Bug 658641 - pkisilent doesn't properly handle passwords with special characters
Summary: pkisilent doesn't properly handle passwords with special characters
Keywords:
Status: CLOSED EOL
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Installation Wizard
Version: 1.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: dogtagIPAv2
Reported: 2010-11-30 21:36 UTC by Rob Crittenden
Modified: 2020-03-27 18:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-03-27 18:40:31 UTC
Embargoed:



Description Rob Crittenden 2010-11-30 21:36:04 UTC
Description of problem:

Installing dogtag from IPA server using the password (pas&w`rd)

The pkisilent invocation is:

/usr/bin/pkisilent ConfigureCA -cs_hostname lion.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-DD2OtV -client_certdb_pwd '(pas&w`rd)' -preop_pin sM7N05JbzO0hYV8o4Uok -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '(pas&w`rd)' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=EXAMPLE.COM" -ldap_host lion.example.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password '(pas&w`rd)' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '(pas&w`rd)' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=EXAMPLE.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=EXAMPLE.COM" -ca_server_cert_subject_name "CN=lion.example.com,O=EXAMPLE.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=EXAMPLE.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=EXAMPLE.COM" -external false -clone false

While reviewing the logs I saw this:

<response>
  <panel>admin/console/config/importadmincertpanel.vm</panel>
  <res/>
  <showApplyButton/>
  <admin_pwd>(pas</admin_pwd>
...

Which led me to see if the password really did get cut off:

$ ldapsearch -LLL -x -D 'uid=admin,ou=people,o=ipaca' -w '(pas&w`rd)' -h localhost -p 7389 -b o=ipaca uid=admin uid
ldap_bind: Invalid credentials (49)

and with a truncated password:

$ ldapsearch -LLL -x -D 'uid=admin,ou=people,o=ipaca' -w '(pas' -h localhost -p 7389 -b o=ipaca uid=admin uid
dn: uid=admin,ou=people,o=ipaca
uid: admin

Version-Release number of selected component (if applicable):

pki-silent-1.3.4-1.fc12.noarch
pki-ca-1.3.6-1.fc12.noarch
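
Added example (not pkisilent or Dogtag code, and not part of the original report): a value cut off exactly at `&`, as in the `<admin_pwd>(pas</admin_pwd>` log line above, is what a receiver sees when a password is concatenated unencoded into an application/x-www-form-urlencoded request. The page does not state the root cause, so that mechanism is an assumption, and the class, method and request parameter names below are hypothetical.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Illustration only: names are hypothetical, not taken from pkisilent
// or from the Dogtag configuration servlet.
public class FormEncodingDemo {

    // Unsafe: the raw value is concatenated straight into the request body,
    // so any '&' inside it is read as a parameter separator.
    static String buildRaw(String name, String value) {
        return "p=1&" + name + "=" + value + "&op=next";
    }

    // Safe: percent-encode the value so '&', '=', '+' and '%' stay data.
    static String buildEncoded(String name, String value) throws Exception {
        return "p=1&" + name + "=" + URLEncoder.encode(value, "UTF-8") + "&op=next";
    }

    // Minimal form-urlencoded parser, standing in for the receiving side.
    static Map<String, String> parse(String body) throws Exception {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(k, "UTF-8"), URLDecoder.decode(v, "UTF-8"));
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        String password = "(pas&w`rd)"; // the password from the report
        String raw = buildRaw("admin_pwd", password);
        String enc = buildEncoded("admin_pwd", password);
        System.out.println("raw body:       " + raw);
        System.out.println("raw parsed:     " + parse(raw).get("admin_pwd"));
        System.out.println("encoded body:   " + enc);
        System.out.println("encoded parsed: " + parse(enc).get("admin_pwd"));
        // The stored credential must equal what the operator typed.
        if (!password.equals(parse(enc).get("admin_pwd"))) {
            throw new AssertionError("password did not survive the round trip");
        }
    }
}
```

The raw form silently stores a shorter, weaker password than the operator chose, so a post-install bind test with the full password, as the reporter did with ldapsearch, is a useful check for this class of bug.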

Comment 3 Ade Lee 2011-01-11 21:07:19 UTC
patch is included in the patch for https://bugzilla.redhat.com/show_bug.cgi?id=645895

Comment 4 Ade Lee 2011-01-12 16:07:54 UTC
8.1:

-bash-3.2$ svn ci -m "Bugzilla BZ645895 and 658641: ECC curves and passwords
with special chars"
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/ra/ConfigureRA.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data .......
Committed revision 1725.

tip:

[vakwetu@dhcp231-121 silent]$ svn ci -m "Bugzilla BZ645895 and 658641: ECC
curves and passwords with special chars"
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/ra/ConfigureRA.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data .......
Committed revision 1726.

