Bug 1371479 - cert-find --all does not show information about revocation
Summary: cert-find --all does not show information about revocation
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Ganna Kaihorodova
Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords: ZStream
Depends On:
Blocks: 1389252
 
Reported: 2016-08-30 10:04 UTC by Martin Bašti
Modified: 2017-08-01 09:39 UTC (History)

Fixed In Version: ipa-4.4.0-13.el7
Doc Type: Known Issue
Doc Text:
The IdM web UI does not correctly recognize the status of a revoked certificate
The Identity Management (IdM) web UI is currently unable to determine whether a certificate has been revoked. As a consequence:
* The `Revoked` sign is not displayed when viewing the certificate from the user, service, or host details page.
* The `Revoke` action is still available from the details page. Attempting to revoke an already revoked certificate results in an error dialog.
* The `Remove Hold` button is always disabled even if the certificate has been revoked because of Certificate Hold (revocation reason 6).
Story Points: ---
Clone Of:
: 1389252
Environment:
Last Closed: 2017-08-01 09:39:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Verification for bug "cert-find --all does not show information about revocation" (9.76 KB, text/plain)
2017-05-17 13:45 UTC, Ganna Kaihorodova
verification screenshot for webUI part of the bug (124.98 KB, image/png)
2017-05-17 13:48 UTC, Ganna Kaihorodova
verification screenshot #2 for webUI part of the bug (128.49 KB, image/png)
2017-05-17 13:49 UTC, Ganna Kaihorodova


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Martin Bašti 2016-08-30 10:04:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6269

Version: 4.4.0.201608262125GITfbc9179

Cert-find with the --all option stopped showing information on whether a certificate is revoked and the reason for revocation. Affects CLI and API.

This information is needed to correctly disable and enable the Revoke and Remove Hold buttons on user/service/host details pages in WebUI.

Comment 1 Martin Bašti 2016-08-30 10:05:10 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/22d5f579bbd8bb452cf1bf620294ab6ade6e7c47

Comment 5 Scott Poore 2016-09-16 16:47:44 UTC
I see revoked, but I don't see a reason.

This user was revoked with reason 6 (certificateHold)

[root@master ~]# ipa cert-find --all --subject="certuser6"
---------------------
1 certificate matched
---------------------
  Certificate: MIID+zCCAuOgAwIBAgIBITANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDkxNjE2MzQ0MFoXDTE4MDkxNzE2MzQ0MFowJzERMA8GA1UECgwISVBBLlRFU1QxEjAQBgNVBAMMCWNlcnR1c2VyNjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANP+2OaUy+yY9oHiDI7Y/0vvVbLOoSibqBxKACkioAor60hacKQ6U6FRfkf+RFLk2mZC1sZujQQTV5coZM2iaw6R+EoUSU9iBnzYN28dg4mtANs7LcSI30nC/GKfKBonIJxTSFJzRO9McQsyuOZpASpyTXmK8q3jIHesbt+YIiaFOiHg0lEp8YwC9BXDfpsddPHUGSpKTmahfsA+SnmfAHvMPB9By4qG+l+mFIKhoc7A4GC+bagY0gInJypVixyGHaFHAISj6EmcoNA+Jt9s+7AVlhVOLNWwiX/kBtHBTHjHZ7MnQSSFHJetO5a6qxgT1WozMnB++ol+MyTeUx6NE2kCAwEAAaOCASQwggEgMB8GA1UdIwQYMBaAFHd7AWUYXj4zbNHmYYZgzTb1jQu8MDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYeaHR0cDovL2lwYS1jYS5pcGEudGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwcwYDVR0fBGwwajBooDCgLoYsaHR0cDovL2lwYS1jYS5pcGEudGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFGG94ybYfpzIfsdKmNbkS2MGUdF9MA0GCSqGSIb3DQEBCwUAA4IBAQBdXvmzwChyPlksQXH8VSkqXLEILgqcoa+ntqFyO+wWbgBr/Uf6lcC+f17RuGyahDMr7WfbwHi4tZZxk8UkUwdC3uyaFom1Zvshjkdm3D5RTfFfZAulX2TbzNQnsfR5q51TuYYpvqz5Ed7e9AnHRvMd36Qkog21VGFmoC13TIvD6SzhCtCnFUUR/HViUeSuUlBipV7CVBqfsYGQvDvQd9cOGwesmsq0kIYF++edYzN/pOV5tW9QR6gNEu9jbup3xm9kZyElCb/WGsV5ugtyAEGyCq7Ny6EI4VLtSB0AEb8tvBGuZj2hnEQ+lCR40X+QINkAelZ7rWmjwAEoZalaFUdL
  Subject: CN=certuser6,O=IPA.TEST
  Issuer: CN=Certificate Authority,O=IPA.TEST
  Not Before: Fri Sep 16 16:34:40 2016 UTC
  Not After: Mon Sep 17 16:34:40 2018 UTC
  Fingerprint (MD5): 54:99:de:e6:ae:ad:17:fc:0f:e2:98:d9:f2:8a:70:f4
  Fingerprint (SHA1): 61:41:b9:01:57:e2:d4:7c:f5:bd:af:1d:12:06:b1:9c:83:d1:85:8b
  Serial number: 33
  Serial number (hex): 0x21
  Status: REVOKED
  Revoked: True
  Owner user: certuser6
----------------------------
Number of entries returned 1
----------------------------


I can remove the hold:

[root@master ~]#  ipa cert-remove-hold 33
  Unrevoked: True


But I cannot tell from cert-find what the reason is.  From the initial bug description that should be added as well, right?

Comment 6 Scott Poore 2016-09-19 13:30:20 UTC
Petr,

Can you help with this?  This should be showing the reason too, right?

Thanks,
Scott

Comment 7 Petr Vobornik 2016-09-19 15:01:13 UTC
Pavel, the original bug description talks about revocation reason, but the fix doesn't touch it. Was this bug about it?

Comment 8 Pavel Vomacka 2016-09-19 15:05:22 UTC
Yes, it was about the information on whether the bug is revoked and, if it is, what the reason is. The revocation reason is needed.

Comment 9 Scott Poore 2016-09-19 18:33:54 UTC
Moving back to assigned since it does look like revocation reason should be listed.
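
The check discussed in comments 5 to 9, as an added example (not FreeIPA code and not part of the original thread): it parses `ipa cert-find --all` text output, derives the Revoke / Remove Hold button state described in the bug, and flags revoked entries that carry no reason. The sample output is constructed, and the `Revocation reason` label is an assumption, since the output quoted above does not show that field.

```python
import re

# RFC 5280 CRLReason code for certificateHold, the "reason 6" named in this bug.
CERTIFICATE_HOLD = 6

# Constructed sample: trimmed `ipa cert-find --all` text output. Entry 1 mirrors
# the fields shown in comment 5 (no reason). The "Revocation reason" line in
# entry 2 is an assumed label for the field the comments ask for.
SAMPLE = """\
  Subject: CN=certuser6,O=IPA.TEST
  Serial number: 33
  Status: REVOKED
  Revoked: True

  Subject: CN=certuser7,O=IPA.TEST
  Serial number: 34
  Status: REVOKED
  Revoked: True
  Revocation reason: 6

  Subject: CN=certuser8,O=IPA.TEST
  Serial number: 35
  Status: VALID
"""

def parse_entries(text):
    """Split the output into blank-line separated entries of label -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            label, sep, value = line.strip().partition(": ")
            if sep:  # separator and summary lines carry no "label: value" pair
                fields[label] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def action_state(entry):
    """Decide which details-page actions make sense for one certificate."""
    revoked = entry.get("Revoked") == "True" or entry.get("Status") == "REVOKED"
    reason = entry.get("Revocation reason")
    reason = int(reason) if reason is not None and reason.isdigit() else None
    return {
        "serial": int(entry["Serial number"]),
        "revoke_enabled": not revoked,
        "remove_hold_enabled": revoked and reason == CERTIFICATE_HOLD,
        "reason_missing": revoked and reason is None,  # the gap from comment 5
    }
```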

Comment 22 Ganna Kaihorodova 2017-05-17 13:45 UTC
Created attachment 1279694 [details]
Verification for bug "cert-find --all does not show information about revocation"

Comment 23 Ganna Kaihorodova 2017-05-17 13:48 UTC
Created attachment 1279695 [details]
verification screenshot for webUI part of the bug

Comment 24 Ganna Kaihorodova 2017-05-17 13:49 UTC
Created attachment 1279696 [details]
verification screenshot #2 for webUI part of the bug

Comment 25 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

