Bug #16243

closed

SUSE inventory signing

Added by Florian Heigl over 4 years ago. Updated over 4 years ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Agent
Target version: -
Severity: Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility: Infrequent - complex configurations | third party integrations
Effort required:
Priority: 41
Name check: To do
Fix check: To do
Regression:

Description

Please bear with me for only having a SUSE Leap42.3 here for testing this.
In any case, there I can run "rudder agent inventory" but the resulting inv is declined with a signature error.

zuzuzuzu:~ # rudder agent inventory
Rudder agent 6.0.0.beta1
Node uuid: 0eb29fbd-452b-45a7-ac27-d0f776b06034
Start execution with config [0]

M| State Technique Component Key Message
E| compliant Inventory inventory The inventory has been successfully sent
info Rudder agent was run on a subset of policies - not all policies were checked

## Summary #####################################################################
1 components verified in 3 directives
 => 1 components in Enforce mode
 -> 1 compliant
Execution time: 4.05s
################################################################################

[2019-11-21 19:40:39+0000] INFO inventory-processing - Watch new inventory file 'zuzuzuzu-0eb29fbd-452b-45a7-ac27-d0f776b06034.ocs' with signature available: process.
[2019-11-21 19:40:39+0000] ERROR inventory-processing - Error when processing inventory 'zuzuzuzu-0eb29fbd-452b-45a7-ac27-d0f776b06034.ocs', status: SignatureInvalid

There's no further info or instruction what to do.

zuzuzuzu:~ # rpm -aq | grep -i rudder
rudder-agent-6.0.0.beta1-1.SLES.12.x86_64

I'll try to do some more updates on the client but honestly it would take more clear info to understand this. I checked in cfengine-community/outputs/ but it seems the inventory run isn't logging there.

For now it looks like I can't add a Leap42.3 or SLES12 SP3 client.

I re-deployed the VM and upgraded to 15.0 (hated and failed the process, btw).
The signature from 15 was accepted!

Setting this to infrequent but you should test against SLES12 SP3 for youknowwho.

Actions #1

Updated by François ARMAND over 4 years ago

Thanks for reporting.

Is it possible to get the inventory+signature (should be in /var/rudder/inventories/failed)?

Also, you can get more information in /var/log/rudder/webapp/2019_11_...; you can change the line:

<logger name="inventory-processing" level="info" />

Into:

<logger name="inventory-processing" level="trace" />

In the /opt/rudder/etc/logback.xml file.

Actions #2

Updated by François ARMAND over 4 years ago

Oh, to test back inventory logs at trace level, you can just copy the inventory+signature from /var/rudder/inventories/failed into /var/rudder/inventories/incoming.

Actions #3

Updated by Florian Heigl over 4 years ago

Sent by mail.

Actions #4

Updated by François ARMAND over 4 years ago

So, the signature verification fails in the bouncycastle cipher:

//package org.bouncycastle.crypto.encodings
public class PKCS1Encoding
    implements AsymmetricBlockCipher
...
    private byte[] decodeBlock(
        byte[] in,
        int inOff,
        int inLen)
        throws InvalidCipherTextException
    {
....
        if (badType | start < HEADER_LENGTH)
        {
            Arrays.fill(data, (byte)0);
            throw new InvalidCipherTextException("block incorrect"); // <== here. Yep, that much information.
        }

It may be something about the key. We will try to reproduce it and see if there's something strange when signing is done, here I can't understand.
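
What "block incorrect" means at the PKCS#1 v1.5 padding layer, as an added Python sketch that is not part of the ticket and is neither Rudder's nor Bouncy Castle's code. The toy keys, the truncated digest, MIN_PAD, the sample inventory and all function names are assumptions of this example.

```python
import hashlib

E = 65537
# Constructed toy keys from Mersenne primes: far too small for real use.
N_A = (2**107 - 1) * (2**127 - 1)   # key the "agent" signs with
D_A = pow(E, -1, (2**107 - 2) * (2**127 - 2))
N_B = (2**61 - 1) * (2**89 - 1)     # unrelated key the "server" might hold
MIN_PAD = 8                          # minimum 0xFF padding bytes (RFC 8017)

def digest(msg):
    # Truncated SHA-256 so the block fits the toy modulus (demo assumption).
    return hashlib.sha256(msg).digest()[:16]

def size(n):
    return (n.bit_length() + 7) // 8

def sign(msg, n, d):
    # EM = 00 01 FF..FF 00 digest, then the RSA private-key operation.
    data = digest(msg)
    em = b"\x00\x01" + b"\xff" * (size(n) - 3 - len(data)) + b"\x00" + data
    return pow(int.from_bytes(em, "big"), d, n)

def decode_block(block):
    # Counterpart of the quoted check: wrong block type or a separator
    # found too early (or bad padding) gives one uninformative error.
    bad_type = block[:2] != b"\x00\x01"
    sep = block.find(b"\x00", 2)
    pad = block[2:sep] if sep != -1 else b""
    if bad_type or len(pad) < MIN_PAD or pad.strip(b"\xff"):
        raise ValueError("block incorrect")
    return block[sep + 1:]

def check(msg, sig, n):
    # RSA public-key operation, then padding check, then digest comparison.
    block = pow(sig, E, n).to_bytes(size(n), "big")
    try:
        return "valid" if decode_block(block) == digest(msg) else "digest mismatch"
    except ValueError as exc:
        return str(exc)

INVENTORY = b"<REQUEST>constructed sample inventory</REQUEST>"
SIG = sign(INVENTORY, N_A, D_A)

if __name__ == "__main__":
    print("matching key:  ", check(INVENTORY, SIG, N_A))
    print("edited file:   ", check(INVENTORY + b" ", SIG, N_A))
    print("other key:     ", check(INVENTORY, SIG, N_B))
    print("damaged sig:   ", check(INVENTORY, SIG ^ 1, N_A))
```

In this model an edited inventory checked with the matching key passes the padding check and fails only at the digest comparison, while a non-matching public key or a damaged signature fails earlier with "block incorrect".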

Actions #5

Updated by Alexis Mousset over 4 years ago

Tested on a Leap 42.3 with 6.0 beta1 agent and had no issue with inventory.

Actions #6

Updated by François ARMAND over 4 years ago

  • Status changed from New to Rejected

@Florian, I will close that one as we didn't reproduce it, and all our tests are working, and we corrected the detection problem. If you see it again, please reopen that ticket!
