A Couple of snakeoil CA tests fail using OpenSSL 1.0.2a

Bug #1443075 reported by Juan Antonio Osorio Robles
Affects: Barbican | Status: Fix Released | Importance: Medium | Assigned to: Juan Antonio Osorio Robles | Milestone: (empty)

Bug Description

While running the unit tests I'm getting the following error:

======================================================================
FAIL: barbican.tests.plugin.test_snakeoil_ca.SnakeoilCAPluginTestCase.test_issue_certificate_request_set_subject
tags: worker-3
----------------------------------------------------------------------
Empty attachments:
  stderr
  stdout

Traceback (most recent call last):
  File "/home/ejuaoso/development/barbican/barbican/tests/plugin/test_snakeoil_ca.py", line 168, in test_issue_certificate_request_set_subject
    order_meta, {}, {})
  File "/home/ejuaoso/development/barbican/barbican/plugin/snakeoil_ca.py", line 200, in issue_certificate_request
    csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr)
  File "/home/ejuaoso/development/barbican/.tox/py27/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2067, in load_certificate_request
    _raise_current_error()
  File "/home/ejuaoso/development/barbican/.tox/py27/lib/python2.7/site-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue
    raise exceptionType(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'c2i_ASN1_OBJECT', 'invalid object encoding'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]
======================================================================
FAIL: barbican.tests.plugin.test_snakeoil_ca.SnakeoilCAPluginTestCase.test_issue_certificate_request
tags: worker-1
----------------------------------------------------------------------
Empty attachments:
  stderr
  stdout

Traceback (most recent call last):
  File "/home/ejuaoso/development/barbican/barbican/tests/plugin/test_snakeoil_ca.py", line 150, in test_issue_certificate_request
    order_meta, {}, {})
  File "/home/ejuaoso/development/barbican/barbican/plugin/snakeoil_ca.py", line 200, in issue_certificate_request
    csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr)
  File "/home/ejuaoso/development/barbican/.tox/py27/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2067, in load_certificate_request
    _raise_current_error()
  File "/home/ejuaoso/development/barbican/.tox/py27/lib/python2.7/site-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue
    raise exceptionType(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'c2i_ASN1_OBJECT', 'invalid object encoding'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]

On further investigation, it turns out this happens due to some changes that happened in OpenSSL recently. So, what happens now is that certain OIDs from the ASN.1 structure have been removed, with the aim of only being able to load valid CSRs. It can be reproduced in OpenSSL 1.0.2a by generating a CSR without either the public key or the signature.

Upon reporting the behaviour to the OpenSSL developers, I got the response that this is indeed the desired behaviour:
http://<email address hidden>/msg38623.html
http://<email address hidden>/msg38632.html

The OpenStack gate is using OpenSSL 1.0.1f, so in this version loading CSRs generated without a signature actually works.

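The structural check that OpenSSL 1.0.2a now applies, as an added illustration that is not part of the bug report or of Barbican's code: a small PEM/DER walker that reports whether a PKCS#10 CSR carries a signatureAlgorithm OID and signature bytes at all. The sample CSRs are constructed in-line with placeholder contents (no real key or signature); the unsigned one is modelled on what pyOpenSSL serialises when X509Req.sign() was never called, a zero-length OID being the kind of input the c2i_ASN1_OBJECT 'invalid object encoding' in the traceback refers to.

```python
import base64

# Minimal DER helpers, written for this example (not Barbican or pyOpenSSL code).
def der_read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, body, next_pos); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits give the length-of-length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    """Split a constructed body into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def csr_signature_problems(pem):
    """Return the reasons a 1.0.2a-style parser refuses this CSR (empty list = fields present).
    CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature BIT STRING }."""
    tag, body, _ = der_read(pem_to_der(pem))
    parts = der_children(body)
    if tag != 0x30 or len(parts) != 3:
        return ["not a CertificationRequest SEQUENCE with 3 elements"]
    problems = []
    alg = der_children(parts[1][1])
    if parts[1][0] != 0x30 or not alg or alg[0][0] != 0x06 or not alg[0][1]:
        problems.append("signatureAlgorithm OID is empty: the CSR was never signed")
    if parts[2][0] != 0x03 or len(parts[2][1]) <= 1:   # BIT STRING holds only the unused-bits byte
        problems.append("signature BIT STRING carries no signature bytes")
    return problems

# Constructed samples (no real key or signature): only the outer structure matters here.
def der_tlv(tag, body):          # short-form length only; the samples stay under 128 bytes
    return bytes([tag, len(body)]) + body

def sample_csr(signed):
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, b"") + der_tlv(0x30, b"") + der_tlv(0xA0, b""))
    if signed:   # sha256WithRSAEncryption OID plus placeholder signature bytes
        alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
        sig = der_tlv(0x03, b"\x00" + b"\xab" * 16)
    else:        # modelled on an X509_REQ serialised before sign(): zero-length OID, empty BIT STRING
        alg = der_tlv(0x30, der_tlv(0x06, b""))
        sig = der_tlv(0x03, b"\x00")
    b64 = base64.b64encode(der_tlv(0x30, info + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % b64
```

Refusing such a request before it reaches the CA is the right default: without a signature there is no proof that the requester holds the private key matching the public key in the CSR.
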
Changed in barbican:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/172714

Changed in barbican:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to barbican (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/172844

OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/172714
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=c27f2b75b66be2592d83f87e07d68088d3e0ee18
Submitter: Jenkins
Branch: master

commit c27f2b75b66be2592d83f87e07d68088d3e0ee18
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Sun Apr 12 16:22:45 2015 +0300

    Sign CSRs issued in SnakeOilCA tests

    In OpenSSL 1.0.2a CSRs that are not signed are now considered invalid
    and will throw an error when trying to load them. This commit fixes that
    and also moves the repeated code to a single function to improve the
    tests' readability.

    Change-Id: I7a60717b7f473a6f2724eed515aa094819b7f621
    Closes-Bug: #1443075

Changed in barbican:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Related fix merged to barbican (master)

Reviewed: https://review.openstack.org/172844
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=3885a25c13cc762efa2739428d86884ef0133334
Submitter: Jenkins
Branch: master

commit 3885a25c13cc762efa2739428d86884ef0133334
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Apr 13 12:18:40 2015 +0300

    Enable alternate error message for OpenSSL 1.0.2

    Since OpenSSL will no longer handle unsigned CSRs, this fix enables
    accepting the error message we now get from the API, while retaining
    backwards compatibility with the functionality on OpenSSL 1.0.1.

    Change-Id: Icae9b6aebe7d3ec4c788185e1b11e5c8f52d4caf
    Related-Bug: #1443075

Changed in barbican:
milestone: none → kilo-rc1
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: kilo-rc1 → 2015.1.0