cannot retrieve certificate payload with snakeoil plugin

Bug #1479439 reported by Brianna Poulos on 2015-07-29
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
python-barbicanclient | Confirmed | Undecided | Unassigned |

Bug Description

I am unable to retrieve a certificate payload. I have snakeoil configured as the certificate backend. Use the following steps to reproduce the error:

1. Enabled snakeoil_ca for the certificate plugin
#[snakeoil_ca_plugin]
#ca_cert_path = /etc/barbican/snakeoil-ca.crt
#ca_cert_key_path = /etc/barbican/snakeoil-ca.key

To:
[snakeoil_ca_plugin]
ca_cert_path = /etc/barbican/snakeoil-ca.crt
ca_cert_key_path = /etc/barbican/snakeoil-ca.key

Change:
[certificate]
namespace = barbican.certificate.plugin
enabled_certificate_plugins = simple_certificate

To:
[certificate]
namespace = barbican.certificate.plugin
enabled_certificate_plugins = snakeoil_ca

2. Restarted barbican

3. Create asymmetric keypair
$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from keystoneclient.auth import identity
>>> from keystoneclient import session
>>> from barbicanclient import client
>>>
>>> auth = identity.v3.Password(auth_url='http://localhost:5000/v3',
... username='admin',
... user_domain_name='Default',
... password='THEADMINPASSWORD',
... project_name='demo',
... project_domain_name='Default')
>>> sess = session.Session(auth=auth)
>>> barbican = client.Client(session=sess)
>>>
>>> my_asym_order = barbican.orders.create_asymmetric(algorithm='rsa', payload_content_type='application/octet-stream', bit_length=1024)
>>> my_asym_ref = my_asym_order.submit()
>>> retrieved_asym = barbican.orders.get(my_asym_ref)
>>> retrieved_contain = barbican.containers.get(retrieved_asym.container_ref)
>>> retrieved_contain.public_key
Secret(secret_ref="http://localhost:9311/v1/secrets/4216e17f-f0df-4621-b5bb-a99db67b9cbd")
>>> retrieved_contain.private_key
Secret(secret_ref="http://localhost:9311/v1/secrets/f9ed533f-e351-4131-8777-03e29fd96032")
>>> retrieved_asym.container_ref
u'http://localhost:9311/v1/containers/7a59ab73-44e3-49e5-8030-97ed7aa75a2d'
>>>

4. Create the certificate
~/devstack$ source openrc admin
~/devstack$ barbican order create --name test_snakeoil --type certificate --request-type stored-key --source-container-ref "http://localhost:9311/v1/containers/7a59ab73-44e3-49e5-8030-97ed7aa75a2d" --subject-dn "cn=server1, o=example.com"

5. Note the certificate information
~/devstack$ barbican order list
Starting new HTTP connection (1): 10.109.24.227
Starting new HTTP connection (1): 10.109.24.227
Resetting dropped connection: 10.109.24.227
+----------------------------------------------------------------------+-------------+--------------------------------------------------------------------------+-------------+---------------------------+--------+------------+---------------+
| Order href | Type | Container href | Secret href | Created | Status | Error code | Error message |
+----------------------------------------------------------------------+-------------+--------------------------------------------------------------------------+-------------+---------------------------+--------+------------+---------------+
| http://localhost:9311/v1/orders/1d649e1b-efed-42ea-ba3a-235c6f6fa32e | Asymmetric | http://localhost:9311/v1/containers/7a59ab73-44e3-49e5-8030-97ed7aa75a2d | N/A | 2015-07-29 16:18:49+00:00 | ACTIVE | None | None |
| http://localhost:9311/v1/orders/114571a8-9862-44ae-90c6-65a70edea0fb | Certificate | http://localhost:9311/v1/containers/f610e540-d917-4738-8e49-e146bcccfd4e | N/A | 2015-07-29 16:20:52+00:00 | ACTIVE | None | None |
+----------------------------------------------------------------------+-------------+--------------------------------------------------------------------------+-------------+---------------------------+--------+------------+---------------+
~/devstack$

6. Try to retrieve certificate payload

>>>
>>> retrieved_cert_container = barbican.containers.get(u'http://localhost:9311/v1/containers/f610e540-d917-4738-8e49-e146bcccfd4e')
>>> retrieved_cert_container.certificate.payload
No handlers could be found for logger "barbicanclient.client"
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, in _check_status_code
    status
barbicanclient.exceptions.HTTPClientError: Not Acceptable
>>>

7. Look at barbican-svc logs:

2015-07-29 12:30:27.884 ERROR pecan.core [req-8c70192a-2644-442c-8003-478467e2de5c 5b3512da16654b37bcb82955ac4834af 53be34bff96340aca2823102fa893082] Controller 'handler' defined does not support content_type 'None'. Supported type(s): ['image/x-coreldraw', 'application/x-chess-pgn', 'application/cu-seeme', ... ,'application/x-gtar-compressed', 'video/gl']
2015-07-29 12:30:27.888 INFO barbican.api.middleware.context [req-8c70192a-2644-442c-8003-478467e2de5c 5b3512da16654b37bcb82955ac4834af 53be34bff96340aca2823102fa893082] Processed request: 406 Not Acceptable - GET http://localhost:9311/v1/secrets/c7c7dd53-fcc8-4702-9ca6-445d421141cd/payload

Brianna Poulos (brianna-poulos) wrote :

Note that the certificate payload can be retrieved through the CLI without any issues, so it doesn't appear to be a problem with the creation of the certificate.

From CLI:
~/devstack$ barbican secret get http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f --payload
Starting new HTTP connection (1): 10.109.24.227
Starting new HTTP connection (1): localhost
+---------+------------------------------------------------------------------+
| Field | Value |
+---------+------------------------------------------------------------------+
| Payload | -----BEGIN CERTIFICATE----- |
| | MIICgzCCAWsCECCYIEMsaETJsaf+z9ryNxkwDQYJKoZIhvcNAQELBQAwXDELMAkG |
| | A1UEBhMCWFgxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UE |
| | ChMFVW5zZXQxHTAbBgNVBAMTFFNuYWtlb2lsIENlcnRpZmljYXRlMB4XDTE1MDcy |
| | OTE3MzA0N1oXDTE1MDcyOTE3NDI1N1owKDEUMBIGA1UEChMLZXhhbXBsZS5jb20x |
| | EDAOBgNVBAMTB3NlcnZlcjEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMuu |
| | gzIK2zuz5p3qHfUVn5EnjlJqTsMjal+Hw1x0RLvCEgMPIYj+qHzp2SFOh5g2GUDz |
| | rk7zxXBt6K5e25W/wWVXZe5l/J/Pva0q1+jOdMXI+ozQnoA6wRYE2cO26fZLRUkW |
| | QGcnLMgfzsnuRKT2H9VTAA5ygcff/TdGrBcalhftAgMBAAEwDQYJKoZIhvcNAQEL |
| | BQADggEBAAmgO+4jwoINsts+9ynIUFSWjxBvb/89g0x2K/Of3lXd1XfiqHI3oOXl |
| | jpTfbwET7wiykc+MYIFvgDr0zQwXDRpYPk26x7HhlPuHyDSp0KMruIOzkCUbjqfu |
| | 6lttenTvqWloNrf+HSpgLuigHXta9H4GvCVvKzvgyRXt5AgRifc1OkJO7rXWMQ7V |
| | Z9z/XhIOHwyQpU1gT6P+BR460Sc8Ba7U7AT+36IXIHS9Um2ndbNM3i+Gy15/M5Aj |
| | ajAOWGB/dokHQg+kz1M9sgNzYEKkXC5ivuwSJMwvB5J+LjBkj/nSG5MsoIju+a/+ |
| | pQDNWViJBf2Edx32bUOHqnaZ4UIwzig= |
| | -----END CERTIFICATE----- |
| | |
+---------+------------------------------------------------------------------+
~/devstack$

From python:
>>> certificate = barbican.secrets.get('http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f')
>>> certificate
Secret(secret_ref="http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f")
>>> certificate.payload
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, in _check_status_code
    status
barbicanclient.exceptions.HTTPClientError: Not Acceptable
>>> certificate.payload_content_type
u'application/pkix-cert'
>>>

Brianna Poulos (brianna-poulos) wrote :

The payload_content type "application/pkix-cert" is not listed as a supported content type for pecan.core in the error message.

2015-07-29 16:17:47.267 ERROR pecan.core [req-3c47c4a9-cb8e-4a88-857d-adc84fb3421e 5b3512da16654b37bcb82955ac4834af 53be34bff96340aca2823102fa893082] Controller 'handler' defined does not support content_type 'None'. Supported type(s): ['image/x-coreldraw', 'application/x-chess-pgn', 'application/cu-seeme', 'application/pgp-keys', 'image/vnd.microsoft.icon', 'application/x-pkcs7-crl', 'chemical/x-ncbi-asn1-spec', 'application/x-kpresenter', 'application/sla', 'application/dsptype', 'application/vnd.smaf', 'text/x-scala', 'application/vnd.oasis.opendocument.database', 'application/vnd.ms-word.document.macroEnabled.12', 'application/vnd.sun.xml.calc.template', 'chemical/x-pdb', 'chemical/x-molconn-Z', 'application/x-doom', 'application/vnd.rim.cod', 'application/x-java-jnlp-file', 'video/x-matroska', 'application/vnd.android.package-archive', 'application/x-jam', 'chemical/x-mopac-vib', 'application/x-sql', 'application/mbox', 'text/calendar', 'application/x-cpio', 'application/vnd.ms-excel.sheet.binary.macroEnabled.12', 'chemical/x-compass', 'application/x-lyx', 'chemical/x-csml', 'application/vnd.stardivision.writer-global', 'chemical/x-cxf', 'application/x-ustar', 'application/x-shockwave-flash', 'video/dv', 'application/vnd.ms-officetheme', 'application/vnd.wap.wmlc', 'video/dl', 'application/xml', 'model/x3d+xml', 'application/x-cdlink', 'text/x-boo', 'audio/x-ms-wax', 'video/x-ms-asf', 'chemical/x-macromodel-input', 'application/x-redhat-package-manager', 'image/x-jg', 'application/x-iso9660-image', 'text/css', 'chemical/x-alchemy', 'application/x-nwc', 'video/x-ms-wvx', 'video/x-ms-wm', 'text/scriptlet', 'chemical/x-gaussian-cube', 'application/vnd.sun.xml.impress.template', 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12', 'chemical/x-chem3d', 'text/x-vcard', 'text/x-c++src', 'image/tiff', 'application/java-vm', 'application/vnd.cinderella', 'application/vnd.oasis.opendocument.text', 'application/xhtml+xml', 'model/x3d+binary', 'chemical/x-chemdraw', 
'application/x-msi', 'chemical/x-mol2', 'image/x-cmu-raster', 'application/vnd.oasis.opendocument.spreadsheet', 'application/vnd.stardivision.impress', 'chemical/x-mopac-input', 'text/x-literate-haskell', 'audio/x-ms-wma', 'text/x-vcalendar', 'audio/x-mpegurl', 'chemical/x-cdx', 'application/vnd.ms-excel.addin.macroEnabled.12', 'application/x-oz-application', 'application/x-123', 'application/x-msdos-program', 'application/vnd.sun.xml.writer.template', 'image/x-epson-erf', 'application/x-xcf', 'application/vnd.oasis.opendocument.graphics', 'audio/midi', 'chemical/x-cml', 'application/x-ruby', 'chemical/x-gamess-input', 'image/x-xbitmap', 'application/x-sv4cpio', 'audio/amr', 'application/x-pkcs12', 'application/vnd.ms-pki.seccat', 'video/x-ms-wmv', 'video/x-ms-wmx', 'application/annodex', 'application/java-archive', 'text/richtext', 'application/atomserv+xml', 'application/postscript', 'application/x-dvi', 'chemical/x-cache-csf', 'application/x-quicktimeplayer', 'text/cache-manifest', 'application/onenote', 'application/x-director', 'image/x-photoshop', '...

Brianna Poulos (brianna-poulos) wrote :

I determined that if I define the payload_content_type as 'text/plain' through python then I no longer see the error. Also, if I define the payload_content_type as 'application/pkix-cert' on the CLI, I get the same error that I was seeing from python.

From CLI:
~/devstack$ barbican secret get http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f --payload -f value --debug --payload_content_type application/pkix-cert
Starting new HTTP connection (1): 10.109.24.227
Starting new HTTP connection (1): localhost
4xx Client error: Not Acceptable
Not Acceptable
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 314, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican_cli/secrets.py", line 68, in take_action
    (entity.payload,))
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, in _check_status_code
    status
HTTPClientError: Not Acceptable
Traceback (most recent call last):
  File "/usr/local/bin/barbican", line 10, in <module>
    sys.exit(main())
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican.py", line 310, in main
    return barbican_app.run(argv)
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican.py", line 305, in run
    return super(Barbican, self).run(argv)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 241, in run
    result = self.run_subcommand(remainder)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 314, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/opt/stack/python-barbicanclient/barbicanclient/barbican_cli/secrets.py", line 68, in take_action
    (entity.payload,))
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 188, in payload
    self._fetch_payload()
  File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 259, in _fetch_payload
    payload = self._api._get_raw(payload_url, headers=headers)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 79, in _get_raw
    return self.request(path, 'GET', *args, **kwargs).content
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 63, in request
    self._check_status_code(resp)
  File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 103, i...


Kaitlin Farr (kaitlin-farr) wrote :

I am able to duplicate the reported behavior.

Changed in barbican:
status: New → Confirmed

Sergey Skripnick (eyerediskin) wrote :

Any workaround?

affects: barbican → python-barbicanclient

Kaitlin Farr (kaitlin-farr) wrote :

Sergey, in Brianna's comment from 2015-07-30, she was able to work around the issue by defining the payload_content_type as 'text/plain'.
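
The workaround from this thread as an added example, not code from python-barbicanclient or barbican: request the payload with the stored content type, fall back to 'text/plain' on a 406, and check that the body is PEM-framed before treating it as a certificate, since the fallback no longer asks the server for a certificate type. `NotAcceptable`, `fake_get_raw` and `fetch_certificate` are hypothetical names, and the server is a constructed stand-in that accepts only 'text/plain'.

```python
import ssl


class NotAcceptable(Exception):
    """Hypothetical stand-in for the client's '406 Not Acceptable' error."""


# Constructed sample data: PEM framing around placeholder bytes, not a real cert.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fake_get_raw(url, headers):
    """Constructed stand-in for the payload endpoint in the report:
    any Accept value other than text/plain is answered with 406."""
    if headers.get("Accept") != "text/plain":
        raise NotAcceptable(headers.get("Accept"))
    return SAMPLE_PEM.encode("ascii")


def fetch_certificate(get_raw, payload_url, stored_type, fallbacks=("text/plain",)):
    """Try the stored content type first, then each fallback, on 406.

    Returns (accept_used, pem_text, der_bytes). Raises NotAcceptable if every
    type is refused, ValueError if the body is not PEM-framed base64.
    """
    tried = []
    for accept in (stored_type,) + tuple(fallbacks):
        tried.append(accept)
        try:
            body = get_raw(payload_url, headers={"Accept": accept})
        except NotAcceptable:
            continue
        # The Accept header no longer pins the type, so validate the body.
        # This checks BEGIN/END framing and base64 only, not X.509 structure.
        pem = body.decode("ascii")
        der = ssl.PEM_cert_to_DER_cert(pem)
        return accept, pem, der
    raise NotAcceptable("server refused all of: %r" % (tried,))


if __name__ == "__main__":
    url = "http://localhost:9311/v1/secrets/8ec681e6-145d-4e72-99c7-8a354af6696f/payload"
    used, pem, der = fetch_certificate(fake_get_raw, url, "application/pkix-cert")
    print("retrieved with Accept:", used, "-", len(der), "DER bytes")
```

With the real client, `get_raw` would be replaced by whatever call issues the payload request; the negotiation and validation logic stays the same.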
