[openstack-dev] Quantum/Keystone issue (401) seems to be due to encoding

John Griffith john.griffith at solidfire.com
Thu Nov 8 15:39:14 UTC 2012


On Wed, Nov 7, 2012 at 2:57 PM, Yee, Guang <guang.yee at hp.com> wrote:

> The text Adam pasted
>
> -----BEGIN CMS-----
> MIIBQwYJKoZIhvcNAQcCoIIBNDCCATACAQExCTAHBgUrDgMCGjAeBgkqhkiG9w0B
> BwGgEQQPeyJyZXZva2VkIjogW119MYH/MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMx
> DjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQx
> GDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0B
> AQEFAASBgIPLThGutiaKye5AYYdF3z7FGztoQsCaaqHKHVgtEHk3bM7k5ZqIsNN/
> YMUKE8l87UHwto0BZ3WF6IqXzSRCKrm11bzTbKMna5I1vmSanDG/Ws6CyXQRaQeb
> 1IebcfL+tPWFLN5Y6WsuSobGCGV30wll1F0qgfXCwDkEinVc35vC
> -----END CMS-----
>
> yields the following
>
> openssl cms -cmsout -in /tmp/cms.txt -inform PEM -print
> CMS_ContentInfo:
>   contentType: pkcs7-signedData (1.2.840.113549.1.7.2)
>   d.signedData:
>     version: 1
>     digestAlgorithms:
>         algorithm: sha1 (1.3.14.3.2.26)
>         parameter: <ABSENT>
>     encapContentInfo:
>       eContentType: pkcs7-data (1.2.840.113549.1.7.1)
>       eContent:
>         0000 - 7b 22 72 65 76 6f 6b 65-64 22 3a 20 5b 5d 7d   {"revoked": []}
>     certificates:
>       <EMPTY>
>     crls:
>       <EMPTY>
>     signerInfos:
>         version: 1
>         d.issuerAndSerialNumber:
>           issuer: C=US, ST=Unset, L=Unset, O=Unset, CN=www.example.com
>           serialNumber: 1
>         digestAlgorithm:
>           algorithm: sha1 (1.3.14.3.2.26)
>           parameter: <ABSENT>
>         signedAttrs:
>           <EMPTY>
>         signatureAlgorithm:
>           algorithm: rsaEncryption (1.2.840.113549.1.1.1)
>           parameter: NULL
>         signature:
>           0000 - 83 cb 4e 11 ae b6 26 8a-c9 ee 40 61 87 45 df   ..N...&...@a.E.
>           000f - 3e c5 1b 3b 68 42 c0 9a-6a a1 ca 1d 58 2d 10   >..;hB..j...X-.
>           001e - 79 37 6c ce e4 e5 9a 88-b0 d3 7f 60 c5 0a 13   y7l........`...
>           002d - c9 7c ed 41 f0 b6 8d 01-67 75 85 e8 8a 97 cd   .|.A....gu.....
>           003c - 24 42 2a b9 b5 d5 bc d3-6c a3 27 6b 92 35 be   $B*.....l.'k.5.
>           004b - 64 9a 9c 31 bf 5a ce 82-c9 74 11 69 07 9b d4   d..1.Z...t.i...
>           005a - 87 9b 71 f2 fe b4 f5 85-2c de 58 e9 6b 2e 4a   ..q.....,.X.k.J
>           0069 - 86 c6 08 65 77 d3 09 65-d4 5d 2a 81 f5 c2 c0   ...ew..e.]*....
>           0078 - 39 04 8a 75 5c df 9b c2-                       9..u\...
>         unsignedAttrs:
>           <EMPTY>
>
> Where’s this cert come from?
>
> “issuer: C=US, ST=Unset, L=Unset, O=Unset, CN=www.example.com”
>
> Guang
>
> From: Adam [mailto:adam at younglogic.com]
> Sent: Wednesday, November 07, 2012 1:07 PM
> To: Gary Kotton; Yee, Guang; OpenStack Development Mailing List
> Subject: Quantum/Keystone issue (401) seems to be due to encoding
>
> I get the following errors when trying to decode the revocation list:
>
> 1. 140580198655840:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 2. 140580198655840:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:795:
> 3. 140580198655840:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:cms_sd.c:899:
> 4. 140580198655840:error:2E09D06D:CMS routines:CMS_verify:content verify error:cms_smime.c:425:
>
> The biggest difference I can see between this and the successful runs in
> the other projects is that this one comes in encoded as unicode, elsewhere we
> see it as string.
>
> The data is coming through OK.  I can see:
>
> {"revoked": []}
>
> So I think the DER encoding is getting messed up in translation.

I wonder if you're hitting the same issue that we had in Cinder WRT the
monkey patched eventlet?

Sounds similar, and I noticed you have the same eventlet setup that Cinder
did.

https://review.openstack.org/#/c/15594/
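
Added example, not part of the thread and not Keystone's code: a shell check that separates the two observations discussed above, that the payload reads fine and that the signature fails to verify. The certificates, file names and payload are constructed for the demo, and it assumes an `openssl` binary that provides the `cms` command.

```shell
#!/usr/bin/env bash
# Added example: subject, file names and payload are constructed for this demo.
set -u
work=$(mktemp -d)
subj="/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com"

# Self-signed cert + key. Both certs get the same issuer and serial, so the
# CMS signer lookup (issuerAndSerialNumber) matches either one.
make_cert() {  # $1 = base name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 1 \
    -subj "$subj" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# Sign an empty revocation list; no embedded certs, no signed attributes,
# matching the <EMPTY> certificates/signedAttrs fields in the dump above.
sign_list() {
  printf '%s' '{"revoked": []}' > "$work/list.json"
  openssl cms -sign -in "$work/list.json" -signer "$work/signer.pem" \
    -inkey "$work/signer.key" -outform PEM -nosmimecap -nodetach \
    -nocerts -noattr -out "$work/list.cms" 2>/dev/null
}

# Signature check only (-noverify skips chain validation of the cert).
verify_with() {  # $1 = cert base name; exit status 0 means signature valid
  openssl cms -verify -in "$work/list.cms" -inform PEM \
    -certfile "$work/$1.pem" -noverify >/dev/null 2>&1
}

# Read the embedded content WITHOUT checking the signature (-nosigs).
peek_content() {  # $1 = cert base name, needed only for signer lookup
  openssl cms -verify -in "$work/list.cms" -inform PEM \
    -certfile "$work/$1.pem" -noverify -nosigs 2>/dev/null
}

make_cert signer && make_cert other && sign_list
verify_with signer && echo "signer cert: signature OK"
verify_with other  || echo "other cert (same issuer/serial): verification failure"
echo "payload readable without signature check: $(peek_content other)"
```

A readable `{"revoked": []}` only shows that the encapsulated content decodes; whether the signature verifies depends on the certificate handed to the verifier.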