Bug 712889 - Internal Error: ipa cert-remove-hold ; revocation reason 7
Summary: Internal Error: ipa cert-remove-hold ; revocation reason 7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-13 13:45 UTC by Jenny Severance
Modified: 2015-01-04 23:49 UTC (History)
4 users (show)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: A request to set a certificate revocation reason to 7 would cause the request to fail. Consequence: The certificate was not revoked. Fix: Reason 7 is not a valid revocation reason according to RFC 5280. Result: An error message is returned to the user.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:33:33 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 0 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-06-13 13:45:41 UTC 
Description of problem:

---------------------------------------------------------------
Added service "service_27444/dhcp-100-19-202.testrelm@TESTRELM"
---------------------------------------------------------------
  Principal: service_27444/dhcp-100-19-202.testrelm@TESTRELM
  Managed by: dhcp-100-19-202.testrelm
:: [   PASS   ] :: add service: [service_27444/dhcp-100-19-202.testrelm]
:: [09:39:19] ::  create cert request file [/tmp/tmp.cAcrn27OS8/certreq.25032.csr]
spawn openssl req -out /tmp/tmp.cAcrn27OS8/certreq.25032.csr -new -newkey rsa:2048 -nodes -keyout /tmp/tmp.cAcrn27OS8/certprikey.20208.key
Generating a 2048 bit RSA private key
.+++
...................................+++
writing new private key to '/tmp/tmp.cAcrn27OS8/certprikey.20208.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:IPA
Organizational Unit Name (eg, section) []:QA
Common Name (eg, your name or your server's hostname) []:dhcp-100-19-202.testrelm
Email Address []:ipaqa@redhat.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:: [09:39:25] ::  cert file creation success, continue
:: [   PASS   ] :: create cert success, cert id :[21], principal [service_27444/dhcp-100-19-202.testrelm]
:: [   PASS   ] :: clear kerberos tkts
ipa: ERROR: an internal error has occurred
:: [   FAIL   ] :: set revoke reason to [7], cert should not be able to reuse (Expected 0, got 1)
:: [   FAIL   ] :: revoke reason expected to be [7], actual [], test can not continue 
  Unrevoked: False
  Error: One or more certificates could not be unrevoked
:: [   PASS   ] :: cert-remove-hold always return 0(succes),we need more test to confirm remove hold fails
:: [   FAIL   ] :: revocation reason not found in cert-show, test failed 
  Certificate: MIIDeDCCAmCgAwIBAgIBFTANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKEwhURVNU
UkVMTTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDYxMzEz
MzkyN1oXDTExMTIxMDEzMzkyN1owNjERMA8GA1UEChMIVEVTVFJFTE0xITAfBgNV
BAMTGGRoY3AtMTAwLTE5LTIwMi50ZXN0cmVsbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALX11HmtNOjMFQcykdDnDbMv54oWVSTaG2/kweOCqn/Uh2kq
Hg8JPmIhzOPLMDg7J/Y/auSeNkLi4ebbuW2N2Njw+T/dj/FjdI/nXX7yEPMdWM1M
Cz9hPhlTfy3gAiohFN5qmFfMu2GbYE7t057cgKR7pHnl7ncIpRG00ld6HzLY1GEW
iUKsDcpR3hMttqIAN9nrcnmfJWrr9tCflH7+buN6asUTfWnBjmdq9+z0anaYoW3P
Fz2oxR12ZEaQ9H/5wGQn5eZj/vu7deHnlR+p0EPAnQ5rTB+bJyAYUk08q/K8DOZN
BJH01ZvYzPlD9Sq6o+iDg2ccnTbPOdqYekE+j2UCAwEAAaOBkzCBkDAfBgNVHSME
GDAWgBQ5jd9B79skhkfZZRsQ+312iQj93jBIBggrBgEFBQcBAQQ8MDowOAYIKwYB
BQUHMAGGLGh0dHA6Ly9kaGNwLTEwMC0xOS0yMDIudGVzdHJlbG06OTE4MC9jYS9v
Y3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG
9w0BAQsFAAOCAQEAjPXel56efTu/vlW5L8hp0oTO+aP3tMkt1G9PLtg0MOpY5yxB
7JHzq72l6woQe/WtGvjehOF5rmoAZZX2akU21yLCAgC5y9Di7LxtnhChGKUXERv/
mAshmmedUl2u9mQ3ogHDFiQKd5aeppNWedGrwz6ugMRoAmwonfz9UkmugwfM2REU
KFZpLxQ/bC19IyydSmROgj3VrOTWxsFfxB5QxD3FgoYOG0TLPrboc9S6Oj+mBUBL
oQfHMbhFuHmRjZz4C10rPvEMLxbR0WQeiMZTogG9fWA0N7f9/xttX8qlnxm/IfBg
LSBeanlsKH7Qif98qdiwrCdI+4AWGXEeZ9p+qA==
  Subject: CN=dhcp-100-19-202.testrelm,O=TESTRELM
  Issuer: CN=Certificate Authority,O=TESTRELM
  Not Before: Mon Jun 13 13:39:27 2011 UTC
  Not After: Sat Dec 10 13:39:27 2011 UTC
  Fingerprint (MD5): 23:9d:48:e7:83:b9:64:0f:a5:37:16:d0:9d:87:e5:a6
  Fingerprint (SHA1): d3:08:d1:00:10:52:98:c8:99:eb:0e:26:34:56:0a:df:c0:8a:2d:6d
  Serial number: 21
:: [09:39:37] ::  cert req [/tmp/tmp.cAcrn27OS8/certreq.2275.csr]
:: [   PASS   ] :: kinit as admin


http errors_log:

[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: admin@TESTRELM: ping(): SUCCESS
[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: sslget 'https://dhcp-100-19-202.testrelm:9443/ca/agent/ca/doRevoke'
[Mon Jun 13 09:39:30 2011] [error] ipa: ERROR: non-public: XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Mon Jun 13 09:39:30 2011] [error] Traceback (most recent call last):
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 217, in wsgi_execute
[Mon Jun 13 09:39:30 2011] [error]     result = self.Command[name](*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 422, in __call__
[Mon Jun 13 09:39:30 2011] [error]     ret = self.run(*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 728, in run
[Mon Jun 13 09:39:30 2011] [error]     return self.execute(*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 556, in execute
[Mon Jun 13 09:39:30 2011] [error]     result=self.Backend.ra.revoke_certificate(serial_number, **kw)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1544, in revoke_certificate
[Mon Jun 13 09:39:30 2011] [error]     parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1263, in get_parse_result_xml
[Mon Jun 13 09:39:30 2011] [error]     doc = etree.fromstring(xml_text, parser)
[Mon Jun 13 09:39:30 2011] [error]   File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 1424, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 539, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:63824)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 625, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 565, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64088)
[Mon Jun 13 09:39:30 2011] [error] XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: admin@TESTRELM: cert_revoke(u'21', revocation_reason=7): XMLSyntaxError


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.  see description - this test is automated
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 2 Dmitri Pal 2011-06-13 16:03:23 UTC 
https://fedorahosted.org/freeipa/ticket/1318
Comment 3 Martin Kosek 2011-06-15 14:44:14 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/cbc5df4536320843f3eed0dc54755bf21922e2c7
ipa-2-0: https://fedorahosted.org/freeipa/changeset/cae4de5036b7d565f9dc1ea140070fc753c9c66c
Comment 5 Jenny Severance 2011-08-22 16:46:16 UTC 
what is 7 not valid now ???

ipa: ERROR: Certificate operation cannot be completed: 7 is not a valid revocation reason
Comment 6 Rob Crittenden 2011-08-22 17:01:17 UTC 
reason 7 is not defined.

See section 5.3.1 in http://www.ietf.org/rfc/rfc5280.txt
Comment 7 Rob Crittenden 2011-10-31 19:54:33 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: A request to set a certificate revocation reason to 7 would cause the request to fail.
Consequence: The certificate was not revoked.
Fix: Reason 7 is not a valid revocation reason according to RFC 5280.
Result: An error message is returned to the user.
Comment 8 Namita Soman 2011-11-06 04:27:44 UTC 
Verified using ipa-server-2.1.3-8.el6.x86_64

# ipa cert-revoke 17 --revocation-reason=7 
ipa: ERROR: Certificate operation cannot be completed: 7 is not a valid revocation reason
Comment 9 errata-xmlrpc 2011-12-06 18:33:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
Note You need to log in before you can comment on or make changes to this bug.