IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add method for verifying CA certificates to NSSDatabase.

Browse Source 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-03-13 10:27:54 +01:00 committed by Petr Viktorin
parent 2c43a3d0d5
commit 031b281921
1 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
ipaserver/install/certs.py
View File

@ -256,6 +256,8 @@ class NSSDatabase(object):
Raises a ValueError if the certificate is invalid.
"""
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
@ -277,6 +279,27 @@ class NSSDatabase(object):
return None
def verify_ca_cert_validity(self, nickname):
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLCA
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError, e:
if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
raise ValueError(e.strerror)
approved_usage = 0
if approved_usage & intended_usage != intended_usage:
raise ValueError('invalid for a CA')
finally:
del certdb, cert
nss.nss_shutdown()
class CertDB(object):
"""An IPA-server-specific wrapper around NSS