From 9c9050a11a14f548fe2f0f0746c686a8ccc09488 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Tue, 2 Dec 2014 13:13:51 +0100
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipaserver/install/certs.py | 6 ++----
ipaserver/install/dsinstance.py | 2 +-
2 files changed, 3 insertions(+), 5 deletions(-)
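--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
 "-k", self.passwd_fname])
 self.set_perms(self.pk12_fname)
 
- def load_cacert(self, cacert_fname, trust_flags='C,,'):
+ def load_cacert(self, cacert_fname, trust_flags):
 """
 Load all the certificates from a given file. It is assumed that
 this file creates CA certificates.
@@ -255,11 +255,9 @@ class CertDB(object):
 (rdn, subject_dn) = get_cert_nickname(cert)
 if subject_dn == ca_dn:
 nick = get_ca_nickname(self.realm)
- tf = trust_flags
 else:
 nick = str(subject_dn)
- tf = ',,'
- self.nssdb.add_cert(cert, nick, tf, pem=True)
+ self.nssdb.add_cert(cert, nick, trust_flags, pem=True)
 except RuntimeError:
 break
 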
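Review bot: With the per-certificate `tf` removed, every certificate read from `cacert_fname` is added with the caller's `trust_flags`, yet the docstring still only says the file is "assumed" to hold CA certificates, and the visible lines show no check that a certificate is a CA before it receives trust. The docstring should state the new contract, for example `trust_flags is applied to every certificate in the file, not only the IPA CA certificate, so the file must contain only certificates that should receive that trust`. Since `trust_flags` no longer has a default, any caller not updated in this commit would raise a TypeError; only the dsinstance.py call is visible here, so other callers are worth checking. The body of load_cacert starts and ends outside these hunks.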
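--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -841,7 +841,7 @@ class DsInstance(service.Service):
 certdb.cacert_name = cacert_name
 status = True
 try:
- certdb.load_cacert(cacert_fname)
+ certdb.load_cacert(cacert_fname, 'C,,')
 except ipautil.CalledProcessError, e:
 root_logger.critical("Error importing CA cert file named [%s]: %s" %
 (cacert_fname, str(e)))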
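Review bot: The bare literal `'C,,'` in the `load_cacert` call gives no hint of what it grants, and after the certs.py change it is applied to every certificate in `cacert_fname`, not only the IPA CA. A comment on the call would make the trust decision visible, for example `# 'C,,' marks each cert in cacert_fname as a trusted CA for SSL server certificates`. The enclosing method starts and ends outside the hunk, so where `cacert_fname` comes from and what it may contain cannot be confirmed from here.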
--
2.1.0