Bug 658641 - pkisilent doesn't properly handle passwords with special characters
Keywords:
Status: CLOSED EOL
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Installation Wizard
Version: 1.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: dogtagIPAv2
Reported: 2010-11-30 21:36 UTC by Rob Crittenden
Modified: 2020-03-27 18:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-27 18:40:31 UTC
Embargoed:

Description Rob Crittenden 2010-11-30 21:36:04 UTC
Description of problem:

Installing dogtag from IPA server using the password (pas&w`rd)

The pkisilent invocation is:

/usr/bin/pkisilent ConfigureCA -cs_hostname lion.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-DD2OtV -client_certdb_pwd '(pas&w`rd)' -preop_pin sM7N05JbzO0hYV8o4Uok -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '(pas&w`rd)' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=EXAMPLE.COM" -ldap_host lion.example.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password '(pas&w`rd)' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '(pas&w`rd)' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=EXAMPLE.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=EXAMPLE.COM" -ca_server_cert_subject_name "CN=lion.example.com,O=EXAMPLE.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=EXAMPLE.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=EXAMPLE.COM" -external false -clone false

While reviewing the logs I saw this:

<response>
  <panel>admin/console/config/importadmincertpanel.vm</panel>
  <res/>
  <showApplyButton/>
  <admin_pwd>(pas</admin_pwd>
...

Which led me to see if the password really did get cut off:

$ ldapsearch -LLL -x -D 'uid=admin,ou=people,o=ipaca' -w '(pas&w`rd)' -h localhost -p 7389 -b o=ipaca uid=admin uid
ldap_bind: Invalid credentials (49)

and with a truncated password:

$ ldapsearch -LLL -x -D 'uid=admin,ou=people,o=ipaca' -w '(pas' -h localhost -p 7389 -b o=ipaca uid=admin uid
dn: uid=admin,ou=people,o=ipaca
uid: admin

Version-Release number of selected component (if applicable):

pki-silent-1.3.4-1.fc12.noarch
pki-ca-1.3.6-1.fc12.noarch
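
An added example, not part of the original report and not pkisilent's own code: a Python model of how a form body built without percent-encoding yields the `(pas` value seen in the log above, next to the encoded form that round-trips. That pkisilent sent the password this way is an assumption drawn from the cut at `&`; the field name `admin_pwd` comes from the response above, and all helper names are hypothetical.

```python
from urllib.parse import parse_qs, quote_plus

# Constructed sample input: the password quoted in the report.
PASSWORD = "(pas&w`rd)"


def naive_body(fields):
    """Join name=value pairs with no percent-encoding (the assumed defect)."""
    return "&".join(f"{k}={v}" for k, v in fields.items())


def encoded_body(fields):
    """Percent-encode every name and value before joining."""
    return "&".join(f"{quote_plus(k)}={quote_plus(v)}" for k, v in fields.items())


def server_view(body, name):
    """Decode the body as a form parser would and return one field's value."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def survives(password, build):
    """True if the password reaches the receiving side unchanged."""
    body = build({"admin_pwd": password, "admin_email": "root@localhost"})
    return server_view(body, "admin_pwd") == password


def risky_chars(password):
    """Characters in the password that are altered when sent unencoded.

    Each character is probed between 'a' and '41' so that a bare '%'
    forms a complete escape sequence and is caught as well.
    """
    return sorted({c for c in password if not survives(f"a{c}41", naive_body)})


if __name__ == "__main__":
    body = naive_body({"admin_pwd": PASSWORD})
    print("received, unencoded:", server_view(body, "admin_pwd"))
    print("round-trips when encoded:", survives(PASSWORD, encoded_body))
    print("characters altered in transit:", risky_chars(PASSWORD))
```
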

Comment 3 Ade Lee 2011-01-11 21:07:19 UTC
patch is included in the patch for https://bugzilla.redhat.com/show_bug.cgi?id=645895

Comment 4 Ade Lee 2011-01-12 16:07:54 UTC
8.1:

-bash-3.2$ svn ci -m "Bugzilla BZ645895 and 658641: ECC curves and passwords
with special chars"
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/ra/ConfigureRA.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data .......
Committed revision 1725.

tip:

[vakwetu@dhcp231-121 silent]$ svn ci -m "Bugzilla BZ645895 and 658641: ECC
curves and passwords with special chars"
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/ra/ConfigureRA.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data .......
Committed revision 1726.
