e3ffab
From 9c9050a11a14f548fe2f0f0746c686a8ccc09488 Mon Sep 17 00:00:00 2001
e3ffab
From: Tomas Babej <tbabej@redhat.com>
e3ffab
Date: Tue, 2 Dec 2014 13:13:51 +0100
e3ffab
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert
e3ffab
e3ffab
For CA certificates that are not certificates of IPA CA, we incorrectly
e3ffab
set the trust flags to ",,", regardless what the actual trust_flags
e3ffab
parameter was passed.
e3ffab
e3ffab
Make the load_cacert method respect trust_flags and make it a required
e3ffab
argument.
e3ffab
e3ffab
https://fedorahosted.org/freeipa/ticket/4779
e3ffab
e3ffab
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
e3ffab
---
e3ffab
 ipaserver/install/certs.py      | 6 ++----
e3ffab
 ipaserver/install/dsinstance.py | 2 +-
e3ffab
 2 files changed, 3 insertions(+), 5 deletions(-)
e3ffab
e3ffab
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
e3ffab
index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..7292cbbe3574f57d32daa6f1e310669486fa5eff 100644
e3ffab
--- a/ipaserver/install/certs.py
e3ffab
+++ b/ipaserver/install/certs.py
e3ffab
@@ -238,7 +238,7 @@ class CertDB(object):
e3ffab
                          "-k", self.passwd_fname])
e3ffab
             self.set_perms(self.pk12_fname)
e3ffab
 
e3ffab
-    def load_cacert(self, cacert_fname, trust_flags='C,,'):
e3ffab
+    def load_cacert(self, cacert_fname, trust_flags):
e3ffab
         """
e3ffab
         Load all the certificates from a given file. It is assumed that
e3ffab
         this file creates CA certificates.
e3ffab
@@ -255,11 +255,9 @@ class CertDB(object):
e3ffab
                 (rdn, subject_dn) = get_cert_nickname(cert)
e3ffab
                 if subject_dn == ca_dn:
e3ffab
                     nick = get_ca_nickname(self.realm)
e3ffab
-                    tf = trust_flags
e3ffab
                 else:
e3ffab
                     nick = str(subject_dn)
e3ffab
-                    tf = ',,'
e3ffab
-                self.nssdb.add_cert(cert, nick, tf, pem=True)
e3ffab
+                self.nssdb.add_cert(cert, nick, trust_flags, pem=True)
e3ffab
             except RuntimeError:
e3ffab
                 break
e3ffab
 
e3ffab
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
e3ffab
index da535347117166e6cb445b0ebf14ad71787f72ba..860ad992ea94b8275fdfd1b4435607375c1d3d80 100644
e3ffab
--- a/ipaserver/install/dsinstance.py
e3ffab
+++ b/ipaserver/install/dsinstance.py
e3ffab
@@ -841,7 +841,7 @@ class DsInstance(service.Service):
e3ffab
         certdb.cacert_name = cacert_name
e3ffab
         status = True
e3ffab
         try:
e3ffab
-            certdb.load_cacert(cacert_fname)
e3ffab
+            certdb.load_cacert(cacert_fname, 'C,,')
e3ffab
         except ipautil.CalledProcessError, e:
e3ffab
             root_logger.critical("Error importing CA cert file named [%s]: %s" %
e3ffab
                                          (cacert_fname, str(e)))
e3ffab
-- 
e3ffab
2.1.0
e3ffab