Handle exceptions gracefully when verifying PKCS#12 files.

https://fedorahosted.org/freeipa/ticket/3667

ipaserver/install/certs.py

@@ -29,6 +29,7 @@ import base64
 from hashlib import sha1
 
 from nss import nss
+from nss.error import NSPRError
 
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dogtag
@@ -286,7 +287,12 @@ class NSSDatabase(object):
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
             intended_usage = nss.certificateUsageSSLServer
-            approved_usage = cert.verify_now(certdb, True, intended_usage)
+            try:
+                approved_usage = cert.verify_now(certdb, True, intended_usage)
+            except NSPRError, e:
+                if e.errno != -8102:
+                    raise ValueError(e.strerror)
+                approved_usage = 0
             if not approved_usage & intended_usage:
                 raise ValueError('invalid for a SSL server')
             if not cert.verify_hostname(hostname):

ipaserver/install/installutils.py

@@ -720,7 +720,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
         # Import the CA cert first so it has a known nickname
         # (if it's present in the PKCS#12 it won't be overwritten)
         ca_cert_name = 'The Root CA'
-        nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+        try:
+            nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+        except ValueError, e:
+            raise ScriptError(str(e))
 
         # Import everything in the PKCS#12
         nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename)