Keep NSS trust flags of existing certificates

Back up and restore the trust flags of existing certificates during CA
installation. This prevents a previously trusted certificate from being
marked untrusted, as happened when a CA-less installation was converted to
CA-full with an external CA while reusing the same certificate.

https://fedorahosted.org/freeipa/ticket/5791

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Tomas Krizek 2016-09-13 10:14:47 +02:00 committed by Martin Basti
parent e5f7a612fb
commit 2bc70a5d5f


@ -833,6 +833,10 @@ class CAInstance(DogtagInstance):
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
def __import_ca_chain(self): def __import_ca_chain(self):
# Backup NSS trust flags of all already existing certificates
certdb = certs.CertDB(self.realm)
cert_backup_list = certdb.list_certs()
chain = self.__get_ca_chain() chain = self.__get_ca_chain()
# If this chain contains multiple certs then certutil will only import # If this chain contains multiple certs then certutil will only import
@ -883,6 +887,10 @@ class CAInstance(DogtagInstance):
os.remove(chain_name) os.remove(chain_name)
subid += 1 subid += 1
# Restore NSS trust flags of all previously existing certificates
for nick, trust_flags in cert_backup_list:
certdb.trust_root_cert(nick, trust_flags)
def __request_ra_certificate(self): def __request_ra_certificate(self):
# Create a noise file for generating our private key # Create a noise file for generating our private key
noise = array.array('B', os.urandom(128)) noise = array.array('B', os.urandom(128))
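Review bot: The restore loop at the end of `__import_ca_chain` keys trust restoration on the nickname alone, so if the imported chain replaced the certificate stored under a pre-existing nick with a different one, `certdb.trust_root_cert(nick, trust_flags)` would grant the old certificate's trust flags to the new certificate; it should either verify that the cert under `nick` is still the one that was backed up before restoring, or at least document the assumption with `# assumes the chain import did not replace a cert under an existing nick` above the loop. The restore also only runs on the success path: the chain import loop between the two hunks (outside the visible lines) is not wrapped in `try`/`finally`, so a failure during import leaves the modified trust flags in place, which the commit message suggests is the state being avoided. Whether `trust_root_cert` is appropriate for non-CA entries returned by `list_certs()` (e.g. server certificates) is not visible from the hunk and is worth confirming. The body of `__import_ca_chain` continues outside both hunks.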