|
 |
6d47df |
From c7cc9896e89b3214c439e5601bf93b405dc1c72b Mon Sep 17 00:00:00 2001
|
|
|
6d47df |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
6d47df |
Date: Mon, 12 Nov 2018 16:40:38 +1100
|
|
|
6d47df |
Subject: [PATCH] certdb: ensure non-empty Subject Key Identifier
|
|
|
6d47df |
|
|
|
6d47df |
Installation or IPA CA renewal with externally-signed CA accepts an
|
|
|
6d47df |
IPA CA certificate with empty Subject Key Identifier. This is
|
|
|
6d47df |
technically legal in X.509, but is an operational issue.
|
|
|
6d47df |
Furthermore, due to an extant bug in Dogtag
|
|
|
6d47df |
(https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag
|
|
|
6d47df |
startup failure.
|
|
|
6d47df |
|
|
|
6d47df |
Reject CA certificates with empty Subject Key Identifier.
|
|
|
6d47df |
|
|
|
6d47df |
Fixes: https://pagure.io/freeipa/issue/7762
|
|
|
6d47df |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
6d47df |
---
|
|
|
6d47df |
ipapython/certdb.py | 5 ++++-
|
|
|
6d47df |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
6d47df |
|
|
|
6d47df |
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
|
|
|
6d47df |
index e3f00c2561..bef6809b0f 100644
|
|
|
6d47df |
--- a/ipapython/certdb.py
|
|
|
6d47df |
+++ b/ipapython/certdb.py
|
|
|
6d47df |
@@ -919,10 +919,13 @@ def verify_ca_cert_validity(self, nickname):
|
|
|
6d47df |
raise ValueError("not a CA certificate")
|
|
|
6d47df |
|
|
|
6d47df |
try:
|
|
|
6d47df |
- cert.extensions.get_extension_for_class(
|
|
|
6d47df |
+ ski = cert.extensions.get_extension_for_class(
|
|
|
6d47df |
cryptography.x509.SubjectKeyIdentifier)
|
|
|
6d47df |
except cryptography.x509.ExtensionNotFound:
|
|
|
6d47df |
raise ValueError("missing subject key identifier extension")
|
|
|
6d47df |
+ else:
|
|
|
6d47df |
+ if len(ski.value.digest) == 0:
|
|
|
6d47df |
+ raise ValueError("subject key identifier must not be empty")
|
|
|
6d47df |
|
|
|
6d47df |
try:
|
|
|
6d47df |
self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
|
|
|
6d47df |
From c2ae6380b3f6b3804ebd2a7dd2b159b779eb756c Mon Sep 17 00:00:00 2001
|
|
|
6d47df |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
6d47df |
Date: Tue, 13 Nov 2018 12:21:21 +0100
|
|
|
6d47df |
Subject: [PATCH] certdb: validate server cert signature
|
|
|
6d47df |
|
|
|
6d47df |
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA
|
|
|
6d47df |
cert validation. Let's also verify signature, key size, and signing algorithm
|
|
|
6d47df |
of server certs. With the '-e' option, the installer and other
|
|
|
6d47df |
tools will catch weak certs early.
|
|
|
6d47df |
|
|
|
6d47df |
Fixes: pagure.io/freeipa/issue/7761
|
|
|
6d47df |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
6d47df |
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
6d47df |
---
|
|
|
6d47df |
ipapython/certdb.py | 11 +++++++++--
|
|
|
6d47df |
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
|
6d47df |
|
|
|
6d47df |
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
|
|
|
6d47df |
index 05ec932985..1a92a12c50 100644
|
|
|
6d47df |
--- a/ipapython/certdb.py
|
|
|
6d47df |
+++ b/ipapython/certdb.py
|
|
|
6d47df |
@@ -891,8 +891,15 @@ def verify_server_cert_validity(self, nickname, hostname):
|
|
|
6d47df |
cert = self.get_cert(nickname)
|
|
|
6d47df |
|
|
|
6d47df |
try:
|
|
|
6d47df |
- self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
|
|
|
6d47df |
- capture_output=True)
|
|
|
6d47df |
+ self.run_certutil(
|
|
|
6d47df |
+ [
|
|
|
6d47df |
+ '-V', # check validity of cert and attrs
|
|
|
6d47df |
+ '-n', nickname,
|
|
|
6d47df |
+ '-u', 'V', # usage; 'V' means "SSL server"
|
|
|
6d47df |
+ '-e', # check signature(s); this checks
|
|
|
6d47df |
+ # key sizes, sig algorithm, etc.
|
|
|
6d47df |
+ ],
|
|
|
6d47df |
+ capture_output=True)
|
|
|
6d47df |
except ipautil.CalledProcessError as e:
|
|
|
6d47df |
# certutil output in case of error is
|
|
|
6d47df |
# 'certutil: certificate is invalid: <ERROR_STRING>\n'
|