Regression in external CA installation when custom CSR extension specified

[pki-bot]

This issue was migrated from Pagure Issue #2825. Originally filed by ftweedal (@frasertweedale) on 2017-09-29 00:43:22:

• Closed at 2017-10-02 21:39:29 as fixed
• Assigned to ftweedal (@frasertweedale)

---

A regression was introduced in CSR generation for external CA installation,
when custom CSR extension is specified (e.g. by IPA, adding MS AD-CS template extension).

Log output:

2017-09-29 11:29:33 pkispawn    : INFO     ....... generating ca_signing CSR in /root/ipa.csr
2017-09-29 11:29:33 pkispawn    : DEBUG    ....... Error Type: TypeError
2017-09-29 11:29:33 pkispawn    : DEBUG    ....... Error Message: list indices must be integers, not dict
2017-09-29 11:29:33 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 533, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 928, in spawn
    self.generate_system_cert_requests(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 338, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 162, in generate_ca_signing_csr
    basic_constraints_ext, key_usage_ext, generic_exts
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 115, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 299, in create_request
    if extended_key_usage_ext[usage]:

The cause seems to be the addition of the extended_key_usage_ext parameter to generate_csr without a corresponding update to the call site in generate_ca_signing_csr. This call uses positional parameters and the custom extension list is passed at the position of the
new extended_key_usage_ext parameter.

The extended_key_usage_ext parameter was added in commit df1e923, but note that it was not used until commit f183cca which is where the code that actually breaks installation was added.

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2017-09-29 01:30:57

Gerrit review: https://review.gerrithub.io/#/c/380746/

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2017-09-29 01:30:58

Metadata Update from @frasertweedale:

• Custom field component adjusted to None
• Custom field feature adjusted to None
• Custom field origin adjusted to None
• Custom field proposedmilestone adjusted to None
• Custom field proposedpriority adjusted to None
• Custom field reviewer adjusted to None
• Custom field type adjusted to None
• Custom field version adjusted to None

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2017-09-29 01:31:04

Metadata Update from @frasertweedale:

• Issue assigned to frasertweedale

[pki-bot]

Comment from edewata (@edewata) at 2017-09-29 19:30:34

Metadata Update from @edewata:

• Issue priority set to: blocker
• Issue set to the milestone: 10.5

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2017-10-02 21:38:57

Fixed in master (7531bd6)

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2017-10-02 21:38:57

Metadata Update from @frasertweedale:

• Issue priority set to: None (was: blocker)
• Issue set to the milestone: None (was: 10.5)

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2017-10-02 21:39:30

Metadata Update from @frasertweedale:

• Issue close_status updated to: fixed
• Issue status updated to: Closed (was: Open)

[pki-bot]

Comment from vakwetu (@vakwetu) at 2017-10-09 09:43:21

Metadata Update from @vakwetu:

• Issue priority set to: critical
• Issue set to the milestone: 10.5

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-10-10 13:45:43

Metadata Update from @mharmsen:

• Issue set to the milestone: 10.5.0 (was: 10.5)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-10-26 20:49:58

Metadata Update from @mharmsen:

• Custom field fixedinversion adjusted to pki-core-10.5.0-1.fc27