Block the addition of ssl_ca certificates with the same subject name

Bug #1981100 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Karla Felix
Milestone: (not set)

Bug Description

Brief Description
-----------------
The sysinv software currently allows the addition of multiple ssl_ca certificates with the same subject name. This results in later failure if one of these certificates is no longer valid.

It is recommended to block the addition of ssl_ca certificates with the same subject name to prevent this issue in the first place.

Severity
--------
<Minor: System/Feature is usable with minor issue>

Steps to Reproduce
------------------
- system certificate-install -m ssl_ca <ca certificate>
- system certificate-install -m ssl_ca <duplicate ca certificate>

Expected Behavior
------------------
The second cmd returns an error indicating that the certificate has the same subject name

Actual Behavior
----------------
The second cmd goes through

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
any recent load, but this is a day 1 code oversight

Last Pass
---------
Never

Timestamp/Logs
--------------
Not Required

Test Activity
-------------
Regression Testing

Workaround
----------
Avoid adding certificates with the same subject name
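The check the report asks for, as an added example that is not StarlingX or sysinv code: before a CA certificate is accepted into a store, its subject is canonicalised, hashed, and compared against the subjects already stored; a clash is refused with an error that names the existing certificate. The store layout (one PEM per subject hash under $STORE), the SHA-256 subject hash and the helper names are assumptions of this example, not sysinv's schema or its `hash_subject` column. The certificates are constructed with openssl on the spot.

```shell
#!/bin/sh
# Added example, not StarlingX/sysinv code: enforce "one ssl_ca certificate per
# subject" before a CA certificate is accepted into a store. The store layout
# (one PEM per subject hash under $STORE) and the hash (SHA-256 over the
# RFC 2253 subject string) are assumptions of this example.
set -eu

STORE="${STORE:-$(mktemp -d)}"   # constructed store location; override to reuse one

# Canonical subject of a PEM certificate, e.g. "CN=Dup CA,O=Example".
# RFC 2253 formatting removes ordering/spacing differences between encoders.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stable lookup key for the subject: SHA-256 of the canonical subject string.
subject_hash() {
    cert_subject "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# Install a CA certificate unless one with the same subject is already stored.
# Returns 0 on success, 1 on a subject clash (the error names the stored cert).
ca_install() {
    cert="$1"
    h="$(subject_hash "$cert")"
    mkdir -p "$STORE"
    if [ -f "$STORE/$h.pem" ]; then
        echo "error: ssl_ca certificate with the same subject already installed: $(cert_subject "$STORE/$h.pem")" >&2
        return 1
    fi
    cp "$cert" "$STORE/$h.pem"
    echo "installed: $(cert_subject "$cert")"
}

# Constructed test material: a fresh self-signed CA with the given subject.
make_ca() {   # $1 = output PEM, $2 = subject in openssl -subj form
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "$2" >/dev/null 2>&1
}

# Demo: two distinct CAs that share a subject, and one with another subject.
DEMO="$(mktemp -d)"
make_ca "$DEMO/ca1.pem" "/O=Example/CN=Dup CA"
make_ca "$DEMO/ca2.pem" "/O=Example/CN=Dup CA"
make_ca "$DEMO/ca3.pem" "/O=Example/CN=Other CA"
ca_install "$DEMO/ca1.pem"                                  # installed
ca_install "$DEMO/ca2.pem" || echo "rejected as expected"   # same subject, different key
ca_install "$DEMO/ca3.pem"                                  # installed
```

The comparison is deliberately on the subject name rather than on the certificate fingerprint: ca1 and ca2 above are different certificates with different keys, so a fingerprint check would let both through, which is exactly the situation the report describes. Matching on the canonical RFC 2253 form avoids false mismatches when two tools encode the same distinguished name with different attribute spacing or order.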

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
status: New → Triaged
assignee: nobody → Karla Felix (kkarolin)
Ghada Khalil (gkhalil)
tags: added: stx.config stx.security
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/851894
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/6130e999d56b14e56c384f69bc079c78fdb1104c
Submitter: "Zuul (22348)"
Branch: master

commit 6130e999d56b14e56c384f69bc079c78fdb1104c
Author: Karla Felix <email address hidden>
Date: Tue Aug 2 11:57:31 2022 -0300

    Block addition of ssl_ca certs with same subject

    Ansible playbook will fail in a re-run when it tries to install
    the ssl_ca certificate for the second time; this change will
    prevent the failure by checking for existing ssl_ca certificates
    and deleting them before installing.

    Test Plan:

    PASS: Check re-run of the bootstrap.yml playbook multiple times.

    Closes-bug: 1981100

    Signed-off-by: Karla Felix <email address hidden>
    Change-Id: Ic87d216bc0b93af13b57faf38cedeba050e5c631

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/850060
Committed: https://opendev.org/starlingx/config/commit/7bd617b2fbbb11ac30e4037be818d1093113e5be
Submitter: "Zuul (22348)"
Branch: master

commit 7bd617b2fbbb11ac30e4037be818d1093113e5be
Author: Karla Felix <email address hidden>
Date: Fri Jul 15 14:46:20 2022 -0300

    Block ssl_ca certificates with same subject

    Block the addition of ssl_ca certificates with same subject name

    Test Plan:

    PASS: Attempted to install another certificate with same subject, and
          verified that it fails with an error.
    PASS: Generate and install a full iso and verified that columns subject
          and hash_subject were added to certificate table.
    PASS: Verified that when there is a subject name clash the command
          system certificate-install returns an error and the certificate
          that has the same subject
    PASS: Verified that the system shows an error when the subject field is
          empty for ssl_ca
    PASS: Verified that a new column subject shows up for command
          system certificate-list
    PASS: Verified that a new column subject shows up as a return to
          a successful system certificate-install command

    Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/851894
    Closes-bug: 1981100
    Signed-off-by: Karla Felix <email address hidden>
    Change-Id: I7ce11cc5dab6f686d360d01594ba100d07d2c2db

Ghada Khalil (gkhalil)
tags: added: stx.8.0