Bug #16243

SUSE inventory signing

Added by Florian Heigl 9 months ago. Updated 9 months ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Agent
Target version: -
Pull Request:
Severity: Major - prevents use of part of Rudder | no simple workaround
User visibility: Infrequent - complex configurations | third party integrations
Effort required:
Priority: 41

Description

Please bear with me for only having a SUSE Leap42.3 here for testing this.
In any case, there I can run "rudder agent inventory" but the resulting inv is declined with a signature error.

zuzuzuzu:~ # rudder agent inventory
Rudder agent 6.0.0.beta1
Node uuid: 0eb29fbd-452b-45a7-ac27-d0f776b06034
Start execution with config [0]

M| State Technique Component Key Message
E| compliant Inventory inventory The inventory has been successfully sent
info Rudder agent was run on a subset of policies - not all policies were checked

## Summary #####################################################################
1 components verified in 3 directives
   => 1 components in Enforce mode
      -> 1 compliant
Execution time: 4.05s
################################################################################

[2019-11-21 19:40:39+0000] INFO inventory-processing - Watch new inventory file 'zuzuzuzu-0eb29fbd-452b-45a7-ac27-d0f776b06034.ocs' with signature available: process.
[2019-11-21 19:40:39+0000] ERROR inventory-processing - Error when processing inventory 'zuzuzuzu-0eb29fbd-452b-45a7-ac27-d0f776b06034.ocs', status: SignatureInvalid

There's no further info or instruction what to do.

zuzuzuzu:~ # rpm -aq | grep -i rudder
rudder-agent-6.0.0.beta1-1.SLES.12.x86_64

I'll try to do some more updates on the client but honestly it would take more clear info to understand this. I checked in cfengine-community/outputs/ but it seems the inventory run isn't logging there.

For now it looks like I can't add a Leap42.3 or SLES12 SP3 client.

I re-deployed the VM and upgraded to 15.0 (hated and failed the process, btw).
The signature from 15 was accepted!

Setting this to infrequent but you should test against SLES12 SP3 for youknowwho.

#1

Updated by François ARMAND 9 months ago

Thanks for reporting.

Is it possible to get inventory+signature (should be /var/rudder/inventories/failed)?

Also, you can get more information in /var/log/rudder/webapp/2019_11_..., you can change the line:

<logger name="inventory-processing" level="info" />

Into:

<logger name="inventory-processing" level="trace" />

In /opt/rudder/etc/logback.xml file.

#2

Updated by François ARMAND 9 months ago

Oh, to test back inventory logs at trace level, you can just copy the inventory+signature from /var/rudder/inventories/failed into /var/rudder/inventories/incoming

#3

Updated by Florian Heigl 9 months ago

sent by mail

#4

Updated by François ARMAND 9 months ago

So, the signature verification fails in bouncycastle cypher:

//package org.bouncycastle.crypto.encodings
public class PKCS1Encoding
    implements AsymmetricBlockCipher
...
    private byte[] decodeBlock(
        byte[] in,
        int inOff,
        int inLen)
        throws InvalidCipherTextException
    {
....
        if (badType | start < HEADER_LENGTH)
        {
            Arrays.fill(data, (byte)0);
            throw new InvalidCipherTextException("block incorrect"); // <== here. Yep, that much information.
        }

It may be something about the key. We will try to reproduce it and see if there's something strange when signing is done, here I can't understand.
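
The check quoted in comment #4 rejects a block whose type byte or padding is wrong after the RSA public-key operation, which is what a signature made with a different key than the one the verifier holds decodes to. The sketch below is an added illustration, not Rudder or Bouncy Castle code; the toy keys, the SHA-256 digest and the names `sign` and `diagnose` are assumptions, and it does not parse Rudder's signature file format:

```python
import hashlib

# Constructed toy keys built from Mersenne primes: insecure, illustration only.
E = 65537
P, Q_A, Q_B = 2**521 - 1, 2**607 - 1, 2**1279 - 1
N_A, N_B = P * Q_A, P * Q_B              # key A signs; key B is a different key
D_A = pow(E, -1, (P - 1) * (Q_A - 1))    # private exponent of key A

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# 0x00 0x01, at least 8 bytes of 0xFF, one 0x00 separator, then the data
MIN_DATA_START = 11

def sign(data: bytes, n: int, d: int) -> bytes:
    """PKCS#1 v1.5 signature: pad the DigestInfo, then apply the private key."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    block = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")

def diagnose(data: bytes, sig: bytes, n: int, e: int = E) -> str:
    """Return 'ok' or the stage at which verification of sig fails."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if s >= n:
        return "signature out of range for this modulus"
    block = pow(s, e, n).to_bytes(k, "big")      # RSA public-key operation
    if block[0] != 0 or block[1] != 1:
        return "block incorrect: bad type"       # analogue of badType
    start = block.find(b"\x00", 2) + 1           # first byte after the separator
    if start < MIN_DATA_START or any(b != 0xFF for b in block[2:start - 1]):
        return "block incorrect: bad padding"    # analogue of start < HEADER_LENGTH
    if block[start:] != SHA256_PREFIX + hashlib.sha256(data).digest():
        return "digest mismatch: signed content differs"
    return "ok"

if __name__ == "__main__":
    inventory = b"<REQUEST>constructed sample inventory</REQUEST>"
    sig = sign(inventory, N_A, D_A)
    print(diagnose(inventory, sig, N_A))         # matching key and content
    print(diagnose(inventory + b" ", sig, N_A))  # content changed after signing
    print(diagnose(inventory, sig, N_B))         # verified against another key
```

A padding-level failure points at the key or the signature bytes, while a digest mismatch points at the inventory content having changed after signing.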

#5

Updated by Alexis MOUSSET 9 months ago

Tested on a Leap 42.3 with 6.0 beta1 agent and had no issue with inventory.

#6

Updated by François ARMAND 9 months ago

  • Status changed from New to Rejected

@Florian, I will close that one as we didn't reproduce it, and all our tests are working, and we corrected the detection problem. If you see it again, please reopen that ticket!
