Bug 999255 - ipa cert-find --revocation=reason 1 finds certs expired for reason 1 and reason 10
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Matthew Harmsen
QA Contact: Namita Soman
Reported: 2013-08-20 23:32 EDT by Michael Gregg
Modified: 2015-02-13 06:48 EST (History)
Fixed In Version: pki-core-10.0.5-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:02:49 EDT
Type: Bug
Description Michael Gregg 2013-08-20 23:32:26 EDT
Description of problem:
Running ipa cert-find --revocation-reason=1 returns certs expired for reason 1 and reason 10.

Version-Release number of selected component (if applicable):
ipa-server-3.3.0-6.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. create csr with openssl req -new -nodes -out /tmp/new.csr
2. ipa cert-request --add --principal=REASON1/ipaqavmg.testrelm.com /tmp/new.csr
3. ipa cert-request --add --principal=REASON10/ipaqavmg.testrelm.com /tmp/new.csr
4. ipa cert-revoke --revocation-reason=1 <ID of first cert>
5. ipa cert-revoke --revocation-reason=10 <ID of second cert>
6. ipa cert-find --revocation-reason=1

Actual results:
This ipa cert-find returns both of the revoked certs.


Expected results:
for ipa cert-find --revocation-reason=1 to only return certs expired for reason 1.
Comment 2 Rob Crittenden 2013-08-21 08:54:17 EDT
Can you try the same search using the pki command?

% pki cert-find --revocationReason 1

This will help narrow down whether the problem is in the way that IPA is calling the CS API or a problem with CS.
Comment 3 Michael Gregg 2013-08-21 14:05:28 EDT
It appears that "pki cert-find --revocationReason 1" does find certs expired for reason 1 and reason 10. 

So, is this expected behavior, or is this a pki bug?

[root@ipaqa64vmd ~]# ipa cert-revoke --revocation-reason=1 26
  Revoked: True
[root@ipaqa64vmd ~]# ipa cert-revoke --revocation-reason=10 27
  Revoked: True
[root@ipaqa64vmd ~]# pki cert-find --revocationReason 1
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1a
  Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
  Status: REVOKED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Aug 21 13:59:48 EDT 2013
  Not Valid After: Sat Aug 22 13:59:48 EDT 2015
  Issued On: Wed Aug 21 13:59:48 EDT 2013
  Issued By: ipara

  Serial Number: 0x1b
  Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
  Status: REVOKED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Aug 21 14:00:46 EDT 2013
  Not Valid After: Sat Aug 22 14:00:46 EDT 2015
  Issued On: Wed Aug 21 14:00:46 EDT 2013
  Issued By: ipara
----------------------------
Number of entries returned 2
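
Added example (not part of the original bug report, and not ipa or pki code): a check that parses cert-find output in the format posted in comment 3 and compares the returned serials with the reason codes that were passed to cert-revoke. The function names and the serial-to-reason map are assumptions made for this example; reason names follow the RFC 5280 CRLReason codes, where 1 is keyCompromise and 10 is aACompromise.

```python
import re

# CRLReason codes from RFC 5280 (7 is unused).
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}

# Output of `pki cert-find --revocationReason 1` from comment 3,
# trimmed to the fields this check reads.
SAMPLE = """\
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1a
  Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
  Status: REVOKED

  Serial Number: 0x1b
  Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
  Status: REVOKED
----------------------------
Number of entries returned 2
"""

def parse_cert_find(text):
    """Split cert-find output into one dict per 'Serial Number:' record."""
    certs = []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # separators, counters, blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Serial Number":
            certs.append({"serial": int(value, 16)})
        elif certs:
            certs[-1][key] = value
    return certs

def check_reason_filter(text, requested, revoked_as):
    """revoked_as maps serial -> reason code used at revocation (assumed known)."""
    returned = {c["serial"] for c in parse_cert_find(text)}
    expected = {s for s, r in revoked_as.items() if r == requested}
    unexpected = [(hex(s), CRL_REASONS.get(revoked_as.get(s), "unknown"))
                  for s in sorted(returned - expected)]
    return {"unexpected": unexpected,
            "missing": [hex(s) for s in sorted(expected - returned)]}
```

With the map {26: 1, 27: 10} from the cert-revoke calls in comment 3, a search for reason 1 reports serial 0x1b (aACompromise) as unexpected, which is the behaviour this bug describes.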
Comment 4 Rob Crittenden 2013-08-21 14:36:16 EDT
Ok, re-assigning this to the pki team.
Comment 5 Nathan Kinder 2013-08-21 16:43:55 EDT
Upstream ticket:
https://fedorahosted.org/pki/ticket/712
Comment 7 Namita Soman 2013-12-09 13:34:31 EST
Verified using ipa-server-3.3.3-4, pki-ca-10.0.5-2

Test output from automated run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-cert-bugzilla-004: LDAP cert-find --revocation-reason=1 find certs for reason 1 and reason 10 bz999255
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 14:10:25 ] ::  Ip address is 10.16.98.179
:: [ 14:10:25 ] ::  creating new host with IP 10.16.98.180
------------------------------------------
Added host "testhostbz999255.testrelm.com"
------------------------------------------
  Host name: testhostbz999255.testrelm.com
  Principal name: host/testhostbz999255.testrelm.com@TESTRELM.COM
  Password: False
  Keytab: False
  Managed by: testhostbz999255.testrelm.com
:: [   PASS   ] :: Creating host to test with this BZ test (Expected 0, got 0)
openssl req -new -config /opt/rhqa_ipa/testhostBZ999255.testrelm.com.cert-req.conf -out /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
Generating a 2048 bit RSA private key
..........+++
..................+++
writing new private key to 'teste.key'
-----
:: [   PASS   ] :: Create a new CSR to work withnhost (Expected 0, got 0)
ipa cert-request --add --principal=INVALIDA/testhostBZ999255.testrelm.com /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
  Subject: CN=testhostBZ999255.testrelm.com,O=TESTRELM.COM
  Issuer: CN=Certificate Authority,O=TESTRELM.COM
  Not Before: Fri Nov 15 19:10:29 2013 UTC
  Not After: Mon Nov 16 19:10:29 2015 UTC
  Fingerprint (MD5): 9a:64:89:9f:f9:ab:22:39:b1:39:5d:0a:06:70:d7:62
  Fingerprint (SHA1): c2:9f:9a:81:e2:f7:75:32:a7:b1:37:a9:c6:2e:58:d5:c8:0e:d7:c0
  Serial number: 62
  Serial number (hex): 0x3E
:: [   PASS   ] :: Request the csr into IPA (Expected 0, got 0)
ipa cert-request --add --principal=INVALIDB/testhostBZ999255.testrelm.com /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
  Subject: CN=testhostBZ999255.testrelm.com,O=TESTRELM.COM
  Issuer: CN=Certificate Authority,O=TESTRELM.COM
  Not Before: Fri Nov 15 19:10:31 2013 UTC
  Not After: Mon Nov 16 19:10:31 2015 UTC
  Fingerprint (MD5): a4:7a:b0:87:50:9d:0e:b5:ea:f0:5e:89:4e:d6:b8:a2
  Fingerprint (SHA1): 65:a5:ff:b7:83:38:b6:37:c0:3d:22:e5:1a:ef:e8:23:e3:1e:e1:fd
  Serial number: 63
  Serial number (hex): 0x3F
:: [   PASS   ] :: Request the csr into IPA (Expected 0, got 0)
  Revoked: True
:: [   PASS   ] :: Revoke cert 62 for reason 1 (Expected 0, got 0)
  Revoked: True
:: [   PASS   ] :: Revoke cert 63 for reason 10 (Expected 0, got 0)
:: [   PASS   ] :: The correct number of revoded certs were returned for reasons 1 and 10.
Comment 8 Ludek Smid 2014-06-13 08:02:49 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
