rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0109-Fix-CA-server-cert-validation-in-FIPS.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   460745326ba253b5c4924b624dbc2f0714a2af42
  2.   SOURCES
  3.   0109-Fix-CA-server-cert-validation-in-FIPS.patch
Blob History Raw
ac7d03 
From 83fe9a4eb7b96d9d02066a73fe1894fb8b797753 Mon Sep 17 00:00:00 2001
ac7d03 
From: Stanislav Laznicka <slaznick@redhat.com>
ac7d03 
Date: Wed, 26 Apr 2017 08:19:27 +0200
ac7d03 
Subject: [PATCH] Fix CA/server cert validation in FIPS
ac7d03
ac7d03 
In FIPS, the NSS library needs to be passed passwords to perform
ac7d03 
certificate validation. Should we not have passed it and the NSS
ac7d03 
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE
ac7d03 
which is completely different error than one would expect but
ac7d03 
that's just how things are with NSS right now.
ac7d03
ac7d03 
https://pagure.io/freeipa/issue/6897
ac7d03
ac7d03 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ac7d03 
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
ac7d03 
---
ac7d03 
 ipapython/certdb.py | 13 +++++++++++--
ac7d03 
 1 file changed, 11 insertions(+), 2 deletions(-)
ac7d03
ac7d03 
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
ac7d03 
index 0665f944457fb09820eb244c742cb1782e515ad1..ea73ec139df9013b860df447fcffd9038cf7c8f2 100644
ac7d03 
--- a/ipapython/certdb.py
ac7d03 
+++ b/ipapython/certdb.py
ac7d03 
@@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0):
ac7d03 
     return (cert, e)
ac7d03
ac7d03
ac7d03 
+def get_file_cont(slot, token, filename):
ac7d03 
+    with open(filename) as f:
ac7d03 
+        return f.read()
ac7d03 
+
ac7d03 
+
ac7d03 
 class NSSDatabase(object):
ac7d03 
     """A general-purpose wrapper around a NSS cert database
ac7d03
ac7d03 
@@ -547,12 +552,14 @@ class NSSDatabase(object):
ac7d03 
         if nss.nss_is_initialized():
ac7d03 
             nss.nss_shutdown()
ac7d03 
         nss.nss_init(self.secdir)
ac7d03 
+        nss.set_password_callback(get_file_cont)
ac7d03 
         try:
ac7d03 
             certdb = nss.get_default_certdb()
ac7d03 
             cert = nss.find_cert_from_nickname(nickname)
ac7d03 
             intended_usage = nss.certificateUsageSSLServer
ac7d03 
             try:
ac7d03 
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
ac7d03 
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
ac7d03 
+                                                 self.pwd_file)
ac7d03 
             except NSPRError as e:
ac7d03 
                 if e.errno != -8102:
ac7d03 
                     raise ValueError(e.strerror)
ac7d03 
@@ -572,6 +579,7 @@ class NSSDatabase(object):
ac7d03 
         if nss.nss_is_initialized():
ac7d03 
             nss.nss_shutdown()
ac7d03 
         nss.nss_init(self.secdir)
ac7d03 
+        nss.set_password_callback(get_file_cont)
ac7d03 
         try:
ac7d03 
             certdb = nss.get_default_certdb()
ac7d03 
             cert = nss.find_cert_from_nickname(nickname)
ac7d03 
@@ -586,7 +594,8 @@ class NSSDatabase(object):
ac7d03 
                 raise ValueError("not a CA certificate")
ac7d03 
             intended_usage = nss.certificateUsageSSLCA
ac7d03 
             try:
ac7d03 
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
ac7d03 
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
ac7d03 
+                                                 self.pwd_file)
ac7d03 
             except NSPRError as e:
ac7d03 
                 if e.errno != -8102:    # SEC_ERROR_INADEQUATE_KEY_USAGE
ac7d03 
                     raise ValueError(e.strerror)
ac7d03 
--
ac7d03 
2.12.2
ac7d03

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation