|
|
483b06 |
From 83fe9a4eb7b96d9d02066a73fe1894fb8b797753 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
483b06 |
Date: Wed, 26 Apr 2017 08:19:27 +0200
|
|
|
483b06 |
Subject: [PATCH] Fix CA/server cert validation in FIPS
|
|
|
483b06 |
|
|
|
483b06 |
In FIPS, the NSS library needs to be passed passwords to perform
|
|
|
483b06 |
certificate validation. Should we not have passed it and the NSS
|
|
|
483b06 |
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE
|
|
|
483b06 |
which is completely different error than one would expect but
|
|
|
483b06 |
that's just how things are with NSS right now.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/6897
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
483b06 |
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
ipapython/certdb.py | 13 +++++++++++--
|
|
|
483b06 |
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
|
|
|
483b06 |
index 0665f944457fb09820eb244c742cb1782e515ad1..ea73ec139df9013b860df447fcffd9038cf7c8f2 100644
|
|
|
483b06 |
--- a/ipapython/certdb.py
|
|
|
483b06 |
+++ b/ipapython/certdb.py
|
|
|
483b06 |
@@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0):
|
|
|
483b06 |
return (cert, e)
|
|
|
483b06 |
|
|
|
483b06 |
|
|
|
483b06 |
+def get_file_cont(slot, token, filename):
|
|
|
483b06 |
+ with open(filename) as f:
|
|
|
483b06 |
+ return f.read()
|
|
|
483b06 |
+
|
|
|
483b06 |
+
|
|
|
483b06 |
class NSSDatabase(object):
|
|
|
483b06 |
"""A general-purpose wrapper around a NSS cert database
|
|
|
483b06 |
|
|
|
483b06 |
@@ -547,12 +552,14 @@ class NSSDatabase(object):
|
|
|
483b06 |
if nss.nss_is_initialized():
|
|
|
483b06 |
nss.nss_shutdown()
|
|
|
483b06 |
nss.nss_init(self.secdir)
|
|
|
483b06 |
+ nss.set_password_callback(get_file_cont)
|
|
|
483b06 |
try:
|
|
|
483b06 |
certdb = nss.get_default_certdb()
|
|
|
483b06 |
cert = nss.find_cert_from_nickname(nickname)
|
|
|
483b06 |
intended_usage = nss.certificateUsageSSLServer
|
|
|
483b06 |
try:
|
|
|
483b06 |
- approved_usage = cert.verify_now(certdb, True, intended_usage)
|
|
|
483b06 |
+ approved_usage = cert.verify_now(certdb, True, intended_usage,
|
|
|
483b06 |
+ self.pwd_file)
|
|
|
483b06 |
except NSPRError as e:
|
|
|
483b06 |
if e.errno != -8102:
|
|
|
483b06 |
raise ValueError(e.strerror)
|
|
|
483b06 |
@@ -572,6 +579,7 @@ class NSSDatabase(object):
|
|
|
483b06 |
if nss.nss_is_initialized():
|
|
|
483b06 |
nss.nss_shutdown()
|
|
|
483b06 |
nss.nss_init(self.secdir)
|
|
|
483b06 |
+ nss.set_password_callback(get_file_cont)
|
|
|
483b06 |
try:
|
|
|
483b06 |
certdb = nss.get_default_certdb()
|
|
|
483b06 |
cert = nss.find_cert_from_nickname(nickname)
|
|
|
483b06 |
@@ -586,7 +594,8 @@ class NSSDatabase(object):
|
|
|
483b06 |
raise ValueError("not a CA certificate")
|
|
|
483b06 |
intended_usage = nss.certificateUsageSSLCA
|
|
|
483b06 |
try:
|
|
|
483b06 |
- approved_usage = cert.verify_now(certdb, True, intended_usage)
|
|
|
483b06 |
+ approved_usage = cert.verify_now(certdb, True, intended_usage,
|
|
|
483b06 |
+ self.pwd_file)
|
|
|
483b06 |
except NSPRError as e:
|
|
|
483b06 |
if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
|
|
|
483b06 |
raise ValueError(e.strerror)
|
|
|
483b06 |
--
|
|
|
483b06 |
2.12.2
|
|
|
483b06 |
|