VERSION: 4.2.90.201507201402GIT37b1af9, API_VERSION: 2.146
-sh-4.3$ openssl genrsa -out mykey.pem 2048; openssl rsa -in mykey.pem -pubout >mykey.pub; ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
...........+++
e is 65537 (0x10001)
writing RSA key
ipa: WARNING: session memcached servers not running
ipa: ERROR: non-public: ValueError: Could not unserialize key data.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 643, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 977, in forward
    encryption_key, public_key=public_key)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 474, in encrypt
    backend=default_backend()
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 24, in load_pem_public_key
    return backend.load_pem_public_key(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 285, in load_pem_public_key
    return b.load_pem_public_key(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 719, in load_pem_public_key
    self._handle_key_loading_error()
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 937, in _handle_key_loading_error
    raise ValueError("Could not unserialize key data.")
ValueError: Could not unserialize key data.
ipa: ERROR: an internal error has occurred
-sh-4.3$ ls -la
total 40
drwxr-xr-x.  4 testuser testuser 4096 Jul 20 11:20 .
drwxr-xr-x.  3 root     root     4096 Jul 16 15:42 ..
-rw-------.  1 testuser testuser 2628 Jul 17 19:30 .bash_history
drwxr-xr-x. 20 testuser testuser 4096 Jul 17 11:59 freeipa
drwxrwxr-x.  4 testuser testuser 4096 Jul 17 10:40 .ipa
-rw-rw-r--.  1 testuser testuser 1679 Jul 20 11:20 mykey.pem
-rw-rw-r--.  1 testuser testuser  451 Jul 20 11:20 mykey.pub
-rw-rw-r--.  1 testuser testuser   11 Jul 20 11:13 password.txt
-rw-------.  1 testuser testuser 1024 Jul 20 11:20 .rnd
-rw-------.  1 testuser testuser 3144 Jul 17 18:56 .viminfo
-sh-4.3$ ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
ipa: WARNING: session memcached servers not running
ipa: ERROR: vault with name "AsymmetricVault" already exists
-sh-4.3$ ipa vault-find
ipa: WARNING: session memcached servers not running
----------------
4 vaults matched
----------------
  Vault name: AsymmetricVault
  Description: Asymmetric vault
  Type: asymmetric

  Vault name: PrivateVault
  Description: Private vault
  Type: standard

  Vault name: SymmetricVault
  Description: Symmetric vault
  Type: symmetric

  Vault name: SymmetricVault2
  Description: Symmetric vault 2
  Type: symmetric
----------------------------
Number of entries returned 4
----------------------------
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1245224
Patch 019 adds validation of public keys. The ipa vault commands now load the public keys in order to verify them. The validation also prevents a user from accidentally sending her private keys to the server. The patch fixes #5142 and #5142.
$ ./ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data.
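Added illustration of the client-side check the comment above describes; this is not FreeIPA's code or the patch itself, and the function names, the PEM label sets and the DER shape test are assumptions of this example. It refuses a private key (by PEM label, and by DER structure even when the file has been mislabelled as a public key) before any key material would leave the machine, using only the standard library; the sample PEMs are constructed blobs, not real keys.

```python
import base64
import re

# PEM labels OpenSSL writes for keys ("openssl rsa -pubout" vs "openssl genrsa")
PUBLIC_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY"}
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _read_tlv(der, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length]

def check_vault_public_key(pem_text):
    """Return (True, 'ok') for a SubjectPublicKeyInfo PEM, else (False, reason).
    Runs on the client, before any key material is sent to the server."""
    m = PEM_RE.search(pem_text)
    if not m:
        return False, "Invalid or unsupported vault public key: no PEM block"
    label, body = m.groups()
    if label in PRIVATE_LABELS:
        return False, "refusing to send a private key (%s) as vault public key" % label
    if label not in PUBLIC_LABELS:
        return False, "Invalid or unsupported vault public key: %s" % label
    try:
        tag, spki = _read_tlv(base64.b64decode("".join(body.split()), validate=True))
        inner_tag, _ = _read_tlv(spki)
    except (ValueError, IndexError):  # binascii.Error is a ValueError subclass
        return False, "Could not unserialize key data."
    # SPKI = SEQUENCE { AlgorithmIdentifier SEQUENCE, BIT STRING }; PKCS#1/PKCS#8 private keys open with INTEGER version
    if tag != 0x30 or inner_tag != 0x30:
        return False, "Could not unserialize key data."
    return True, "ok"

# Constructed sample inputs (hypothetical blobs, not real keys), all bodies under 256 bytes.
def _der(tag, body):
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
SAMPLE_PUB = _pem("PUBLIC KEY", _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\x01" * 200)))
SAMPLE_PRIV = _pem("RSA PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x01" * 200)))
SAMPLE_RELABELLED = SAMPLE_PRIV.replace("RSA PRIVATE KEY", "PUBLIC KEY")  # private key with a public-key header
```

In the ticket's scenario, mykey.pem (the private key) would be rejected at the label check, while the real fix's error text is what the DER shape check reports for a mislabelled file.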
Patch for ticket #5142 fixed the root cause, so that it's unlikely that this issue will happen.
Metadata Update from @alich:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.2.1