Bug 999255 - ipa cert-find --revocation=reason 1 finds certs expired for reason 1 and reason 10
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matthew Harmsen
QA Contact: Namita Soman
 
Reported: 2013-08-21 03:32 UTC by Michael Gregg
Modified: 2020-10-04 20:38 UTC (History)

Fixed In Version: pki-core-10.0.5-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:02:49 UTC

Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 1281 0 None None None 2020-10-04 20:38:30 UTC

Description Michael Gregg 2013-08-21 03:32:26 UTC
Description of problem:
Running ipa cert-find --revocation-reason=1 returns certs expired for reason 1 and reason 10.

Version-Release number of selected component (if applicable):
ipa-server-3.3.0-6.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. create csr with openssl req -new -nodes -out /tmp/new.csr
2. ipa cert-request --add --principal=REASON1/ipaqavmg.testrelm.com /tmp/new.csr
3. ipa cert-request --add --principal=REASON10/ipaqavmg.testrelm.com /tmp/new.csr
4. ipa cert-revoke --revocation-reason=1 <ID of first cert>
5. ipa cert-revoke --revocation-reason=10 <ID of second cert>
6. ipa cert-find --revocation-reason=1

Actual results:
This ipa cert-find returns both of the revoked certs.


Expected results:
for ipa cert-find --revocation-reason=1 to only return certs expired for reason 1.

Comment 2 Rob Crittenden 2013-08-21 12:54:17 UTC
Can you try the same search using the pki command?

% pki cert-find --revocationReason 1

This will help narrow down whether the problem is in the way that IPA is calling the CS API or a problem with CS.

Comment 3 Michael Gregg 2013-08-21 18:05:28 UTC
It appears that "pki cert-find --revocationReason 1" does find certs expired for reason 1 and reason 10. 

So, is this expected behavior, or is this a pki bug?

[root@ipaqa64vmd ~]# ipa cert-revoke --revocation-reason=1 26
  Revoked: True
[root@ipaqa64vmd ~]# ipa cert-revoke --revocation-reason=10 27
  Revoked: True
[root@ipaqa64vmd ~]# pki cert-find --revocationReason 1
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1a
  Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
  Status: REVOKED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Aug 21 13:59:48 EDT 2013
  Not Valid After: Sat Aug 22 13:59:48 EDT 2015
  Issued On: Wed Aug 21 13:59:48 EDT 2013
  Issued By: ipara

  Serial Number: 0x1b
  Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
  Status: REVOKED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Aug 21 14:00:46 EDT 2013
  Not Valid After: Sat Aug 22 14:00:46 EDT 2015
  Issued On: Wed Aug 21 14:00:46 EDT 2013
  Issued By: ipara
----------------------------
Number of entries returned 2

Comment 4 Rob Crittenden 2013-08-21 18:36:16 UTC
Ok, re-assigning this to the pki team.

Comment 5 Nathan Kinder 2013-08-21 20:43:55 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/712

Comment 7 Namita Soman 2013-12-09 18:34:31 UTC
Verified using ipa-server-3.3.3-4, pki-ca-10.0.5-2

Test output from automated run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-cert-bugzilla-004: LDAP cert-find --revocation-reason=1 find certs for reason 1 and reason 10 bz999255
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 14:10:25 ] ::  Ip address is 10.16.98.179
:: [ 14:10:25 ] ::  creating new host with IP 10.16.98.180
------------------------------------------
Added host "testhostbz999255.testrelm.com"
------------------------------------------
  Host name: testhostbz999255.testrelm.com
  Principal name: host/testhostbz999255.testrelm.com
  Password: False
  Keytab: False
  Managed by: testhostbz999255.testrelm.com
:: [   PASS   ] :: Creating host to test with this BZ test (Expected 0, got 0)
openssl req -new -config /opt/rhqa_ipa/testhostBZ999255.testrelm.com.cert-req.conf -out /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
Generating a 2048 bit RSA private key
..........+++
..................+++
writing new private key to 'teste.key'
-----
:: [   PASS   ] :: Create a new CSR to work withnhost (Expected 0, got 0)
ipa cert-request --add --principal=INVALIDA/testhostBZ999255.testrelm.com /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
  Subject: CN=testhostBZ999255.testrelm.com,O=TESTRELM.COM
  Issuer: CN=Certificate Authority,O=TESTRELM.COM
  Not Before: Fri Nov 15 19:10:29 2013 UTC
  Not After: Mon Nov 16 19:10:29 2015 UTC
  Fingerprint (MD5): 9a:64:89:9f:f9:ab:22:39:b1:39:5d:0a:06:70:d7:62
  Fingerprint (SHA1): c2:9f:9a:81:e2:f7:75:32:a7:b1:37:a9:c6:2e:58:d5:c8:0e:d7:c0
  Serial number: 62
  Serial number (hex): 0x3E
:: [   PASS   ] :: Request the csr into IPA (Expected 0, got 0)
ipa cert-request --add --principal=INVALIDB/testhostBZ999255.testrelm.com /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
  Subject: CN=testhostBZ999255.testrelm.com,O=TESTRELM.COM
  Issuer: CN=Certificate Authority,O=TESTRELM.COM
  Not Before: Fri Nov 15 19:10:31 2013 UTC
  Not After: Mon Nov 16 19:10:31 2015 UTC
  Fingerprint (MD5): a4:7a:b0:87:50:9d:0e:b5:ea:f0:5e:89:4e:d6:b8:a2
  Fingerprint (SHA1): 65:a5:ff:b7:83:38:b6:37:c0:3d:22:e5:1a:ef:e8:23:e3:1e:e1:fd
  Serial number: 63
  Serial number (hex): 0x3F
:: [   PASS   ] :: Request the csr into IPA (Expected 0, got 0)
  Revoked: True
:: [   PASS   ] :: Revoke cert 62 for reason 1 (Expected 0, got 0)
  Revoked: True
:: [   PASS   ] :: Revoke cert 63 for reason 10 (Expected 0, got 0)
:: [   PASS   ] :: The correct number of revoded certs were returned for reasons 1 and 10.
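
A post-filter check for the behaviour this bug describes, as an added example that is not part of the bug report or of the IPA/PKI code: it reads each returned certificate's revocation reason and compares it as an integer against the requested code, so a search for reason 1 (keyCompromise in RFC 5280) that also returns reason 10 (aACompromise) is flagged. The sample text is constructed around serials 62 and 63 from the verification run above, and its field labels are assumed.

```python
import re

# RFC 5280 CRLReason codes (value 7 is not used).
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}

# Constructed sample: per-certificate detail for the two serials revoked in
# the verification run; the field labels are assumed, not copied output.
SAMPLE = """\
  Serial number: 62
  Revoked: True
  Revocation reason: 1

  Serial number: 63
  Revoked: True
  Revocation reason: 10
"""

def parse_records(text):
    """Split blank-line-separated 'Key: value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip().lower()] = value.strip()
        if rec:
            records.append(rec)
    return records

def mismatched(requested, records):
    """Return (serial, reason, name) for results whose reason != requested."""
    bad = []
    for rec in records:
        raw = rec.get("revocation reason")
        reason = int(raw) if raw is not None and raw.isdigit() else None
        if reason != int(requested):
            bad.append((rec.get("serial number"), reason,
                        CRL_REASONS.get(reason, "unknown")))
    return bad

if __name__ == "__main__":
    for serial, reason, name in mismatched(1, parse_records(SAMPLE)):
        print(f"serial {serial}: reason {reason} ({name}) does not match filter 1")
```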

Comment 8 Ludek Smid 2014-06-13 12:02:49 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

