Issue #2733

Updated by daviddavis about 5 years ago

Currently our oid validation tests are failing on F25 after python-rhsm was updated to 1.19.4. See: 

 https://github.com/candlepin/subscription-manager/pull/1606 

 Talking with candlepin though, our test certs are bad. Due to their format, they are parsed as identity certs (which are used for authentication) when they should be entitlement certs since we're checking that paths are authorized [1]. 

 Here's the conversation with @kahowell about what we need to do: 

 <pre> 
 2017-04-26 15:55:37       kahowell          bmbouter, daviddavis, so for sake of determining when python-rhsm behavior changed and broke that test, i have done the following so far: went back to python-rhsm-1.19.0-1 and used certificate.create_from_pem... it *still* shows as an IdentityCertificate... 
 2017-04-26 15:56:46       daviddavis        kahowell: so I am totally new to this code... is that bad that the cert is an identity cert? 
 2017-04-26 15:56:58       daviddavis        not sure I understand the differences between identity, product, etc 
 2017-04-26 15:57:05       kahowell          bmbouter, daviddavis, also as far back as python-1.17.1... 
 2017-04-26 15:57:51       kahowell          daviddavis, basically, identity is just a cert used as auth to candlepin. entitlement certs are used for actual access (cdn, etc.) 
 2017-04-26 15:59:21       daviddavis        kahowell: so it looks like the test is trying to check the cert against the path (https://git.io/v933k) I'm guessing we should be using an entitlement cert? 
 2017-04-26 16:00:15       kahowell          daviddavis, yeah, and from python-rhsm's point of view, e_limited.crt is not one. 
 2017-04-26 16:00:25       daviddavis        I see 
 2017-04-26 16:01:30       daviddavis        kahowell: going to look into this more tomorrow. thanks for your help 
 2017-04-26 16:04:59       kahowell          daviddavis, i dug just a little bit more, and i think this file: https://github.com/pulp/pulp/blob/43cebf96a6af938e5688329d74959e0ca268bdf4/oid_validation/test/data/pulp_ssl.cnf could probably use some additional extensions defined. specifically either 1.3.6.1.4.1.2312.9.6 set to UTF8 "3.2" or similar or 1.3.6.1.4.1.2312.9.4.1 set to something. extensions are defined here: https://github.com/candlepin/subscription-manager/blob/master/python-rhsm/src/rhsm/certificate2.py#L35 
 </pre> 

 [1] https://github.com/pulp/pulp/blob/678228549d231246e5e94efbbfe2b0ee18fb852e/oid_validation/test/test_oid_validation.py#L298-L304
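 The following is an added example, not part of the original issue or of Pulp's test data: it shows how an OpenSSL config can define an arbitrary-OID extension such as the two mentioned in the conversation, and how to confirm a generated test cert actually carries it. The function names, section names, subject and the order-name value are constructed placeholders, and the script makes no claim about how python-rhsm classifies the result.

```bash
#!/usr/bin/env bash
# Added example: build a throwaway self-signed cert carrying one custom
# extension, then confirm the extension is present in the cert.

# make_test_cert DIR OID VALUE -> prints the path of the generated cert
make_test_cert() {
    local dir=$1 oid=$2 value=$3
    # Constructed config; section names and subject are placeholders,
    # not taken from pulp_ssl.cnf.
    cat > "$dir/test.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = rhsm_ext

[ dn ]
CN = constructed-test-cert

[ rhsm_ext ]
basicConstraints = CA:FALSE
# Arbitrary extension syntax: dotted OID = ASN1:TYPE:VALUE
$oid = ASN1:UTF8String:$value
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/test.cnf" \
        -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null || return 1
    printf '%s\n' "$dir/test.crt"
}

# has_ext CERT OID -> exit status 0 if the cert lists that extension OID
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -qF "$2:"
}

# Stand-alone usage: one cert per OID named in the conversation.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    crt=$(make_test_cert "$tmp" 1.3.6.1.4.1.2312.9.6 3.2)
    has_ext "$crt" 1.3.6.1.4.1.2312.9.6 && echo "version extension present"
    crt=$(make_test_cert "$tmp" 1.3.6.1.4.1.2312.9.4.1 constructed-order)
    has_ext "$crt" 1.3.6.1.4.1.2312.9.4.1 && echo "order-name extension present"
    rm -rf "$tmp"
fi
```

 Run the script with the argument `demo` to generate both certs in a temporary directory; the same `has_ext` check can be pointed at an existing test cert to see which of the two extensions it lacks.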
