#5143 Asymmetric vault is still created after traceback
Closed: Invalid. Opened 8 years ago by alich.

VERSION: 4.2.90.201507201402GIT37b1af9, API_VERSION: 2.146

-sh-4.3$ openssl genrsa -out mykey.pem 2048; openssl rsa -in mykey.pem -pubout >mykey.pub; ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
...........+++
e is 65537 (0x10001)
writing RSA key
ipa: WARNING: session memcached servers not running
ipa: ERROR: non-public: ValueError: Could not unserialize key data.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 643, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 977, in forward
    encryption_key, public_key=public_key)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 474, in encrypt
    backend=default_backend()
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 24, in load_pem_public_key
    return backend.load_pem_public_key(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 285, in load_pem_public_key
    return b.load_pem_public_key(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 719, in load_pem_public_key
    self._handle_key_loading_error()
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 937, in _handle_key_loading_error
    raise ValueError("Could not unserialize key data.")
ValueError: Could not unserialize key data.
ipa: ERROR: an internal error has occurred
-sh-4.3$ ls -la
total 40
drwxr-xr-x.  4 testuser testuser 4096 Jul 20 11:20 .
drwxr-xr-x.  3 root     root     4096 Jul 16 15:42 ..
-rw-------.  1 testuser testuser 2628 Jul 17 19:30 .bash_history
drwxr-xr-x. 20 testuser testuser 4096 Jul 17 11:59 freeipa
drwxrwxr-x.  4 testuser testuser 4096 Jul 17 10:40 .ipa
-rw-rw-r--.  1 testuser testuser 1679 Jul 20 11:20 mykey.pem
-rw-rw-r--.  1 testuser testuser  451 Jul 20 11:20 mykey.pub
-rw-rw-r--.  1 testuser testuser   11 Jul 20 11:13 password.txt
-rw-------.  1 testuser testuser 1024 Jul 20 11:20 .rnd
-rw-------.  1 testuser testuser 3144 Jul 17 18:56 .viminfo
-sh-4.3$ ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
ipa: WARNING: session memcached servers not running
ipa: ERROR: vault with name "AsymmetricVault" already exists
-sh-4.3$ ipa vault-find
ipa: WARNING: session memcached servers not running
----------------
4 vaults matched
----------------
  Vault name: AsymmetricVault
  Description: Asymmetric vault
  Type: asymmetric

  Vault name: PrivateVault
  Description: Private vault
  Type: standard

  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric

  Vault name: SymmetricVault2
  Description: Symmetric vault 2
  Type: symmetric
----------------------------
Number of entries returned 4
----------------------------

Patch 019 adds validation of public keys. The ipa vault commands now load the public keys in order to verify them. The validation also prevents a user from accidentally sending her private keys to the server. The patch fixes #5142 and #5143.

$ ./ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data.

The patch for ticket #5142 fixed the root cause, so it is unlikely that this issue will happen.
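
The two fixes discussed above, as an added example that is not FreeIPA's code and not patch 019: a client-side pre-flight check that refuses anything but a PEM `PUBLIC KEY` block containing a SubjectPublicKeyInfo (so a file like the reporter's `mykey.pem`, an `RSA PRIVATE KEY`, is rejected before it is sent), and a toy `vault_add` that validates before creating the entry and deletes the entry again if archiving fails, so no empty vault is left behind. The patch itself relies on python-cryptography's `load_pem_public_key`; this example does a structural DER check with the standard library only so it runs offline. The vault store (a dict), the `archive` callable and the sample keys are assumptions constructed here; the "keys" are toy DER structures with a filler modulus, not real RSA key material.

```python
# Added example, not FreeIPA code: client-side pre-flight check for a vault public
# key, plus a toy vault_add that validates first and rolls back if archiving fails.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x04, 0x05, 0x06

class VaultPublicKeyError(ValueError):
    """The file is not an acceptable vault public key."""

def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise VaultPublicKeyError("truncated DER")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise VaultPublicKeyError("bad DER length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise VaultPublicKeyError("truncated DER")
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split the body of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        out.append((tag, child))
    return out

def check_vault_public_key(pem_text):
    """Return 'spki' if pem_text is a PEM 'PUBLIC KEY' block whose DER is
    SEQUENCE { AlgorithmIdentifier, BIT STRING }; raise VaultPublicKeyError otherwise."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise VaultPublicKeyError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label.endswith("PRIVATE KEY"):  # RSA/EC/ENCRYPTED/... PRIVATE KEY: never send it
        raise VaultPublicKeyError("'%s' block found; refusing to send a private key" % label)
    if label != "PUBLIC KEY":
        raise VaultPublicKeyError("unsupported PEM label '%s'" % label)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as e:
        raise VaultPublicKeyError("PEM body is not valid base64") from e
    tag, value, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise VaultPublicKeyError("DER is not a single SEQUENCE")
    fields = _children(value)
    if len(fields) == 2 and fields[0][0] == SEQUENCE and fields[1][0] == BIT_STRING:
        alg = _children(fields[0][1])
        if alg and alg[0][0] == OID:
            return "spki"
    # a PKCS#8 PrivateKeyInfo relabelled 'PUBLIC KEY' lands here: its first field is an INTEGER
    raise VaultPublicKeyError("'PUBLIC KEY' block is not a SubjectPublicKeyInfo")

def classify(pem_text):
    """Non-raising form of the check: ('ok', kind) or ('rejected', reason)."""
    try:
        return "ok", check_vault_public_key(pem_text)
    except VaultPublicKeyError as e:
        return "rejected", str(e)

def vault_add(store, name, pem_text, archive):
    """Validate before any entry exists; if archive() still fails, delete the entry
    instead of leaving an empty vault behind (the symptom reported in this ticket)."""
    check_vault_public_key(pem_text)
    if name in store:
        raise ValueError('vault with name "%s" already exists' % name)
    store[name] = {"type": "asymmetric", "public_key": pem_text}
    try:
        archive(store[name])
    except Exception:
        del store[name]
        raise
    return store[name]

def _tlv(tag, value):
    """DER-encode one tag-length-value (short or long-form length)."""
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def sample_keys():
    """Constructed toy keys (filler modulus, not real RSA material), named after the ticket's files."""
    alg = _tlv(SEQUENCE, _tlv(OID, OID_RSA_ENCRYPTION) + _tlv(NULL, b""))
    pub_ints = _tlv(INTEGER, b"\x00\xc1" + b"\x37" * 62) + _tlv(INTEGER, b"\x01\x00\x01")
    rsa_priv = _tlv(SEQUENCE, _tlv(INTEGER, b"\x00") + pub_ints + _tlv(INTEGER, b"\x42") * 6)
    spki = _tlv(SEQUENCE, alg + _tlv(BIT_STRING, b"\x00" + _tlv(SEQUENCE, pub_ints)))
    pkcs8 = _tlv(SEQUENCE, _tlv(INTEGER, b"\x00") + alg + _tlv(OCTET_STRING, rsa_priv))
    return {"mykey.pub": _pem("PUBLIC KEY", spki),           # openssl rsa -pubout shape
            "mykey.pem": _pem("RSA PRIVATE KEY", rsa_priv),  # the file the reporter passed
            "mislabelled.pem": _pem("PUBLIC KEY", pkcs8)}    # private key behind a public label
```

Running `classify()` over `sample_keys()` accepts only `mykey.pub`; `mykey.pem` is refused by its label before any parsing, and `mislabelled.pem` (a PKCS#8 private key wrapped in a `PUBLIC KEY` header) is refused by the DER structure check, which is why the label test alone is not enough. `vault_add` never creates an entry for a rejected key, and when the `archive` callable raises the entry is removed before the error propagates, so the "vault with name ... already exists" situation from the report cannot arise from a failed first attempt.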

Metadata Update from @alich (7 years ago):
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.2.1