From c2d66070b05c0230d7d508458223337a0d2571c4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 25 Mar 2016 03:33:05 +0100
Subject: [PATCH] Fixed certificate chain import problem.

In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.

The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.

https://fedorahosted.org/pki/ticket/2022
---
 .../server/deployment/scriptlets/configuration.py  | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 54f065f094c811cdbf944a0ac14e019d0d4d6145..e344e9652fdefc97300cb78ee6f269cfd89b805e 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -157,17 +157,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
-                # If specified, import external CA cert into NSS database.
-                external_ca_cert_chain_nickname = deployer.mdict['pki_external_ca_cert_chain_nickname']
-                external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
-                if external_ca_cert_chain_file:
-                    cert_chain, _nicks = nssdb.import_cert_chain(
-                        nickname=external_ca_cert_chain_nickname,
-                        cert_chain_file=external_ca_cert_chain_file,
-                        trust_attributes='CT,C,C')
-                    subsystem.config['ca.external_ca_chain.cert'] = cert_chain
-
                 # If specified, import externally-signed CA cert into NSS database.
+                # Note: CA cert must be imported before the cert chain to ensure that
+                # the CA cert is imported with the correct nickname.
                 signing_nickname = deployer.mdict['pki_ca_signing_nickname']
                 signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
                 if signing_cert_file:
@@ -182,6 +174,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
                     nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
 
+                # If specified, import cert chain into NSS database.
+                external_ca_cert_chain_nickname = deployer.mdict['pki_external_ca_cert_chain_nickname']
+                external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
+                if external_ca_cert_chain_file:
+                    cert_chain, _nicks = nssdb.import_cert_chain(
+                        nickname=external_ca_cert_chain_nickname,
+                        cert_chain_file=external_ca_cert_chain_file,
+                        trust_attributes='CT,C,C')
+                    subsystem.config['ca.external_ca_chain.cert'] = cert_chain
+
                 # Export CA cert from NSS database and import it into CS.cfg.
                 signing_cert_data = nssdb.get_cert(
                     nickname=signing_nickname,
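Review bot: The relocated `import_cert_chain` call still applies `trust_attributes='CT,C,C'` to the chain as a whole and throws away the returned `_nicks`, so after this change nothing on the new side confirms that the externally-signed CA cert, which the commit message says may itself appear in the chain file, is not re-imported or given broader trust than it received under `signing_nickname` a few lines earlier. Whether `import_cert_chain` skips an already-present cert or overrides its trust is not visible in this hunk, so I would at least record the assumption next to the call: `# Assumes import_cert_chain leaves the already-imported signing cert (nickname above) and its trust flags untouched when it appears in the chain file — confirm`. If `nssdb.import_cert_chain` does report the nicknames it assigned, keeping `nicks` instead of `_nicks` and logging it would make the nickname fix this commit is about observable in the install log. The enclosing method, and the `if signing_cert_file:` branch that precedes this, start and continue outside the hunk.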
-- 
2.4.3