rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   a2f1a92f1934e8c103bb88ef0828da879ba2bb97
  2.   SOURCES
  3.   0051-ipa-upgrade-handle-double-encoded-certificates.patch
Blob History Raw
21de49 
From 086611271c4dfbbf47e76e666142327bf950a9ca Mon Sep 17 00:00:00 2001
21de49 
From: Florence Blanc-Renaud <flo@redhat.com>
21de49 
Date: Mon, 26 Nov 2018 14:15:12 +0100
21de49 
Subject: [PATCH] ipa upgrade: handle double-encoded certificates
21de49
21de49 
Issue is linked to the ticket
21de49 
 #3477 LDAP upload CA cert sometimes double-encodes the value
21de49 
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
21de49 
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
21de49
21de49 
The fix for 3477 is only partial as it prevents double-encoding when a
21de49 
new cert is uploaded but does not fix wrong values already present in LDAP.
21de49
21de49 
With this commit, the code first tries to read a der cert. If it fails,
21de49 
it logs a debug message and re-writes the value caCertificate;binary
21de49 
to repair the entry.
21de49
21de49 
Fixes https://pagure.io/freeipa/issue/7775
21de49 
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
21de49 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
21de49 
---
21de49 
 ipaserver/install/plugins/upload_cacrt.py | 13 ++++++++++++-
21de49 
 1 file changed, 12 insertions(+), 1 deletion(-)
21de49
21de49 
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
21de49 
index 68d43caa76eb67093745658d20a39700adbd16c6..dc58f0863182ccb92d9fed6aa5f1c2546404b598 100644
21de49 
--- a/ipaserver/install/plugins/upload_cacrt.py
21de49 
+++ b/ipaserver/install/plugins/upload_cacrt.py
21de49 
@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
21de49 
                 entry.single_value['cACertificate;binary'] = ca_cert
21de49 
                 ldap.add_entry(entry)
21de49 
             else:
21de49 
-                if b'' in entry['cACertificate;binary']:
21de49 
+                force_write = False
21de49 
+                try:
21de49 
+                    _cert_bin = entry['cACertificate;binary']
21de49 
+                except ValueError:
21de49 
+                    # BZ 1644874
21de49 
+                    # sometimes the cert is badly stored, twice encoded
21de49 
+                    # force write to fix the value
21de49 
+                    logger.debug('Fixing the value of cACertificate;binary '
21de49 
+                                 'in entry %s', entry.dn)
21de49 
+                    force_write = True
21de49 
+
21de49 
+                if force_write or b'' in entry['cACertificate;binary']:
21de49 
                     entry.single_value['cACertificate;binary'] = ca_cert
21de49 
                     ldap.update_entry(entry)
21de49
21de49 
--
21de49 
2.17.2
21de49

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation