Bug 2023229 - CSR with 'BEGIN NEW CERTIFICATE REQUEST' no longer accepted
Summary: CSR with 'BEGIN NEW CERTIFICATE REQUEST' no longer accepted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-cryptography
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jeremy Cline
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2025347
Blocks:
Reported: 2021-11-15 09:27 UTC by Florence Blanc-Renaud
Modified: 2021-11-23 10:06 UTC (History)

Fixed In Version: python-cryptography-36.0.0-1.fc36
Clone Of:
Environment:
Last Closed: 2021-11-23 10:06:32 UTC
Type: Bug
Embargoed:

Links: Red Hat Issue Tracker FREEIPA-7332 (last updated 2021-11-15 09:37:26 UTC)

Description Florence Blanc-Renaud 2021-11-15 09:27:32 UTC
Description of problem:
With the update to python-cryptography 35, CSRs containing the header 'BEGIN NEW CERTIFICATE REQUEST' are no longer accepted.
As a consequence, the tests for IPA server installation with an externally-signed CA fail.

The issue already has an upstream fix (https://github.com/pyca/cryptography/pull/6356) but rawhide doesn't ship the fix yet.

Version-Release number of selected component (if applicable):
python3-cryptography-35.0.0-2.fc36.x86_64

How reproducible:
Always

Steps to Reproduce:
Run IPA upstream test "fedora-rawhide/external_ca_TestMultipleExternalCA". The test scenario is equivalent to the following:
1. dnf install -y freeipa-server
2. ipa-server-install --domain ipa.test --realm IPA.TEST -a Secret123 -p Secret123 --external-ca -U
This command produces /root/ipa.csr which contains a header "-----BEGIN NEW CERTIFICATE REQUEST-----"
3. Use a python script loading the CSR:

from cryptography import x509
from cryptography.hazmat.backends import default_backend

# Read the CSR written by ipa-server-install --external-ca and parse it as PEM
with open("/root/ipa.csr", "rb") as ipa_csr:
    csr_tbs = x509.load_pem_x509_csr(ipa_csr.read(), default_backend())

Actual results:

The script fails with
ValueError: Valid PEM but no BEGIN CERTIFICATE REQUEST/END CERTIFICATE REQUEST delimiters. Are you sure this is a CSR?

Expected results:
The CSR should be loaded without any issue.

Additional info:
Upstream patch in https://github.com/pyca/cryptography/pull/6356
Upstream issue https://github.com/pyca/cryptography/issues/6340

Comment 1 Christian Heimes 2021-11-15 09:54:49 UTC
Do you need a new build urgently? python-cryptography 36.0.0 will be released soonish.

I also recommend that you fix FreeIPA's toolchain. "BEGIN CERTIFICATE REQUEST" is a non-standard legacy label that should not be used, https://datatracker.ietf.org/doc/html/rfc7468#appendix-A
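Added example, not code from the bug report, FreeIPA, certmonger or python-cryptography: a small loader that accepts both the RFC 7468 "CERTIFICATE REQUEST" label and the legacy "NEW CERTIFICATE REQUEST" label discussed in the description and in Comment 1, rewrites the legacy label to the standard one, checks that the BEGIN/END labels match and that the body decodes to a DER SEQUENCE, and only then hands the bytes to load_pem_x509_csr. The function names, the regular expression and the sample PEM are assumptions made here; the sample body is a constructed placeholder SEQUENCE, not a real CSR, so it exercises the label handling only.

```python
import base64
import re

# Labels for a PKCS#10 request: RFC 7468 section 7 defines "CERTIFICATE REQUEST";
# the "NEW ..." form is the legacy label listed in RFC 7468 Appendix A that
# python-cryptography 35 stopped accepting.
STANDARD_LABEL = "CERTIFICATE REQUEST"
LEGACY_LABEL = "NEW CERTIFICATE REQUEST"

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)


def normalize_csr_pem(pem: bytes) -> bytes:
    """Return the CSR with the RFC 7468 label, rewriting the legacy one if present.

    Only the two request labels are accepted, BEGIN and END must agree, and the
    base64 body must decode to a DER SEQUENCE (the outer structure of a
    CertificationRequest). Anything else raises ValueError.
    """
    text = pem.decode("ascii")
    match = _PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM block with matching BEGIN/END labels found")
    label = match.group("label")
    if label not in (STANDARD_LABEL, LEGACY_LABEL):
        raise ValueError(f"PEM label {label!r} is not a certificate request")
    body = match.group("body")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("body does not decode to a DER SEQUENCE; not a CSR")
    if label == STANDARD_LABEL:
        return pem
    rewritten = (
        text[: match.start()]
        + f"-----BEGIN {STANDARD_LABEL}-----\n"
        + body
        + f"-----END {STANDARD_LABEL}-----"
        + text[match.end():]
    )
    return rewritten.encode("ascii")


def load_csr_compat(pem: bytes):
    """Load a CSR with python-cryptography after normalizing the label.

    Same call as in the bug report's script, but tolerant of the legacy header;
    requires the cryptography package to be installed (hypothetical helper name).
    """
    from cryptography import x509
    return x509.load_pem_x509_csr(normalize_csr_pem(pem))


# Constructed sample input: the body is a placeholder DER SEQUENCE
# (bytes 30 03 02 01 00), not a real CSR, so only the label handling is exercised.
LEGACY_PEM = (
    b"-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    b"MAMCAQA=\n"
    b"-----END NEW CERTIFICATE REQUEST-----\n"
)
STANDARD_PEM = (
    b"-----BEGIN CERTIFICATE REQUEST-----\n"
    b"MAMCAQA=\n"
    b"-----END CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    # Prints the same block with the RFC 7468 label substituted.
    print(normalize_csr_pem(LEGACY_PEM).decode())
```

The rewrite is deliberately limited to the two request labels and keeps the base64 body byte-for-byte, so a signed CertificationRequest is not altered; a file whose BEGIN and END labels disagree, or whose label names some other object, is rejected rather than silently relabelled.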

Comment 2 Florence Blanc-Renaud 2021-11-15 14:39:17 UTC
No need for an urgent build, I mainly opened this BZ to make sure this issue doesn't fall through the cracks.

certmonger is tracking the issue in https://pagure.io/certmonger/issue/228
pki is tracking the issue in https://github.com/dogtagpki/pki/issues/3843

Comment 3 Fedora Update System 2021-11-23 10:06:32 UTC
FEDORA-2021-b27ebacc47 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.
