From 086611271c4dfbbf47e76e666142327bf950a9ca Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Mon, 26 Nov 2018 14:15:12 +0100
Subject: [PATCH] ipa upgrade: handle double-encoded certificates

Issue is linked to the ticket #3477 LDAP upload CA cert sometimes double-encodes the value In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN. The fix for 3477 is only partial as it prevents double-encoding when a new cert is uploaded but does not fix wrong values already present in LDAP. With this commit, the code first tries to read a der cert. If it fails, it logs a debug message and re-writes the value caCertificate;binary to repair the entry.

Fixes https://pagure.io/freeipa/issue/7775

Signed-off-by: Florence Blanc-Renaud
Reviewed-By: Christian Heimes
---
 ipaserver/install/plugins/upload_cacrt.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 68d43caa76eb67093745658d20a39700adbd16c6..dc58f0863182ccb92d9fed6aa5f1c2546404b598 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
 entry.single_value['cACertificate;binary'] = ca_cert
 ldap.add_entry(entry)
 else:
- if b'' in entry['cACertificate;binary']:
+ force_write = False
+ try:
+ _cert_bin = entry['cACertificate;binary']
+ except ValueError:
+ # BZ 1644874
+ # sometimes the cert is badly stored, twice encoded
+ # force write to fix the value
+ logger.debug('Fixing the value of cACertificate;binary '
+ 'in entry %s', entry.dn)
+ force_write = True
+
+ if force_write or b'' in entry['cACertificate;binary']:
 entry.single_value['cACertificate;binary'] = ca_cert
 ldap.update_entry(entry)
-- 
2.17.2
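Review bot: `_cert_bin` is bound inside the `try` but never used, and the final added `if` re-reads `entry['cACertificate;binary']`, so the attribute is decoded a second time on the normal path; reusing the value already fetched keeps a single lookup, `if force_write or b'' in _cert_bin:` (safe because `or` short-circuits when `force_write` is True and `_cert_bin` is unbound). The `except ValueError` presumably relies on the entry wrapper raising ValueError when the double-encoded value fails to decode as DER; a short comment stating that assumption, e.g. `# entry[...] raises ValueError when the stored value is not valid DER`, would make the repair path easier to maintain. Since this branch overwrites the CA trust anchor stored in LDAP during upgrade, logging the repair at info rather than debug level would leave a visible trace in the upgrade log for anyone auditing why the entry changed. The enclosing method of update_upload_cacrt starts before and continues after the hunk.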