Barbican

Generate CSR Fails with PyOpenSSL Version 0.15.1

Bug #1448193 reported by Dave McCowan on 2015-04-24

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Barbican	Fix Released	Critical	Dave McCowan	Barbican 1.0.0 "liberty"
	Kilo	Fix Released	Critical	Douglas Mendizábal	Barbican 2015.1.0 "kilo"

Bug Description

During Generate CSR with no passphrase, the server spews the below.
The original code worked with earlier versions of PyOpenSSL.

2015-04-24 14:48:06.474 5853 ERROR barbican.tasks.resources [-] Could not perform processing for task 'Process TypeOrder'.
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources Traceback (most recent call last):
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources File "/opt/stack/new/barbican/barbican/tasks/resources.py", line 95, in process
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources result = self.handle_processing(entity, *args, **kwargs)
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources File "/opt/stack/new/barbican/barbican/tasks/resources.py", line 245, in handle_processing
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources return self.handle_order(order)
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources File "/opt/stack/new/barbican/barbican/tasks/resources.py", line 295, in handle_order
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources order, project, result_follow_on)
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources File "/opt/stack/new/barbican/barbican/tasks/certificate_resources.py", line 121, in issue_certificate_request
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources csr = _generate_csr(order_model, project_model)
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources File "/opt/stack/new/barbican/barbican/tasks/certificate_resources.py", line 328, in _generate_csr
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources passphrase
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources TypeError: Last argument must be string or callable
2015-04-24 14:48:06.474 5853 TRACE barbican.tasks.resources
2015-04-24 14:48:06.476 5853 ERROR barbican.tasks.resources [-] Suppressing exception while trying to process task 'Process TypeOrder'.
2015-04-24 14:48:06.476 5853 TRACE barbican.tasks.resources Traceback (most recent call last):
2015-04-24 14:48:06.476 5853 TRACE barbican.tasks.resources File "/opt/stack/new/barbican/barbican/tasks/resources.py", line 61, in process_and_suppress_exceptions
2015-04-24 14:48:06.476 5853 TRACE barbican.tasks.resources self.process(*args, **kwargs)
2015-04-24 14:48:06.476 5853 TRACE barbican.tasks.resources File "/opt/stack/new/barbican/barbican/tasks/resources.py", line 110, in process
2015-04-24 14:48:06.476 5853 TRACE barbican.tasks.resources raise e_orig
2015-04-24 14:48:06.476 5853 TRACE barbican.tasks.resources TypeError: Last argument must be string or callable
2015-04-24 14:48:06.476 5853 TRACE barbican.tasks.resources

Douglas Mendizábal (dougmendizabal) on 2015-04-24

Changed in barbican:
status:	New → Confirmed
importance:	Undecided → Critical
assignee:	nobody → Dave McCowan (dave-mccowan)
milestone:	none → liberty-1
no longer affects:	barbican/liberty

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-24: Fix merged to barbican (master)

Reviewed: https://review.openstack.org/177225
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=64ff3430b5d20575cd2da4572a2541f98c7ba335
Submitter: Jenkins
Branch: master

commit 64ff3430b5d20575cd2da4572a2541f98c7ba335
Author: Dave McCowan <email address hidden>
Date: Fri Apr 24 08:50:09 2015 -0400

Fix call to load_privatekey() when passphrase is None

The original code worked, but breaks with PyOpenSSL 0.15.1,
the version currently used by the gate.

Closes-Bug: #1448193
Change-Id: Iae44f08fa6442e3463e6b552955229f3fd36fbde

Changed in barbican:
status:	Confirmed → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-24: Fix proposed to barbican (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/177366

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-27: Fix merged to barbican (stable/kilo)

Reviewed: https://review.openstack.org/177366
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=b37c35c9229dab43e3d77e5061d06f34c787bc2b
Submitter: Jenkins
Branch: stable/kilo

commit b37c35c9229dab43e3d77e5061d06f34c787bc2b
Author: Dave McCowan <email address hidden>
Date: Fri Apr 24 08:50:09 2015 -0400

Fix call to load_privatekey() when passphrase is None

The original code worked, but breaks with PyOpenSSL 0.15.1,
the version currently used by the gate.

Closes-Bug: #1448193
Change-Id: Iae44f08fa6442e3463e6b552955229f3fd36fbde

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-01: Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/179301

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to barbican (master)

Download full text (3.2 KiB)

Reviewed: https://review.openstack.org/179301
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=80af5cbd25f49e0f96b10604978712643213d427
Submitter: Jenkins
Branch: master

commit e6f05febbe18a86e4e6b05acc5f4868fa3beb291
Author: Nathan Reller <email address hidden>
Date: Tue Apr 28 08:54:25 2015 -0400

Fixed Bug for KMIP Secret Storage

    The KMIP secret store was incorrectly storing secrets. In some cases
    this resulted in extra information being stored with the keys and in
    other cases the key storage would fail with a 500 internal server
    error.

This patch fixes the KMIP secret store to correctly store secrets.

    Change-Id: I94944a05776d366bd33d46ddb25f7129425405d0
    Co-authored-by: Kaitlin Farr <email address hidden>
    Closes-Bug: #1449234
    (cherry picked from commit 597869880f186ce951809fe85d5d7d0610f35c4f)

commit 604c402be0e50aaa305154dc1c39fda08b7566d9
Author: Arun Kant <email address hidden>
Date: Fri Apr 24 09:19:25 2015 -0700

Fix for missing id check in ACL count query.

Fixing issue and adding unit test to cover this API specifically.
It may need to be backported to Kilo as well.

Closes-Bug: #1447868

Change-Id: I1d6cc4ea59ea767d08112b148fb6b085bb2c4859

commit 46184bb4b3a81e503a9e4aff4ba9ea0a66061a16
Author: Charles Neill <email address hidden>
Date: Tue Apr 21 15:49:20 2015 -0500

Removing signing_dir directive from config

    The signing_dir directive defined in barbican-api-paste.ini explicitly
    stores Keystone's signing certificates in a known /tmp directory. This
    could be exploited by populating the directory with bogus certificates,
    potentially allowing a malicious user to generate valid tokens.

Added comment explaining signing_dir, and a reasonable
(commented) default.

Change-Id: I15fda6863e888e3881694ab47a836eee2fb578ee
Closes-Bug: #1446406

commit 4861932b51e491d217276f07f52e116179dc0d15
Author: Dave McCowan <email address hidden>
Date: Tue Apr 21 17:59:41 2015 -0400

Fix failure with get on dict that was None

    When calling get_acl_dict_for_user() in the RBAC feature, the user list
    may be empty. In this case, make sure an empty list (not None) is
    returned so the receiving code won't fail.

Change-Id: I6aeb94e03aa7898823ec408807180f7eeb2d2916
Closes-bug: #1446826

commit b37c35c9229dab43e3d77e5061d06f34c787bc2b
Author: Dave McCowan <email address hidden>
Date: Fri Apr 24 08:50:09 2015 -0400

Fix call to load_privatekey() when passphrase is None

The original code worked, but breaks with PyOpenSSL 0.15.1,
the version currently used by the gate.

Closes-Bug: #1448193
Change-Id: Iae44f08fa6442e3463e6b552955229f3fd36fbde

commit 93718aaa70d3f4523e636bfa6d602470e0d26b26
Author: OpenStack Proposal Bot <email address hidden>
Date: Mon Apr 20 17:54:00 2015 +0000

Updated from global requirements

Change-Id: Ife99d56a70c0ebd10a9ea47b06f969cd1e74b984

commit bb1cf4d54b2b7e95dd3f37d4c3f0cd1b0045ce7b
Author: Thierry Carrez <email address hidden>
Date: Mon Apr 20 18:26:05 2015 +0200
...

Reviewed:  https://review.openstack.org/179301
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=80af5cbd25f49e0f96b10604978712643213d427
Submitter: Jenkins
Branch:    master

commit e6f05febbe18a86e4e6b05acc5f4868fa3beb291
Author: Nathan Reller <Nathan.Reller@jhuapl.edu>
Date:   Tue Apr 28 08:54:25 2015 -0400

Fixed Bug for KMIP Secret Storage
    
    The KMIP secret store was incorrectly storing secrets. In some cases
    this resulted in extra information being stored with the keys and in
    other cases the key storage would fail with a 500 internal server
    error.
    
    This patch fixes the KMIP secret store to correctly store secrets.
    
    Change-Id: I94944a05776d366bd33d46ddb25f7129425405d0
    Co-authored-by: Kaitlin Farr <Kaitlin.Farr@jhuapl.edu>
    Closes-Bug: #1449234
    (cherry picked from commit 597869880f186ce951809fe85d5d7d0610f35c4f)

commit 604c402be0e50aaa305154dc1c39fda08b7566d9
Author: Arun Kant <arun.kant@hp.com>
Date:   Fri Apr 24 09:19:25 2015 -0700

Fix for missing id check in ACL count query.
    
    Fixing issue and adding unit test to cover this API specifically.
    It may need to be backported to Kilo as well.
    
    Closes-Bug: #1447868
    
    Change-Id: I1d6cc4ea59ea767d08112b148fb6b085bb2c4859

commit 46184bb4b3a81e503a9e4aff4ba9ea0a66061a16
Author: Charles Neill <charles.neill@rackspace.com>
Date:   Tue Apr 21 15:49:20 2015 -0500

Removing signing_dir directive from config
    
    The signing_dir directive defined in barbican-api-paste.ini explicitly
    stores Keystone's signing certificates in a known /tmp directory. This
    could be exploited by populating the directory with bogus certificates,
    potentially allowing a malicious user to generate valid tokens.
    
    Added comment explaining signing_dir, and a reasonable
    (commented) default.
    
    Change-Id: I15fda6863e888e3881694ab47a836eee2fb578ee
    Closes-Bug: #1446406

commit 4861932b51e491d217276f07f52e116179dc0d15
Author: Dave McCowan <dmccowan@cisco.com>
Date:   Tue Apr 21 17:59:41 2015 -0400

Fix failure with get on dict that was None
    
    When calling get_acl_dict_for_user() in the RBAC feature, the user list
    may be empty.  In this case, make sure an empty list (not None) is
    returned so the receiving code won't fail.
    
    Change-Id: I6aeb94e03aa7898823ec408807180f7eeb2d2916
    Closes-bug: #1446826

commit b37c35c9229dab43e3d77e5061d06f34c787bc2b
Author: Dave McCowan <dmccowan@cisco.com>
Date:   Fri Apr 24 08:50:09 2015 -0400

Fix call to load_privatekey() when passphrase is None
    
    The original code worked, but breaks with PyOpenSSL 0.15.1,
    the version currently used by the gate.
    
    Closes-Bug: #1448193
    Change-Id: Iae44f08fa6442e3463e6b552955229f3fd36fbde

commit 93718aaa70d3f4523e636bfa6d602470e0d26b26
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Mon Apr 20 17:54:00 2015 +0000

Updated from global requirements
    
    Change-Id: Ife99d56a70c0ebd10a9ea47b06f969cd1e74b984

commit bb1cf4d54b2b7e95dd3f37d4c3f0cd1b0045ce7b
Author: Thierry Carrez <thierry@openstack.org>
Date:   Mon Apr 20 18:26:05 2015 +0200

Update .gitreview to match stable/kilo
    
    Change-Id: I6d6a396924b338fe7cca3fc381feda8752491f56

Doug Hellmann (doug-hellmann) on 2015-06-24

Changed in barbican:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in barbican:
milestone:	liberty-1 → 1.0.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.