz5Ed7e9AnHRvMd36Qkog21VGFmoC13TIvD6SzhCtCnFUUR/HViUeSuUlBipV7CVBqfsYGQvDvQd9cOGwesmsq0kIYF++edYzN/pOV5tW9QR6gNEu9jbup3xm9kZyElCb/WGsV5ugtyAEGyCq7Ny6EI4VLtSB0AEb8tvBGuZj2hnEQ+lCR40X+QINkAelZ7rWmjwAEoZalaFUdL
  Subject: CN=certuser6,O=IPA.TEST
  Issuer: CN=Certificate Authority,O=IPA.TEST
  Not Before: Fri Sep 16 16:34:40 2016 UTC
  Not After: Mon Sep 17 16:34:40 2018 UTC
  Fingerprint (MD5): 54:99:de:e6:ae:ad:17:fc:0f:e2:98:d9:f2:8a:70:f4
  Fingerprint (SHA1): 61:41:b9:01:57:e2:d4:7c:f5:bd:af:1d:12:06:b1:9c:83:d1:85:8b
  Serial number: 33
  Serial number (hex): 0x21
  Status: REVOKED
  Revoked: True
  Owner user: certuser6
----------------------------
Number of entries returned 1
----------------------------


I can remove the hold:

[root@master ~]#  ipa cert-remove-hold 33
  Unrevoked: True


But I cannot tell from cert-find what the reason is.  From the initial bug description that should be added as well, right?

Comment 6 Scott Poore 2016-09-19 09:30:20 EDT

Petr,

Can you help with this?  This should be showing the reason too right?

Thanks,
Scott

Comment 7 Petr Vobornik 2016-09-19 11:01:13 EDT

Pavel, the original bug description talks about revocation reason, but the fix doesn't touch it. Was this bug about it?

Comment 8 Pavel Vomacka 2016-09-19 11:05:22 EDT

Yes, it was about the information whether bug is revoked and if it is then what is the reason. The revocation reason is needed.

Comment 9 Scott Poore 2016-09-19 14:33:54 EDT

Moving back to assigned since it does look like revocation reason should be listed.

Comment 17 Martin Bašti 2016-10-13 15:05:28 EDT

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/16dad1c3cb09acee946bc5b2409447279a8bc0de
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/30b478113e0dd7993f491c1582003567e9b20d13

Comment 22 Ganna Kaihorodova 2017-05-17 09:45 EDT

Created attachment 1279694 [details]
Verification for bug "cert-find --all does not show information about revocation"

Comment 23 Ganna Kaihorodova 2017-05-17 09:48 EDT

Created attachment 1279695 [details]
verification screenshot for webUI part of the bug

Comment 24 Ganna Kaihorodova 2017-05-17 09:49 EDT

Created attachment 1279696 [details]
verification screenshot #2 for webUI part of the bug

Comment 25 errata-xmlrpc 2017-08-01 05:39:54 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.