Description of problem: Console provides a Manage certificates window for managing server certificates, CA certificates and certificate revocation lists. A user should be able to import CRL from Revoked Certs -> Add menu by specifying a path to CRL. This currently does not work, even though CRL can be imported from command line.
Steps to Reproduce:
1. Make sure CA certificate is imported in certdb of DS
2. Obtain CRL in DER format:
[jrusnack@dstet ~]$ openssl crl -inform DER -in /myca.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CZ/L=Brno/O=Redhat Inc.
        Last Update: May 24 11:16:40 2013 GMT
        Next Update: Jun 23 11:16:40 2013 GMT
        CRL extensions:
            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: 01
        Revocation Date: May 24 09:51:35 2013 GMT
    Signature Algorithm: sha1WithRSAEncryption
        2c:01:5d:d4:ac:6d:bf:ce:6e:dd:55:52:30:4d:bc:57:b8:2b:
        b5:32:ca:b2:e3:79:32:a4:04:33:82:56:fc:ab:41:74:7d:12:
        5a:36:9b:be:b8:6d:86:e0:34:b4:cc:34:8e:05:41:38:3a:47:
        e9:3d:e3:19:53:8d:a9:2e:7c:5c:f9:3e:0b:cb:78:71:d1:b9:
        c7:d5:64:7b:64:52:76:e0:57:79:0e:2d:e5:1c:fe:22:e1:8f:
        c6:4a:44:b2:bb:71:ea:63:3b:6e:14:38:01:8f:30:42:b2:a5:
        95:d4:12:e1:34:9f:99:8d:bc:b3:09:8e:39:80:ac:e4:c1:f0:
        84:fb:b1:76:79:30:64:80:e7:3f:c9:75:04:7d:df:76:56:23:
        31:4e:ba:45:2d:00:58:85:e9:83:6c:66:c7:f0:0d:8b:91:4d:
        c2:33:ef:aa:ca:00:12:a4:5c:77:da:a7:b5:91:78:88:c5:ae:
        fd:3a:68:c0:74:cb:5a:f2:b8:04:cd:5d:9e:46:1f:95:fb:05:
        55:09:61:09:b0:68:1e:81:82:fd:6a:cd:91:ca:1c:5d:e0:ad:
        39:f9:c8:bb:a8:a5:3e:6a:22:23:69:51:2b:c7:64:97:29:ac:
        9a:66:e5:1e:99:4c:d5:65:50:87:b8:5a:d4:db:9a:df:1a:9b:
        8b:3a:44:4e
[jrusnack@dstet ~]$ ls -l /myca.crl
-rwxrwxrwx. 1 jrusnack jrusnack 621 May 24 12:07 /myca.crl
Enter CRL/CKL file: /myca.crl - File contain a Certificate Revocation List (CRL) / File contain a Compromised Key List (CKL)
Error is returned "Could not open file /myca.crl. File does not exist or filename is invalid.", see the attachment.
Actual results: Import of CRL via console should be successful
The issue here is that the CRL file can only be imported from the directory where the cert/key databases exist. This is mentioned in the on-line help page that is accessed by clicking on the "Help" button on the "Add CRL/CKL" dialog in Console. Here is what the help page states:
{{{Enter CRL/CKL file. Provide the name of the file containing the CRL or CKL. This file must exist in the same directory as your key and cert database.}}}
Only the filename for the CRL/CKL file should be specified in the console. An absolute or relative path does not work. We can improve the validation of the filename to present a more useful error message. We can also improve the text in the dialog so it is clear that you are supposed to only input a CRL/CKL filename that must exist in the certificate database location.
There might still be other issues with CRL/CKL importing, as I am getting errors about an invalid CRL even when I use a correct filename.
The security CGI expects the CRL file to be in PEM format (base64 encoded DER). I was previously trying to import a CRL in DER format, which triggered the "invalid CRL/CKL" message. The "Add CRL/CKL" dialog, on-line help page, and error message should be improved to make it clear that the expected format is PEM.
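As an added pre-flight check (example script written for this page, not part of the ticket's patches or the 389 code base), the following applies the two constraints described above before a file is typed into the "Add CRL/CKL" dialog: the name must be a bare filename present in the cert/key database directory, and the content must be PEM rather than DER. CERTDB_DIR, the helper names and the two sample files are assumptions made here.

```shell
#!/bin/sh
# Pre-flight check for a CRL/CKL file before handing it to Console's
# "Add CRL/CKL" dialog. It applies the two constraints from this ticket:
# Console takes a bare filename that must exist in the cert/key database
# directory, and the security CGI expects PEM (base64 DER), not raw DER.
# CERTDB_DIR is an assumed location; point it at the instance's cert db.
CERTDB_DIR="${CERTDB_DIR:-/tmp/crl-check-demo}"

# crl_format FILE -> prints "pem", "der" or "unknown"
crl_format() {
    if head -n 1 "$1" | grep -q -- '-----BEGIN X509 CRL-----'; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der          # DER CRL begins with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# crl_ready NAME -> 0 when NAME is a bare filename of a PEM CRL in CERTDB_DIR;
# 1 if it carries a path, 2 if the file is missing, 3 if it is not PEM.
crl_ready() {
    case "$1" in
        */*) echo "use a filename, not a path: $1" >&2; return 1 ;;
    esac
    f="$CERTDB_DIR/$1"
    [ -r "$f" ] || { echo "no such file in $CERTDB_DIR: $1" >&2; return 2; }
    [ "$(crl_format "$f")" = pem ] || { echo "not a PEM CRL: $1" >&2; return 3; }
    return 0
}

# crl_to_pem FILE -> converts a DER CRL into CERTDB_DIR as PEM (needs openssl)
# and prints the bare filename to type into the dialog.
crl_to_pem() {
    out="$CERTDB_DIR/$(basename "$1" .crl).pem"
    openssl crl -inform DER -in "$1" -outform PEM -out "$out" && basename "$out"
}

# Constructed sample files (not real CRLs), one PEM-shaped and one DER-shaped.
mkdir -p "$CERTDB_DIR"
printf '%s\n' '-----BEGIN X509 CRL-----' 'MIIB' '-----END X509 CRL-----' \
    > "$CERTDB_DIR/myca.pem"
printf '\060\202\001\000' > "$CERTDB_DIR/myca.crl"

crl_ready myca.pem && echo "myca.pem: ready for Console import"
crl_ready /myca.pem || echo "rejected: path instead of filename"
crl_ready myca.crl || echo "rejected: DER, run crl_to_pem first"
```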
Admin Server patch 0001-Ticket-47467-Improve-CRL-import-error-messages.patch
Screenshot (CRL path error) <img alt="console-crlpath-error.png" src="/389-ds-base/issue/raw/files/359c644a0dd8e40e2233307219eea57b9e9677b8940cf8751446760f743aeb9b-console-crlpath-error.png" />
Screenshot (CRL format error) <img alt="cosole-crlformat-error.png" src="/389-ds-base/issue/raw/files/804032f13ad3b9c7985747fdf836533b7de00901df61c893d42f5bbce5094311-cosole-crlformat-error.png" />
The attached Admin Server patch improves the error messages that are returned by the security CGI. I have attached screenshots that show these new error messages as displayed by Console.
Additional changes are needed to 389-admin-console to improve the online-help, and idm-console-framework to improve the "Add CRL/CKL" dialog.
idm-console-framework patch 0001-Ticket-47467-Improve-CRL-import-dialog-text.patch
Screenshot (CRL Dialog) <img alt="console-crldialog.png" src="/389-ds-base/issue/raw/files/74425a6e4b44b7162a44b7fab106b8b11aace01de4386da851eb463bd93a2205-console-crldialog.png" />
The attached IDM Console Framework patch improves the text on the "Add CRL/CKL" dialog. The new dialog can be seen in the attached screenshot.
389-admin-console patch 0001-Ticket-47467-Improve-online-help-for-Add-CRL-dialog.patch
The attached 389-admin-console patch improves the online help page that is accessed from the Console.
Thanks to Noriko for her reviews! Patches pushed to master:
Counting objects: 9, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 837 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   4555aff..0de3949  master -> master

Counting objects: 19, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (10/10), 1.46 KiB, done.
Total 10 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/idm-console-framework.git
   e043c5b..4d6f8c2  master -> master

Counting objects: 11, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (6/6), 702 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
   91568bd..9ef26b8  master -> master
git patch file (adminserver master) -- additional fixes to the error messages 0001-Ticket-47467-Improve-Add-CRL-CKL-dialog-and-errors.patch
ack
Thank you for reviewing the patch, Rich!
https://fedorahosted.org/389/attachment/ticket/47467/0001-Ticket-47467-Improve-Add-CRL-CKL-dialog-and-errors.patch
Pushed to master: a22fbf9..1bece0e master -> master commit 1bece0e524811a0da8aae5a27c3c130a7e452a4e
Metadata Update from @nkinder: - Issue assigned to nkinder - Issue set to the milestone: 389-admin,console 1.1.35
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/804
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)