From 83fe9a4eb7b96d9d02066a73fe1894fb8b797753 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Wed, 26 Apr 2017 08:19:27 +0200
Subject: [PATCH] Fix CA/server cert validation in FIPS
In FIPS, the NSS library needs to be passed passwords to perform
certificate validation. Should we not have passed it and the NSS
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE
which is a completely different error than one would expect, but
that's just how things are with NSS right now.
https://pagure.io/freeipa/issue/6897
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
---
 ipapython/certdb.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 0665f944457fb09820eb244c742cb1782e515ad1..ea73ec139df9013b860df447fcffd9038cf7c8f2 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0):
     return (cert, e)
 
 
+def get_file_cont(slot, token, filename):
+    with open(filename) as f:
+        return f.read()
+
+
 class NSSDatabase(object):
     """A general-purpose wrapper around a NSS cert database
 
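Review bot: `get_file_cont` returns the file verbatim, so a password file that ends in a newline would hand NSS the wrong token password; either strip the line ending, `return f.read().rstrip('\n')`, or document that the file must hold the bare password (confirm against how pwd_file is written, which is outside this patch). The function also has no docstring, and its `slot` and `token` parameters are unused, which a reader needs to know is the callback signature NSS imposes rather than an oversight; a docstring such as `"""NSS password callback: ignore slot/token and return the contents of filename."""` covers both. Since this patch registers the function process-wide via `nss.set_password_callback`, it is worth stating in that docstring that it is not meant to be called directly.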
@@ -547,12 +552,14 @@ class NSSDatabase(object):
         if nss.nss_is_initialized():
             nss.nss_shutdown()
         nss.nss_init(self.secdir)
+        nss.set_password_callback(get_file_cont)
         try:
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
             intended_usage = nss.certificateUsageSSLServer
             try:
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
+                                                 self.pwd_file)
             except NSPRError as e:
                 if e.errno != -8102:
                     raise ValueError(e.strerror)
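Review bot: The new `verify_now(..., self.pwd_file)` call in this hunk, and the matching one in the `@@ -586` hunk, carry no explanation of why the password is now passed; the rationale from the commit message belongs next to the call, e.g. `# In FIPS mode NSS needs the token password to verify signatures; without it verification fails with SEC_ERROR_BAD_SIGNATURE (https://pagure.io/freeipa/issue/6897)`. `nss.set_password_callback(get_file_cont)` is installed right after `nss_init` here and in the `@@ -572` hunk, but nothing in the patch shows what happens when `self.pwd_file` is None — if NSS invokes the callback with that value, `open(None)` raises inside the callback, so a guard or a documented precondition on how NSSDatabase is constructed would help; that constructor is outside this patch. While here, the `-8102` check in this hunk lacks the `# SEC_ERROR_INADEQUATE_KEY_USAGE` comment the `@@ -586` hunk carries. The enclosing method begins and ends outside the hunk.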
@@ -572,6 +579,7 @@ class NSSDatabase(object):
         if nss.nss_is_initialized():
             nss.nss_shutdown()
         nss.nss_init(self.secdir)
+        nss.set_password_callback(get_file_cont)
         try:
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
@@ -586,7 +594,8 @@ class NSSDatabase(object):
                 raise ValueError("not a CA certificate")
             intended_usage = nss.certificateUsageSSLCA
             try:
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
+                                                 self.pwd_file)
             except NSPRError as e:
                 if e.errno != -8102:    # SEC_ERROR_INADEQUATE_KEY_USAGE
                     raise ValueError(e.strerror)
-- 
2.12.2