From c39b8f8c8fd3af8e4587cd1c454a87c7fefb6490 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 4 Dec 2014 08:15:46 +0000
Subject: [PATCH] Check subject name encoding in ipa-cacert-manage renew
https://fedorahosted.org/freeipa/ticket/4781
Reviewed-By: David Kupka <dkupka@redhat.com>
---
ipaserver/install/ipa_cacert_manage.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 2a8d95fdbebecf543a05afd47275c32684cad970..8fda6a263454e8a4046baa1da069cdcddeb177a9 100644
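--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -213,18 +213,21 @@ class CACertManage(admintool.AdminTool):
 try:
 nss_cert = x509.load_certificate(old_cert, x509.DER)
 subject = nss_cert.subject
+ der_subject = x509.get_der_subject(old_cert, x509.DER)
 #pylint: disable=E1101
 pkinfo = nss_cert.subject_public_key_info.format()
 #pylint: enable=E1101
 
 nss_cert = x509.load_certificate_from_file(cert_file.name)
+ cert = nss_cert.der_data
 if nss_cert.subject != subject:
 raise admintool.ScriptError("Subject name mismatch")
+ if x509.get_der_subject(cert, x509.DER) != der_subject:
+ raise admintool.ScriptError("Subject name encoding mismatch")
 #pylint: disable=E1101
 if nss_cert.subject_public_key_info.format() != pkinfo:
 raise admintool.ScriptError("Subject public key info mismatch")
 #pylint: enable=E1101
- cert = nss_cert.der_data
 finally:
 del nss_cert
 nss.nss_shutdown()
@@ -238,7 +241,7 @@ class CACertManage(admintool.AdminTool):
 tmpdb.add_cert(cert, 'IPA CA', 'C,,')
 except ipautil.CalledProcessError, e:
 raise admintool.ScriptError(
- "Not compatible with the current CA certificate: %s", e)
+ "Not compatible with the current CA certificate: %s" % e)
 
 ca_certs = x509.load_certificate_list_from_file(ca_file.name)
 for ca_cert in ca_certs: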
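Review bot: The added `x509.get_der_subject(cert, x509.DER) != der_subject` check in the first hunk sits directly under `nss_cert.subject != subject` with no comment saying why both are needed, so a later reader could take it for a duplicate and remove it. The existing check compares the decoded names, while the new one compares the raw DER bytes and so rejects a renewed CA certificate whose subject reads the same but is encoded with a different string type. Presumably this matters because certificates already issued carry the old issuer bytes and some chain builders match issuer to subject byte for byte. I would put a comment above the new `if`, such as `# Same name in a different DER encoding would still break issuer matching for certs already issued`, and extend the message to `"Subject name encoding mismatch: the new certificate must keep the old subject's DER encoding"` so the operator knows what to correct. The enclosing method starts above the hunk and no `except` is visible between `try:` and `finally:`, so how a parse failure in `get_der_subject` reaches the user cannot be judged from here.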
--
2.1.0