Check ca_wrapped in ipa-custodia-check #5112

Closed
wants to merge 2 commits into from

Conversation

tiran
Member

@tiran tiran commented Sep 16, 2020

ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key
material. Add checks to custodia to verify that key wrapping works.

Signed-off-by: Christian Heimes cheimes@redhat.com

@tiran tiran added ipa-4-8 Mark for backport to ipa 4.8 needs review Pull Request is waiting for a review labels Sep 16, 2020
@tiran tiran added the re-run Trigger a new run of PR-CI label Sep 17, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Sep 17, 2020
@rcritten
Contributor

Manual execution of ipa-custodia-check fails with these two keys. The others all pass.

[2020-09-18T18:41:33 ipa-custodia-tester] : Failed to retrieve key 'ca_wrapped/auditSigningCert cert-pki-ca': 404 Client Error: Not Found for url: https://replica.example.test/ipa/keys/ca_wrapped/auditSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.K_9BTNVqxhPSiUjnRSTzwNxIGJTPO0_BtkAngTojJSFzEf6ctl50J8DcRbJPOhpcqtv8G0OevHRuTw8bEqTjuZQYb9gE1RsnGLgw6_FgMCGE5W2BbtW0BDPyVGWC1xqGVE0TIyfXQak_60ZZ3LYatdkvni-ZWKWzYWFSMcMhi9jIpsafmDglt94iKSdydwlKVfHQJH5RVNTk0Ddsmnw6HXPxqcp1olidkTvbcG-Ib6XRKaAwFVkaSVCcnfnr7zGVdUa5ty51c74hQ4P1EPh3OXg1kZbNEj-8FfQpPuuGfv2cB4nW2PWTKk7KU5QLx3o19pqWNMepqO2AppO4ZmMrzA.32gWTP5ku61mT_UeGyk_Xg.r79IoT3cNekGe3xCe8xLqvmclaNWUjk-X0p4duw6-q4ZcH1RcIf9cDqHey5_sKNBPXsPatXONxZWE2gHLIXPp8bw1bkvFWhqUhL659_HrMv0YYjmyXyNdFoVn3d3I4FkpgkZCn_7vH-PtIOJWBfBEaawCl6hCpi9vmI7vxg0Mb75W3fXc1Ndl1ByDV3YSVJNw8EFbjdJd_zpdewYGgjCSl6gDs_Ad1N_0lXHu2c-8ms-BpG6CdUYH5cUh3cHMzmu-CXoEyqzkCAdUgbJDMQr9ZfYNVbgzSu3Cw4kvqEJzLuFy3O5n7KaT7pAEXbeFc7ReLVeqBtGhqJDbJBJuV92Nyc2AKm26gInR-APFgi65uane42JpcWoqMtqqqpO5P40Kf-JSc8vRaXrmqhEJagbWMRl5nvtxj1XTTG2NSuD-4g8ODlt8elC830ZYRGr7xQ-EltCMb5OEKeGwFPQJNz0f6m_-mWLUM9VJcrhq2Wx5q1f1aJJTrtYJTdCMuoZ06wo0IRFTJNTEo04XBvr7kJtUzuBm7NNVpGVnsOwX-WYC1Ic8F0rViKYMix6hSNen64xNJpoLfX1EfA54reQJfMkvJb0tU8upp-tIDkwLb0-UDQyCxDg18zx226TU1zPMnQuuCvMb2TVqxK7CWo7Xu7iwwqY69om5mGwxFHmPMZnUD25Dm3HCSLwFhRX1SS6AKfd.nK3269aR2pcOURcT6F1CuseqGL6UC9bDVr2GSgvOWDs.
[2020-09-18T18:41:33 ipa-custodia-tester] : Failed to retrieve key 'ca_wrapped/auditSigningCert cert-pki-ca/1.2.840.113549.3.7': 404 Client Error: Not Found for url: https://replica.example.test/ipa/keys/ca_wrapped/auditSigningCert%20cert-pki-ca/1.2.840.113549.3.7?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.wFmIJz9LEvz37SsdqV6QVM5Ejr3Psk6zWcLOkNzsglREn4E1SJc2IBfFjbWxL7AjNdVw9EF1jtJSxoHGvEFY2L7aJUY-s0oN9pOi8UMqom2L3UFYVMlQXjAOTXGgM_zKYQhYEL5_N88R-vShJZpuM0CR-AGHssLT_Ug133qzpgugFYiFouXiDCJsBimz-N1vxttSq5bymxs2AwkrnxvF63l20aZvkp39tAw0O-WpJt5_1F3CNm1lDUGDF4mUmfajO5U8mOlER39zetgEsWdVWMACZmWnPXeV6VVL48aQdHROuykf0RoCt-5EpPKA95UPbhHiTEArmZi_pk2HyLuqgw.ss9UNKzw0DgJcxIcAdvjfg.CHuQik9Ac71LQeW9xZWk3Z5DslROY1qFmv44UtOV5Vt5gZdLzYe4uvMts9rV-WX6Syut6RYWGA4MZE97SGRz4htsKbgg3-7MZejXQs3I_VInS39sY_JPDyn8ZKfU5nBw1V1UqMLbEw2CwDePPU0aeQUZJIYJS4lZJNX3WKUG5vr489E2hrZ-xDgdfwho8du4tAS4PuBBpMq9XtTrNvMdl24ONLkgul_r2qB3MWLSseqEH59GA7Dgzm33WLXydL9LXnrfUdM7RGE37s0FpM0v25Y6ZGMrv6Pa0hx1ySJ5ny3zOaFRYcMB2oafkQMJpvQeZgpGIE43OMKNBrSw3AacutSxZAavMjkMt1SNZZxoWpPC52iPSG4_a8yOHLOVwIlBi4dnAQzzQZLArmgsU7outvf1qsmO5orY3PgfpGeWFQkrfdmEoa0WnmjrIpjiZ90AodINAS9ybi8A7pzMkDRRRSa1ImbqlVTV0YkBw4pMSshwTNSFmc8QxUhYmscgM8ovkObz0nGkOYnvlDd7Ftc86BzR7YUIzobAiXZ0f7hXxSv0byyuYOH598zJfcpb9DQ0NKofh2b2NdeG1vv48SNeoRvPWLKb5h-3ErSsF1yur1Ec2n0lb1qf7081ZWjUtvI2G6Cs1BGL0VFy01DpLu3kb7WjSxZKXqCiP6Dvk1LfxE5C4ZWOqk3fbW4a7B5E5DPj_B53MWED-Jjnym7u4BUDfg.T7oeXw11DWJPcfx3JL7I0FsSqrV5OkHIpeD8fdFPEBE.
[ERROR] One or more tests have failed.
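The two failure lines above carry the full request the checker sent. The `value` query parameter is a JWE in compact serialization (five base64url segments separated by dots); only the first segment, the protected header, is readable without the server's private key. The script below, an added example that is not part of the PR or of ipa-custodia-check, parses such a line and decodes that header so the key-wrapping algorithm and content-encryption mode are visible. The sample line is constructed from the first failure above: the protected header is the real one from the log, the four encrypted segments are replaced by short placeholders, and the log-line format and the `/ipa/keys/` path prefix are assumptions from what the page shows.

```python
"""Added example: decode the JWE protected header from an
ipa-custodia-tester 'Failed to retrieve key' log line."""
import base64
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: first failure line from the thread, with the four
# encrypted JWE segments replaced by placeholders (only the header is decoded).
SAMPLE_LOG = (
    "[2020-09-18T18:41:33 ipa-custodia-tester] : Failed to retrieve key "
    "'ca_wrapped/auditSigningCert cert-pki-ca': 404 Client Error: Not Found "
    "for url: https://replica.example.test/ipa/keys/ca_wrapped/"
    "auditSigningCert%20cert-pki-ca?type=kem&value="
    "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9"
    ".Q0VL.SVY.Q0lQSEVSVEVYVA.VEFH."
)

# Assumed log-line shape, derived from the lines quoted in the thread.
LINE_RE = re.compile(
    r"\[(?P<ts>\S+) ipa-custodia-tester\] : Failed to retrieve key "
    r"'(?P<key>[^']+)': (?P<status>\d{3}) [^:]+: (?P<reason>.+?) for url: (?P<url>\S+)"
)


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JOSE."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_failure(line: str) -> dict:
    """Extract key name, HTTP status and the JWE protected header from one
    'Failed to retrieve key' log line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not an ipa-custodia-tester failure line")
    # The log message ends with a full stop that is not part of the URL;
    # base64url never contains '.', so stripping trailing dots is safe.
    url = urlsplit(m["url"].rstrip("."))
    query = parse_qs(url.query)
    segments = query["value"][0].split(".")
    if len(segments) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(segments)}")
    header = json.loads(b64url_decode(segments[0]))
    path = unquote(url.path)
    prefix = "/ipa/keys/"  # assumed from the URLs in the log
    return {
        "timestamp": m["ts"],
        "key": m["key"],
        "status": int(m["status"]),
        "reason": m["reason"],
        "path_key": path[len(prefix):] if path.startswith(prefix) else path,
        "type": query["type"][0],
        "alg": header.get("alg"),
        "enc": header.get("enc"),
        "kid": header.get("kid"),
    }


if __name__ == "__main__":
    for field, value in parse_failure(SAMPLE_LOG).items():
        print(f"{field:>9}: {value}")
```

For the header from the log this yields `alg` RSA-OAEP and `enc` A256CBC-HS512 with no `kid`, and confirms that the key name in the URL path, once percent-decoded, is the same name the checker reported as missing.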

@tiran
Member Author

tiran commented Sep 19, 2020

SELinux is blocking the operation. PR #5109 will fix the issue.

@fcami how about you add this changeset to your PR and include a test to run the checker on master and with master as hostname? It's a simple reproducer for the SELinux AVC.

@fcami
Contributor

fcami commented Sep 21, 2020

@tiran I'm afraid I'll have to postpone writing a test until after #5109 is merged.

@tiran
Member Author

tiran commented Sep 21, 2020

> @tiran I'm afraid I'll have to postpone writing a test until after #5109 is merged.

Understood! I have added additional tests. The tests should trigger AVCs until #5109 is merged.

@freeipa-pr-ci freeipa-pr-ci added the needs rebase Pull Request cannot be automatically merged - needs to be rebased label Sep 21, 2020
@tiran tiran force-pushed the custodia_check_wrapped branch 2 times, most recently from 7efd035 to e4bd3ec Compare September 22, 2020 16:18
@tiran tiran removed the needs rebase Pull Request cannot be automatically merged - needs to be rebased label Sep 22, 2020
@tiran tiran added the re-run Trigger a new run of PR-CI label Sep 23, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Sep 23, 2020
@tiran tiran force-pushed the custodia_check_wrapped branch 3 times, most recently from 742a61a to 3e97a73 Compare September 23, 2020 20:23
@tiran tiran added the re-run Trigger a new run of PR-CI label Sep 24, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Sep 24, 2020
@tiran
Member Author

tiran commented Sep 24, 2020

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rcritten
Contributor

ipa-custodia-check is working for me locally again in enforcing mode. All certs were successfully checked.

@rcritten rcritten removed the needs review Pull Request is waiting for a review label Oct 2, 2020
@rcritten
Contributor

rcritten commented Oct 2, 2020

@fcami it looks ok to me, wanted to give you an opportunity to give it a second look.

@fcami
Contributor

fcami commented Oct 2, 2020

LGTM.
Could you change the 1st commit so that the test added is at the right place, and remove the resulting move in the 2nd commit? I'll ACK afterwards.

@fcami fcami left a comment

test_ipa_custodia_check was moved around.

@tiran tiran added the re-run Trigger a new run of PR-CI label Oct 5, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Oct 5, 2020
@fcami fcami added the re-run Trigger a new run of PR-CI label Oct 5, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Oct 5, 2020
ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key
material. Add checks to custodia to verify that key wrapping works.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>

ipa-custodia tests will fail if the ipa.pp override module from
freeipa-selinux is not correctly installed, loaded, and enabled.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
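The second commit makes the ipa-custodia tests depend on the freeipa-selinux `ipa` module being installed, loaded and enabled. The following is an added example of such a check, not the project's own test code. It parses the output of `semodule -lfull`, whose per-line format is assumed here to be `<priority> <name> <lang> [disabled]`; the sample outputs are constructed. Several copies of a module may be installed at different priorities, and only the highest-priority copy is active, which is how an override module shadows the copy shipped with the distribution policy.

```python
"""Added example: verify that an SELinux policy module (default: "ipa")
is installed and enabled, based on `semodule -lfull` output."""
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass
class ModuleState:
    name: str
    priority: int
    enabled: bool


def parse_semodule_lfull(output: str) -> List[ModuleState]:
    """Parse `semodule -lfull` output (assumed format:
    "<priority> <name> <lang> [disabled]"); other lines are skipped."""
    modules = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        modules.append(ModuleState(name=fields[1],
                                   priority=int(fields[0]),
                                   enabled="disabled" not in fields[3:]))
    return modules


def check_module(output: str, name: str = "ipa") -> str:
    """Return "ok" when `name` is installed and no copy of it is flagged
    disabled; otherwise a short reason usable as a test failure message.
    The copy with the highest priority is the one SELinux actually loads."""
    copies = [m for m in parse_semodule_lfull(output) if m.name == name]
    if not copies:
        return f"{name}: not installed"
    active = max(copies, key=lambda m: m.priority)
    if any(not m.enabled for m in copies):
        return f"{name}: installed at priority {active.priority} but disabled"
    return "ok"


# Constructed samples in the assumed `semodule -lfull` format.
SAMPLE_OK = "100 abrt    pp\n100 ipa     pp\n200 ipa     pp\n"
SAMPLE_DISABLED = "100 ipa     pp\n200 ipa     pp disabled\n"
SAMPLE_MISSING = "100 abrt    pp\n"


def live_check(name: str = "ipa") -> str:
    """Run the real command on this host (needs policycoreutils installed)."""
    out = subprocess.run(["semodule", "-lfull"], capture_output=True,
                         text=True, check=True).stdout
    return check_module(out, name)


if __name__ == "__main__":
    print(live_check())
```

A test that calls `check_module()` before exercising ipa-custodia can then report "module not installed" or "module disabled" directly, instead of leaving the reader to infer it from a 404 and an AVC denial as happened in this thread.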
@tiran tiran added the re-run Trigger a new run of PR-CI label Oct 5, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Oct 5, 2020
@fcami fcami added the ack Pull Request approved, can be merged label Oct 5, 2020
@fcami
Contributor

fcami commented Oct 5, 2020

ACK, thanks for this @tiran

@tiran tiran added the pushed Pull Request has already been pushed label Oct 5, 2020
@tiran
Member Author

tiran commented Oct 5, 2020

master:

  • fbb6484 Check ca_wrapped in ipa-custodia-check
  • 9a9cd30 Verify freeipa-selinux's ipa module is loaded
