Openssl tests rely on expired certificate

Bug #1068851 reported by Adam Young
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Guang Yee |
Folsom | Fix Released | High | Gerardo Porras |
keystone (Ubuntu) | Fix Released | Undecided | Unassigned |
Quantal | Fix Released | Undecided | Unassigned |

Bug Description

We are seeing unit test failures. Checking the certs in

keystone/examples/ssl/certs

[ayoung@ayoung530 certs]$ openssl verify -CAfile ca.pem middleware.pem
middleware.pem: C = US, ST = CA, O = Openstack, OU = Middleware, CN = localhost, emailAddress = <email address hidden>
error 10 at 0 depth lookup:certificate has expired
OK
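
A pre-test guard for this failure mode, as an added example that is not part of the original report or of keystone's code: it checks every certificate in a fixture directory with `openssl x509 -checkend`, keying on the exit status because the verify output above still ends in `OK` after reporting error 10. The function names, the 30-day default window and the sample subject are assumptions.

```shell
#!/bin/sh
# Added example: fail a test run early when fixture certificates are expired
# or about to expire. Function names and the default window are assumptions.

# make_test_cert DIR DAYS: write a throwaway self-signed localhost certificate
# (constructed sample data) and its key into DIR, valid for DAYS days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/C=US/ST=CA/O=Example/OU=Tests/CN=localhost" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# check_cert_expiry DIR [DAYS]: return 0 only if every certificate in
# DIR/*.pem stays valid for at least DAYS more days (default 30).
check_cert_expiry() {
    dir=$1
    days=${2:-30}
    rc=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        # Key-only files carry no certificate; skip them.
        grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || continue
        # -checkend exits non-zero if notAfter falls inside the window, so the
        # result does not depend on parsing "OK" out of verify's output.
        if ! openssl x509 -in "$pem" -noout \
                -checkend $((days * 86400)) >/dev/null 2>&1; then
            echo "EXPIRING: $pem ($(openssl x509 -in "$pem" -noout -enddate 2>/dev/null))" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_certs.sh keystone/examples/ssl/certs 30
if [ $# -gt 0 ]; then
    check_cert_expiry "$@"
fi
```

Run before the test suite, a non-zero exit points at the fixture that needs regenerating instead of surfacing as an unrelated SSL test failure.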

Adam Young (ayoung) wrote :

Under tests/signing we have a makefile for updating the certificates for the PKI tokens unit tests. We can extend that to generate the certificates for SSL as well. Probably should move the "signing" subdirectory to "pki" or something to indicate Crypto.

Joseph Heck (heckj)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Adam Young (ayoung)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/14614

Changed in keystone:
assignee: Adam Young (ayoung) → Guang Yee (guang-yee)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/14614
Committed: http://github.com/openstack/keystone/commit/4f71ec9e5dd632b1c4586b63f89525a6161c2b57
Submitter: Jenkins
Branch: master

commit 4f71ec9e5dd632b1c4586b63f89525a6161c2b57
Author: guang-yee <email address hidden>
Date: Mon Oct 22 12:49:22 2012 -0700

    Fixed bug 1068851. Refreshed new crypto for the SSL tests.

    Change-Id: Ib37547923a9da347835a9b2c51deae6b954e1ead

Changed in keystone:
status: In Progress → Fix Committed
Gerardo Porras (gerardo8a) wrote :

Guang Yee,

   Can we port this back to folsom?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/14654

Gerardo Porras (gerardo8a) wrote :

I cherry picked your changes to folsom and submitted a review.

https://review.openstack.org/#/c/14654/

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/folsom)

Reviewed: https://review.openstack.org/14654
Committed: http://github.com/openstack/keystone/commit/3cd343b2f2034f33d97cd1e866a4a7d726f77901
Submitter: Jenkins
Branch: stable/folsom

commit 3cd343b2f2034f33d97cd1e866a4a7d726f77901
Author: guang-yee <email address hidden>
Date: Mon Oct 22 12:49:22 2012 -0700

    Fixed bug 1068851. Refreshed new crypto for the SSL tests.

    Change-Id: Ib37547923a9da347835a9b2c51deae6b954e1ead
    (cherry picked from commit 4f71ec9e5dd632b1c4586b63f89525a6161c2b57)

tags: added: in-stable-folsom
Joseph Heck (heckj)
Changed in keystone:
milestone: none → grizzly-1
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Quantal):
status: New → Confirmed
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Adam, or anyone else affected,

Accepted keystone into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in keystone (Ubuntu Quantal):
status: Confirmed → Fix Committed
tags: added: verification-needed
Mark McLoughlin (markmc)
tags: removed: in-stable-folsom
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keystone - 2012.2.1-0ubuntu1

---------------
keystone (2012.2.1-0ubuntu1) quantal-proposed; urgency=low

  * Ubuntu updates:
    - debian/control: Ensure keystoneclient is upgraded with keystone,
      require python-keystoneclient >= 1:0.1.3. (LP: #1073273)
    - Dropped patches, applied upstream:
      - debian/patches/CVE-2012-5563.patch
      - debian/patches/CVE-2012-5571.patch
      - debian/patches/fix-ssl-tests-lp1068851.patch
  * Resynchronize with stable/folsom (7869c3ec) (LP: #1085255):
    - [f9d4766] token expires time incorrect for auth by one token
      (LP: #1079216)
    - [80d63c8] keystone throws error when removing user from tenant.
      (LP: #1078497)
    - [37308dd] Removing user from a tenant isn't invalidating user access to
      tenant (LP: #1064914)
    - [bec9b68] Redo part of bp/sql-identiy-pam undone by bug 968519
      (LP: #1068674)
    - [ee645e6] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [094c494] Non PKI Tokens longer than 32 characters can never be valid
      (LP: #1060389)
    - [3cd343b] Openssl tests rely on expired certificate (LP: #1068851)
    - [2f9807e] Set defaultbranch in .gitreview to stable/folsom
 -- Adam Gandelman <email address hidden> Tue, 04 Dec 2012 09:19:41 -0800

Changed in keystone (Ubuntu Quantal):
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-1 → 2013.1