From e6bdbe215ae3fba629eea69e4413c44fea7cd02b Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 17 Mar 2015 08:23:40 +0000
Subject: [PATCH] upload_cacrt: Fix empty cACertificate in cn=CAcert
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
---
ipaserver/install/plugins/upload_cacrt.py | 54 +++++++++++++++++--------------
1 file changed, 30 insertions(+), 24 deletions(-)
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 66270ae7613e935fc8df4bc90aa5001296e1c06d..4d5ce52d4073660fc0c1c1ba09e993b250e11fcb 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -20,7 +20,7 @@
from ipaserver.install.plugins import MIDDLE
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipaserver.install import certs
-from ipalib import api, certstore
+from ipalib import api, errors, certstore
from ipapython import certdb
from ipapython.dn import DN
@@ -45,7 +45,7 @@ class update_upload_cacrt(PostUpdate):
if ca_chain:
ca_nickname = ca_chain[-1]
- updates = {}
+ ldap = self.obj.backend
for nickname, trust_flags in db.list_certs():
if 'u' in trust_flags:
@@ -53,40 +53,46 @@ class update_upload_cacrt(PostUpdate):
if nickname == ca_nickname and ca_enabled:
trust_flags = 'CT,C,C'
cert = db.get_cert_from_db(nickname, pem=False)
+ trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
+
+ dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
+ ('cn','etc'), self.api.env.basedn)
+ entry = ldap.make_entry(dn)
+
try:
- dn, entry = self._make_entry(cert, nickname, trust_flags)
+ certstore.init_ca_entry(entry, cert, nickname, trust, eku)
except Exception, e:
self.log.warning("Failed to create entry for %s: %s",
nickname, e)
continue
if nickname == ca_nickname:
ca_cert = cert
+ config = entry.setdefault('ipaConfigString', [])
if ca_enabled:
- entry.append('ipaConfigString:ipaCA')
- entry.append('ipaConfigString:compatCA')
- updates[dn] = {'dn': dn, 'default': entry}
+ config.append('ipaCa')
+ config.append('ipaCa')
+
+ try:
+ ldap.add_entry(entry)
+ except errors.DuplicateEntry:
+ pass
if ca_cert:
dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'),
self.api.env.basedn)
- entry = ['objectclass:nsContainer',
- 'objectclass:pkiCA',
- 'cn:CAcert',
- 'cACertificate;binary:%s' % ca_cert,
- ]
- updates[dn] = {'dn': dn, 'default': entry}
-
- return (False, True, [updates])
-
- def _make_entry(self, cert, nickname, trust_flags):
- dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
- ('cn','etc'), self.api.env.basedn)
-
- entry = dict()
- trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
- certstore.init_ca_entry(entry, cert, nickname, trust, eku)
- entry = ['%s:%s' % (a, v) for a, vs in entry.iteritems() for v in vs]
+ try:
+ entry = ldap.get_entry(dn)
+ except errors.NotFound:
+ entry = ldap.make_entry(dn)
+ entry['objectclass'] = ['nsContainer', 'pkiCA']
+ entry.single_value['cn'] = 'CAcert'
+ entry.single_value['cACertificate;binary'] = ca_cert
+ ldap.add_entry(entry)
+ else:
+ if '' in entry['cACertificate;binary']:
+ entry.single_value['cACertificate;binary'] = ca_cert
+ ldap.update_entry(entry)
- return dn, entry
+ return (False, False, [])
api.register(update_upload_cacrt)
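Review bot: The `ca_enabled` branch appends `'ipaCa'` to ipaConfigString twice (the two consecutive `config.append('ipaCa')` lines), whereas the removed code appended `ipaConfigString:ipaCA` and `ipaConfigString:compatCA`, so the second call looks like a copy-paste slip that drops the compatCA marker and leaves a duplicate value that `ldap.add_entry` may reject on a server refusing duplicate attribute values; change the second line to `config.append('compatCA')`. The value's case also moves from `ipaCA` to `ipaCa`, and nothing in the hunk shows how consumers match that string, so confirm it is compared case-insensitively or keep the original spelling. The `except errors.DuplicateEntry: pass` leaves an already-present certificate entry untouched even when its trust flags changed in the NSS database; if that deliberately mirrors the old `'default'` update semantics, say so with `# already present: keep the existing trust settings`. In the CAcert branch, `entry['cACertificate;binary']` is indexed without a guard, so an existing entry that lacks the attribute would presumably raise rather than be repaired — worth `entry.get('cACertificate;binary', [])` or confirming LDAPEntry's behaviour. The enclosing method begins above the hunk.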
--
2.1.0