From c7cc9896e89b3214c439e5601bf93b405dc1c72b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 12 Nov 2018 16:40:38 +1100
Subject: [PATCH] certdb: ensure non-empty Subject Key Identifier

Installation or IPA CA renewal with externally-signed CA accepts an IPA CA certificate with empty Subject Key Identifier. This is technically legal in X.509, but is an operational issue. Furthermore, due to an extant bug in Dogtag (https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag startup failure.

Reject CA certificates with empty Subject Key Identifier.

Fixes: https://pagure.io/freeipa/issue/7762
Reviewed-By: Christian Heimes
---
 ipapython/certdb.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index e3f00c2561..bef6809b0f 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -919,10 +919,13 @@ def verify_ca_cert_validity(self, nickname):
             raise ValueError("not a CA certificate")
 
         try:
-            cert.extensions.get_extension_for_class(
+            ski = cert.extensions.get_extension_for_class(
                 cryptography.x509.SubjectKeyIdentifier)
         except cryptography.x509.ExtensionNotFound:
             raise ValueError("missing subject key identifier extension")
+        else:
+            if len(ski.value.digest) == 0:
+                raise ValueError("subject key identifier must not be empty")
 
         try:
             self.run_certutil(['-V', '-n', nickname, '-u', 'L'],

From c2ae6380b3f6b3804ebd2a7dd2b159b779eb756c Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 13 Nov 2018 12:21:21 +0100
Subject: [PATCH] certdb: validate server cert signature

PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA cert validation. Let's also verify signature, key size, and signing algorithm of server certs. With the '-e' option, the installer and other tools will catch weak certs early.

Fixes: pagure.io/freeipa/issue/7761
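Review bot: The new `else` branch rejects an empty Subject Key Identifier but carries none of the rationale given in the commit message, so a later reader may take it for an over-strict check and relax it; add `# An empty SKI is legal X.509 but is an operational problem and currently breaks Dogtag startup (https://pagure.io/dogtagpki/issue/3079).` above the `if`. The condition also reads more idiomatically as `if not ski.value.digest:` than `if len(ski.value.digest) == 0:`. verify_ca_cert_validity begins before the hunk and continues after it.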
Signed-off-by: Christian Heimes
Reviewed-By: Fraser Tweedale
---
 ipapython/certdb.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 05ec932985..1a92a12c50 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -891,8 +891,15 @@ def verify_server_cert_validity(self, nickname, hostname):
         cert = self.get_cert(nickname)
 
         try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
-                              capture_output=True)
+            self.run_certutil(
+                [
+                    '-V',  # check validity of cert and attrs
+                    '-n', nickname,
+                    '-u', 'V',  # usage; 'V' means "SSL server"
+                    '-e',  # check signature(s); this checks # key sizes, sig algorithm, etc.
+                ],
+                capture_output=True)
         except ipautil.CalledProcessError as e:
             # certutil output in case of error is
             # 'certutil: certificate is invalid: \n'
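Review bot: The `except ipautil.CalledProcessError` handler that follows the new call (its body runs past the hunk) documents certutil's failure output as `'certutil: certificate is invalid: \n'`; with `-e` certutil can now also reject a certificate for a weak key or a disabled signature algorithm, so confirm the handler surfaces that reason in the error it raises rather than only a generic "invalid" message, otherwise an operator hitting the new check during install gets no hint of what to fix. If verify_server_cert_validity has a docstring (its def is before the hunk), it should now state that the signature, key size and signature algorithm are validated as well. The per-flag comments are a good style, but the continuation `# key sizes, sig algorithm, etc.` reads more cleanly folded into one line, `'-e',  # check signature(s), key size and sig algorithm`.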