From 2805b17bb7f204c25ed27bea1ee4fb999ae3d9d7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 17 Mar 2015 09:28:47 +0000
Subject: [PATCH] certstore: Make certificate retrieval more robust
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
---
ipalib/certstore.py | 74 +++++++++++++++++++++++++++++++++++++----------------
1 file changed, 52 insertions(+), 22 deletions(-)
diff --git a/ipalib/certstore.py b/ipalib/certstore.py
index 8a9b41015127fcb1b2b5e01da10f0defcee18265..3a5555c95251fdf3384c7dd21cb19d2125a469f5 100644
--- a/ipalib/certstore.py
+++ b/ipalib/certstore.py
@@ -239,6 +239,31 @@ def put_ca_cert(ldap, base_dn, dercert, nickname, trusted=None,
pass
+def make_compat_ca_certs(certs, realm, ipa_ca_subject):
+ """
+ Make CA certificates and associated key policy from DER certificates.
+ """
+ result = []
+
+ for cert in certs:
+ subject, issuer_serial, public_key_info = _parse_cert(cert)
+ subject = DN(subject)
+
+ if ipa_ca_subject is not None and subject == DN(ipa_ca_subject):
+ nickname = get_ca_nickname(realm)
+ ext_key_usage = {x509.EKU_SERVER_AUTH,
+ x509.EKU_CLIENT_AUTH,
+ x509.EKU_EMAIL_PROTECTION,
+ x509.EKU_CODE_SIGNING}
+ else:
+ nickname = str(subject)
+ ext_key_usage = {x509.EKU_SERVER_AUTH}
+
+ result.append((cert, nickname, True, ext_key_usage))
+
+ return result
+
+
def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
filter_subject=None):
"""
@@ -250,6 +275,7 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
filter_subject = [str(subj).replace('\\;', '\\3b')
for subj in filter_subject]
+ certs = []
config_dn = DN(('cn', 'ipa'), ('cn', 'etc'), base_dn)
container_dn = DN(('cn', 'certificates'), config_dn)
try:
@@ -265,7 +291,6 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
'cACertificate;binary'])
- certs = []
for entry in result:
nickname = entry.single_value['cn']
trusted = entry.single_value.get('ipaKeyTrust', 'unknown').lower()
@@ -281,34 +306,39 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
ext_key_usage.discard(x509.EKU_PLACEHOLDER)
for cert in entry.get('cACertificate;binary', []):
+ try:
+ _parse_cert(cert)
+ except ValueError:
+ certs = []
+ break
certs.append((cert, nickname, trusted, ext_key_usage))
-
- return certs
except errors.NotFound:
try:
ldap.get_entry(container_dn, [''])
except errors.NotFound:
- pass
- else:
- return []
-
- # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX
- dn = DN(('cn', 'CAcert'), config_dn)
- entry = ldap.get_entry(dn, ['cACertificate;binary'])
-
- cert = entry.single_value['cACertificate;binary']
- subject, issuer_serial, public_key_info = _parse_cert(cert)
- if filter_subject is not None and subject not in filter_subject:
- return []
+ # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX
+ dn = DN(('cn', 'CAcert'), config_dn)
+ entry = ldap.get_entry(dn, ['cACertificate;binary'])
+
+ cert = entry.single_value['cACertificate;binary']
+ try:
+ subject, issuer_serial, public_key_info = _parse_cert(cert)
+ except ValueError:
+ pass
+ else:
+ if filter_subject is not None and subject not in filter_subject:
+ raise errors.NotFound(reason="no matching entry found")
- nickname = get_ca_nickname(compat_realm)
- ext_key_usage = {x509.EKU_SERVER_AUTH}
- if compat_ipa_ca:
- ext_key_usage |= {x509.EKU_CLIENT_AUTH,
- x509.EKU_EMAIL_PROTECTION,
- x509.EKU_CODE_SIGNING}
+ if compat_ipa_ca:
+ ca_subject = subject
+ else:
+ ca_subject = None
+ certs = make_compat_ca_certs([cert], compat_realm, ca_subject)
- return [(cert, nickname, True, ext_key_usage)]
+ if certs:
+ return certs
+ else:
+ raise errors.NotFound(reason="no such entry")
def trust_flags_to_key_policy(trust_flags):
--
2.1.0