pki-bot / pki-issues-final

KRA subsystem fails to report invalid KRA transport cert #2146

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #2597. Originally filed by cheimes (@tiran) on 2017-02-17 15:02:26:


The KRA subsystem and pki.key fail to give a proper error message when an invalid certificate is used instead of the correct KRA transport cert.

For https://fedorahosted.org/freeipa/ticket/6652 I wanted to find out how the KRA subsystem signals an invalid KRA transport cert. I changed some code locally to use a completely unrelated certificate in ipaclient.plugins.vault.

The REST interface of the KRA subsystem doesn't report an error. Instead of an HTTP error, it simply returns an empty JSON object {}, although I see a java.security.InvalidKeyException in the internal debug log of KRA.

pki.key doesn't handle the empty JSON gracefully. This leads to a TypeError later.

== /var/log/pki/pki-tomcat/kra/debug

[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: EncryptionUnit.decryptInternalPrivate
[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: decryptInternalPrivate(): getting key wrapper on slot:Internal Key Storage Token
[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: SecurityDataRecoveryService: secure retrieved data with session key
[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: SecurityDataRecoveryService: encrypt stored passphrase with session key
[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: EncryptionUnit::unwrap_sym() private key algo: RSA
[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: EncryptionUnit::unwrap_sym() error:org.mozilla.jss.crypto.TokenException: Failed to unwrap key
[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED

[17/Feb/2017:12:40:56][ajp-nio-127.0.0.1-8009-exec-10]: KRAService serviceRequest EBaseException:Cannot encrypt passphrase: java.security.InvalidKeyException: Key is null

== /var/log/pki/pki-tomcat/localhost_access_log.2017-02-17.txt

192.168.121.252 - ipakra [17/Feb/2017:12:40:56 +0000] "GET /kra/rest/account/login HTTP/1.1" 200 121
192.168.121.252 - ipakra [17/Feb/2017:12:40:56 +0000] "GET /kra/rest/agent/keys?status=active&clientKeyID=ipa%3A%2Fusers%2Fadmin%2Ftest HTTP/1.1" 200 173
192.168.121.252 - ipakra [17/Feb/2017:12:40:56 +0000] "POST /kra/rest/agent/keyrequests HTTP/1.1" 201 218
192.168.121.252 - ipakra [17/Feb/2017:12:40:56 +0000] "POST /kra/rest/agent/keyrequests/869/approve HTTP/1.1" 204 -
192.168.121.252 - ipakra [17/Feb/2017:12:40:56 +0000] "POST /kra/rest/agent/keys/retrieve HTTP/1.1" 200 2

== /var/log/httpd/error_log

[Fri Feb 17 12:40:56.743006 2017] [wsgi:error] [pid 18802] ipa: ERROR: non-public: TypeError: a2b_base64() argument 1 must be string or buffer, not None
[Fri Feb 17 12:40:56.743017 2017] [wsgi:error] [pid 18802] Traceback (most recent call last):
[Fri Feb 17 12:40:56.743019 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Fri Feb 17 12:40:56.743021 2017] [wsgi:error] [pid 18802]     result = command(*args, **options)
[Fri Feb 17 12:40:56.743022 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Feb 17 12:40:56.743023 2017] [wsgi:error] [pid 18802]     return self.__do_call(*args, **options)
[Fri Feb 17 12:40:56.743025 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Feb 17 12:40:56.743026 2017] [wsgi:error] [pid 18802]     ret = self.run(*args, **options)
[Fri Feb 17 12:40:56.743027 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Feb 17 12:40:56.743029 2017] [wsgi:error] [pid 18802]     return self.execute(*args, **options)
[Fri Feb 17 12:40:56.743030 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/vault.py", line 1128, in execute
[Fri Feb 17 12:40:56.743031 2017] [wsgi:error] [pid 18802]     wrapped_session_key)
[Fri Feb 17 12:40:56.743032 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 304, in handler
[Fri Feb 17 12:40:56.743034 2017] [wsgi:error] [pid 18802]     return fn_call(inst, *args, **kwargs)
[Fri Feb 17 12:40:56.743035 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/pki/key.py", line 941, in retrieve_key
[Fri Feb 17 12:40:56.743036 2017] [wsgi:error] [pid 18802]     key = self.retrieve_key_data(request)
[Fri Feb 17 12:40:56.743038 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 304, in handler
[Fri Feb 17 12:40:56.743039 2017] [wsgi:error] [pid 18802]     return fn_call(inst, *args, **kwargs)
[Fri Feb 17 12:40:56.743040 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/pki/key.py", line 884, in retrieve_key_data
[Fri Feb 17 12:40:56.743041 2017] [wsgi:error] [pid 18802]     return Key(key_data)
[Fri Feb 17 12:40:56.743043 2017] [wsgi:error] [pid 18802]   File "/usr/lib/python2.7/site-packages/pki/key.py", line 92, in __init__
[Fri Feb 17 12:40:56.743044 2017] [wsgi:error] [pid 18802]     key_data.wrapped_private_data)
[Fri Feb 17 12:40:56.743045 2017] [wsgi:error] [pid 18802]   File "/usr/lib64/python2.7/base64.py", line 75, in b64decode
[Fri Feb 17 12:40:56.743047 2017] [wsgi:error] [pid 18802]     return binascii.a2b_base64(s)
[Fri Feb 17 12:40:56.743048 2017] [wsgi:error] [pid 18802] TypeError: a2b_base64() argument 1 must be string or buffer, not None
[Fri Feb 17 12:40:56.743201 2017] [wsgi:error] [pid 18802] ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: vault_retrieve_internal/1(u'test', session_key="\\r'\\x03\\xf4A,K\\xc3NX^>jm:r&\\xf3\\xca\\x9cS\\xb6\\x81\\x18\\xa1\\xe2q\\x9f\\x89\\x86\\x16\\xb7G\\xa6\\x83\\xc27\\xe6z;x\\x16\\xfe\\xfb\\xed\\xea`2\\xe1\\xc9S\\r\\xeb3\\xddh\\xb2\\xc13\\x90-\\xf2\\\\eFu9NGS\\xf2f\\x12=\\xe1B\\xa9\\xa0\\xc0\\x04pRM\\xb7\\x9b\\xa56\\x8c\\x85I\\nY\\xcf\\xfeH\\xa1\\x1aw\\xb8\\xe3\\xdab\\x15p?\\xffp\\xad\\xb3\\x864\\xd6\\x9e\\xd9\\xd2RTT\\xfd\\xcfl\\t\\xfd\\xf03Q\\xdd):\\xa2\\xa4#I\\xda\\xd0\\xaf~C\\xa3\\x11?\\x88J\\x8e\\x96\\xf3\\xc4\\xbd^\\xe3\\xc1\\x7f\\xda\\x8bM#>E\\xd4\\xe9%5\\x0e\\xde\\xd1\\xb5\\xca$\\x8a(\\xb3\\xda!\\x93g\\xa4\\x05;\\x98>\\xa8\\x97\\t\\x87\\xf7?\\xc1\\x1f\\x17\\xd3\\xf3\\xe8Y\\xd9\\xbb\\xed[\\r?\\x94-\\xf7\\xf1~\\xf7J\\x1eh\\x05\\x98\\xf5,\\x16\\xee\\xa2\\x17\\xd1\\xe6Ph\\x9d;\\x7f\\xcf1\\x1c!\\xa1\\xb2\\xb5\\xb7\\x02\\xf9\\xa9\\x9d\\x9a\\x10\\xcdk5\\x05\\x08\\xd0\\x1a\\x0bt\\x86\\x9b\\x98E\\xa8\\x16\\xe8N9\\x8a", version=u'2.218'): InternalErro
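
Added example (not code from the issue, FreeIPA or Dogtag): a defensive client-side parser for the /kra/rest/agent/keys/retrieve body that turns the empty {} shown in the access log (HTTP 200, 2 bytes) into a clear error instead of letting it surface as the b64decode(None) TypeError in the traceback above. The function and exception names and the JSON field names wrappedPrivateData / nonceData are assumptions, not taken from the issue.

```python
import base64
import binascii
import json


class KRAResponseError(Exception):
    """Raised when the KRA body cannot be a retrieved key (hypothetical name)."""


# Assumed JSON attribute names of the KRA KeyData object; the issue only shows
# the Python-side attribute key_data.wrapped_private_data.
REQUIRED_FIELDS = ("wrappedPrivateData", "nonceData")


def parse_key_data(body):
    """Validate a keys/retrieve body before decoding anything from it.

    Fails early, with a message naming the likely cause, when the KRA answers
    with '{}' because the session key could not be unwrapped.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise KRAResponseError("KRA returned non-JSON body: %r" % (body,)) from exc
    if not isinstance(data, dict) or not data:
        raise KRAResponseError(
            "KRA returned an empty key response; the session key could not be "
            "unwrapped, most likely because the wrong KRA transport certificate was used")
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise KRAResponseError("KRA key response lacks fields: %s" % ", ".join(missing))
    try:
        # validate=True rejects non-base64 characters instead of silently dropping them
        return {"wrapped_private_data": base64.b64decode(data["wrappedPrivateData"], validate=True),
                "nonce_data": base64.b64decode(data["nonceData"], validate=True)}
    except (binascii.Error, ValueError) as exc:
        raise KRAResponseError("KRA key response contains invalid base64") from exc


# Constructed sample bodies: a healthy response and the empty body from the issue.
GOOD_BODY = json.dumps({"wrappedPrivateData": base64.b64encode(b"wrapped-secret").decode(),
                        "nonceData": base64.b64encode(b"0123456789abcdef").decode()})
EMPTY_BODY = "{}"


def check_response(body):
    """Return (ok, detail); detail is the parsed key dict or the error message."""
    try:
        return True, parse_key_data(body)
    except KRAResponseError as exc:
        return False, str(exc)
```
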

pki-bot commented 4 years ago

Comment from cheimes (@tiran) at 2017-02-27 14:00:14

Metadata Update from @tiran:

pki-bot commented 4 years ago

Comment from cheimes (@tiran) at 2017-04-04 12:57:02

I would appreciate it if both problems (java.security.InvalidKeyException handling and pki.key) were solved for 10.4. Proper handling of an invalid transport key will make it possible to improve vault integration in FreeIPA 4.7. Target platforms are Fedora 27 and RHEL 7.5.

pki-bot commented 4 years ago

Comment from cheimes (@tiran) at 2017-04-04 12:57:04

Metadata Update from @tiran:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-04-04 12:59:34

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-04-04 13:00:13

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-04-04 16:48:05

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from cheimes (@tiran) at 2017-04-26 12:26:05

Related issue: KRA subsystem does not report KRAService serviceRequest EBaseException:Can't decrypt passphrase to client, too. https://pagure.io/freeipa/issue/6899

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-08-09 12:37:22

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-08-09 12:37:23

Metadata Update from @mharmsen: