jwcrypto 0.3.0 breaks FreeIPA #47

Closed
tiran opened this issue Aug 15, 2016 · 1 comment

Comments

@tiran
Member

tiran commented Aug 15, 2016

The latest release of jwcrypto breaks FreeIPA's ipa-replica-install. ipareplica-install log on the new replica:

2016-08-15T16:28:04Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 98, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 92, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 844, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 406 Client Error: Failed to validate message: Key ID is None, should be a SPN for url: https://master.ipa.example/ipa/keys/ra/ipaCert?type=kem&value=...

I added a couple of print statements to custodia on the master and ran

$ sudo -u apache curl -H 'GSS_NAME: admin' --unix /run/httpd/ipa-custodia.sock 'http://localhost/keys/ra/ipaCert?...
...
Aug 15 17:07:16 master.ipa.example custodia[11695]: <jwcrypto.jwe.JWE object at 0x7f8d49482890> {u'alg': u'RSA1_5', u'enc': u'A256CBC-HS512', u'kid': None}
Aug 15 17:07:16 master.ipa.example custodia[11695]: <jwcrypto.jws.JWS object at 0x7f8d4fe83410> {u'alg': u'RS256', u'kid': None}

kid is None for both the inner and outer object.

simo5 added a commit to simo5/jwcrypto that referenced this issue Aug 15, 2016
The new code was throwing away any additional parameter for the key (like the
'kid') when generating a new key.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fixes latchset#47
Closes latchset#48
simo5 added a commit to simo5/jwcrypto that referenced this issue Aug 16, 2016
The new code was throwing away any additional parameter for the key (like the
'kid') when generating a new key.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fixes latchset#47
Closes latchset#48
@simo5 simo5 closed this as completed in 9d006e4 Aug 16, 2016
simo5 added a commit that referenced this issue Aug 16, 2016
The new code was throwing away any additional parameter for the key (like the
'kid') when generating a new key.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Fixes #47
Closes #48
@tiran
Member Author

tiran commented Aug 19, 2016

The bug also broke Custodia and its CI. I had to force jwcrypto < 0.3 on all PRs.
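
A client-side or CI check for the condition the server rejected in this thread (a serialized header with `"kid": null`), as an added example that is not part of the original issue and is not jwcrypto, Custodia or FreeIPA code. It uses only the Python 3 standard library; the function names, the dummy token segments and the SPN-style `kid` value are assumptions made for illustration. Only the outer header can be read this way; the inner JWS header has to be checked after decryption.

```python
import base64
import json


def b64url_decode(segment):
    """Decode an unpadded base64url segment (JOSE compact form)."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def protected_header(token):
    """Protected header of a compact JWS (3 segments) or JWE (5 segments)."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS/JWE: %d segments" % len(parts))
    header = json.loads(b64url_decode(parts[0]).decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def kid_problem(token):
    """Return None if the header has a usable 'kid', else a reason string."""
    header = protected_header(token)
    if "kid" not in header:
        return "kid missing"
    kid = header["kid"]
    if kid is None:
        return "kid is null"  # the case in this issue
    if not isinstance(kid, str) or not kid.strip():
        return "kid is not a non-empty string"
    return None


def fake_token(header, segments):
    """Constructed token: real header, dummy remaining segments."""
    first = b64url_encode(json.dumps(header).encode("utf-8"))
    return ".".join([first] + [b64url_encode(b"x")] * (segments - 1))


# Constructed samples: the two headers printed in the issue, then one with a
# placeholder SPN-style kid (assumed value, not taken from the issue).
BROKEN_JWE = fake_token({"alg": "RSA1_5", "enc": "A256CBC-HS512", "kid": None}, 5)
BROKEN_JWS = fake_token({"alg": "RS256", "kid": None}, 3)
FIXED_JWS = fake_token({"alg": "RS256", "kid": "host/replica.ipa.example@IPA.EXAMPLE"}, 3)
```

Running `kid_problem` over tokens produced in a test suite catches a library upgrade that silently drops the key ID before a server rejects the request.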
