cannot retrieve certificate payload with snakeoil plugin

Bug #1479439 reported by Brianna Poulos
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
python-barbicanclient | Confirmed | Undecided | Unassigned |

Bug Description

I am unable to retrieve a certificate payload. I have snakeoil configured as the certificate backend. Use the following steps to reproduce the error:

1. Enabled snakeoil_ca for the certificate plugin
#[snakeoil_ca_plugin]
#ca_cert_path = /etc/barbican/snakeoil-ca.crt
#ca_cert_key_path = /etc/barbican/snakeoil-ca.key

To:
[snakeoil_ca_plugin]
ca_cert_path = /etc/barbican/snakeoil-ca.crt
ca_cert_key_path = /etc/barbican/snakeoil-ca.key

Change:
[certificate]
namespace = barbican.certificate.plugin
enabled_certificate_plugins = simple_certificate

To:
[certificate]
namespace = barbican.certificate.plugin
enabled_certificate_plugins = snakeoil_ca

2. Restarted barbican

3. Create asymmetric keypair
$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from keystoneclient.auth import identity
>>> from keystoneclient import session
>>> from barbicanclient import client
>>>
>>> auth = identity.v3.Password(auth_url='http://localhost:5000/v3',
... username='admin',
... user_domain_name='Default',
... password='THEADMINPASSWORD',
... project_name='demo',
... project_domain_name='Default')
>>> sess = session.Session(auth=auth)
>>> barbican = client.Client(session=sess)
>>>
>>> my_asym_order = barbican.orders.create_asymmetric(algorithm='rsa', payload_content_type='application/octet-stream', bit_length=1024)
>>> my_asym_ref = my_asym_order.submit()
>>> retrieved_asym = barbican.orders.get(my_asym_ref)
>>> retrieved_contain = barbican.containers.get(retrieved_asym.container_ref)
>>> retrieved_contain.public_key
Secret(secret_ref="http://localhost:9311/v1/secrets/4216e17f-f0df-4621-b5bb-a99db67b9cbd")
>>> retrieved_contain.private_key
Secret(secret_ref="http://localhost:9311/v1/secrets/f9ed533f-e351-4131-8777-03e29fd96032")
>>> retrieved_asym.container_ref
u'http://localhost:9311/v1/containers/7a59ab73-44e3-49e5-8030-97ed7aa75a2d'
>>>

4. Create the certificate
~/devstack$ source openrc admin
~/devstack$ barbican order create --name test_snakeoil --type certificate --request-type stored-key --source-container-ref "http://localhost:9311/v1/containers/7a59ab73-44e3-49e5-8030-97ed7aa75a2d" --subject-dn "cn=server1, o=example.com"

5. Note the certificate information
~/devstack$ barbican order list
Starting new HTTP connection (1): 10.109.24.227
Starting new HTTP connection (1): 10.109.24.227
Resetting dropped connection: 10.109.24.227
+----------------------------------------------------------------------+-------------+--------------------------------------------------------------------------+-------------+---------------------------+--------+------------+---------------+
| Order href | Type | Container href | Secret href | Created | Status | Error code | Error message |
+----------------------------------------------------------------------+-------------+--------------------------------------------------------------------------+-------------+---------------------------+--------+------------+---------------+
| http://localhost:9311/v1/orders/1d649e1b-efed-42ea-ba3a-235c6f6fa32e | Asymmetric | http://localhost:9311/v1/containers/7a59ab73-44e3-49e5-8030-97ed7aa75a2d | N/A | 2015-07-29 16:18:49+00:00 | ACTIVE | None | None |
| http://localhost:9311/v1/orders/114571a8-9862-44ae-90c6-65a70edea0fb | Certificate | http://localhost:9311/v1/containers/f610e540-d917-4738-8e49-e146bcccfd4e | N/A | 2015-07-29 16:20:52+00:00 | ACTIVE | None | None |
+----------------------------------------------------------------------+-------------+--------------------------------------------------------------------------+-------------+---------------------------+--------+------------+---------------+
~/devstack$

6. Try to retrieve certificate payload

>>>
>>> retrieved_cert_container = barbican.containers.get(u'http://localhost:9311/v1/containers/f610e540-d917-4738-8e49-e146bcccfd4e')
>>> retrieved_cert_container.certificate.payload
No handlers could be found for logger "barbicanclient.client"
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, in _check_status_code
    status
barbicanclient.exceptions.HTTPClientError: Not Acceptable
>>>

7. Look at barbican-svc logs:

2015-07-29 12:30:27.884 ERROR pecan.core [req-8c70192a-2644-442c-8003-478467e2de5c 5b3512da16654b37bcb82955ac4834af 53be34bff96340aca2823102fa893082] Controller 'handler' defined does not support content_type 'None'. Supported type(s): ['image/x-coreldraw', 'application/x-chess-pgn', 'application/cu-seeme', ... ,'application/x-gtar-compressed', 'video/gl']
2015-07-29 12:30:27.888 INFO barbican.api.middleware.context [req-8c70192a-2644-442c-8003-478467e2de5c 5b3512da16654b37bcb82955ac4834af 53be34bff96340aca2823102fa893082] Processed request: 406 Not Acceptable - GET http://localhost:9311/v1/secrets/c7c7dd53-fcc8-4702-9ca6-445d421141cd/payload

Brianna Poulos (brianna-poulos) wrote :

Note that the certificate payload can be retrieved through the CLI without any issues, so it doesn't appear to be a problem with the creation of the certificate.

From CLI:
~/devstack$ barbican secret get http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f --payload
Starting new HTTP connection (1): 10.109.24.227
Starting new HTTP connection (1): localhost
+---------+------------------------------------------------------------------+
| Field | Value |
+---------+------------------------------------------------------------------+
| Payload | -----BEGIN CERTIFICATE----- |
| | -----END CERTIFICATE----- |
| | |
+---------+------------------------------------------------------------------+
~/devstack$

From python:
>>> certificate = barbican.secrets.get('http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f')
>>> certificate
Secret(secret_ref="http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f")
>>> certificate.payload
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, in _check_status_code
    status
barbicanclient.exceptions.HTTPClientError: Not Acceptable
>>> certificate.payload_content_type
u'application/pkix-cert'
>>>

Brianna Poulos (brianna-poulos) wrote :

The payload_content type "application/pkix-cert" is not listed as a supported content type for pecan.core in the error message.


Brianna Poulos (brianna-poulos) wrote :

I determined that if I define the payload_content_type as 'text/plain' through python then I no longer see the error. Also, if I define the payload_content_type as 'application/pkix-cert' on the CLI, I get the same error that I was seeing from python.

From CLI:
~/devstack$ barbican secret get http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f --payload -f value --debug --payload_content_type application/pkix-cert
Starting new HTTP connection (1): 10.109.24.227
Starting new HTTP connection (1): localhost
4xx Client error: Not Acceptable
Not Acceptable
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 314, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican_cli/secrets.py", line 68, in take_action
    (entity.payload,))
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, in _check_status_code
    status
HTTPClientError: Not Acceptable
Traceback (most recent call last):
  File "/usr/local/bin/barbican", line 10, in <module>
    sys.exit(main())
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican.py", line 310, in main
    return barbican_app.run(argv)
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican.py", line 305, in run
    return super(Barbican, self).run(argv)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 241, in run
    result = self.run_subcommand(remainder)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 314, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican_cli/secrets.py", line 68, in take_action
    (entity.payload,))
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, i...


Kaitlin Farr (kaitlin-farr) wrote :

I am able to duplicate the reported behavior.

Changed in barbican:
status: New → Confirmed
Sergey Skripnick (eyerediskin) wrote :

Any workaround?

affects: barbican → python-barbicanclient
Kaitlin Farr (kaitlin-farr) wrote :

Sergey, in Brianna's comment from 2015-07-30, she was able to work around the issue by defining the payload_content_type as 'text/plain'.
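
The 406 discussed in this thread, as an added example that is not code from barbican, pecan or python-barbicanclient: a simplified model of server-side Accept negotiation, showing why a request for `application/pkix-cert` is refused while `text/plain` is served. The `SUPPORTED` list is a constructed sample (a few types from the logged list plus `text/plain`, assumed supported because the thread reports it working), and `parse_accept`, `quality` and `negotiate` are hypothetical helper names.

```python
# Simplified model of HTTP Accept negotiation; not barbican or pecan code.
# Constructed sample: a few types from the logged "Supported type(s)" list,
# plus text/plain, which the thread reports as working (assumed supported).
SUPPORTED = ['image/x-coreldraw', 'application/x-chess-pgn',
             'application/cu-seeme', 'video/gl', 'text/plain']


def parse_accept(header):
    """Parse an Accept header into [(media_range, q)]; a bad q counts as 0."""
    ranges = []
    for part in header.split(','):
        fields = [f.strip() for f in part.split(';')]
        if not fields[0]:
            continue
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition('=')
            if name.strip().lower() == 'q':
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        ranges.append((fields[0].lower(), q))
    return ranges


def quality(offered, ranges):
    """q of the most specific range matching `offered`; 0.0 if none match."""
    o_type, _, o_sub = offered.partition('/')
    best_spec, best_q = -1, 0.0
    for media, q in ranges:
        r_type, _, r_sub = media.partition('/')
        if r_type in ('*', o_type) and r_sub in ('*', o_sub):
            spec = (r_type != '*') + (r_sub != '*')
            if spec > best_spec:
                best_spec, best_q = spec, q
    return best_q


def negotiate(accept_header, supported=SUPPORTED):
    """Return (200, chosen_type) or (406, None) under this model."""
    ranges = parse_accept(accept_header or '*/*')  # no header: accept anything
    best_q, best = max(((quality(t, ranges), t) for t in supported),
                       key=lambda s: s[0])
    return (200, best) if best_q > 0 else (406, None)
```

In this model an Accept header that lists only a type missing from the server's supported set yields 406, while one that also carries a supported fallback such as `text/plain;q=0.5` negotiates successfully.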
