Use information from the certificate subject when setting the NSS nickname.
There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
@@ -39,6 +39,7 @@ import socket
|
||||
from ipapython import dogtag
|
||||
from ipapython.certdb import get_ca_nickname
|
||||
from ipalib import pkcs10, x509
|
||||
from ipalib.dn import DN
|
||||
import subprocess
|
||||
|
||||
from nss.error import NSPRError
|
||||
@@ -919,7 +920,7 @@ class CAInstance(service.Service):
|
||||
# makes openssl throw up.
|
||||
data = base64.b64decode(chain)
|
||||
|
||||
(certs, stderr, returncode) = ipautil.run(["/usr/bin/openssl",
|
||||
(certlist, stderr, returncode) = ipautil.run(["/usr/bin/openssl",
|
||||
"pkcs7",
|
||||
"-inform",
|
||||
"DER",
|
||||
@@ -932,18 +933,20 @@ class CAInstance(service.Service):
|
||||
st = 1
|
||||
en = 0
|
||||
subid = 0
|
||||
normalized_base = str(DN(self.subject_base))
|
||||
while st > 0:
|
||||
st = certs.find('-----BEGIN', en)
|
||||
en = certs.find('-----END', en+1)
|
||||
st = certlist.find('-----BEGIN', en)
|
||||
en = certlist.find('-----END', en+1)
|
||||
if st > 0:
|
||||
try:
|
||||
(chain_fd, chain_name) = tempfile.mkstemp()
|
||||
os.write(chain_fd, certs[st:en+25])
|
||||
os.write(chain_fd, certlist[st:en+25])
|
||||
os.close(chain_fd)
|
||||
if subid == 0:
|
||||
nick = self.canickname
|
||||
(rdn, subject) = certs.get_cert_nickname(certlist[st:en+25])
|
||||
if subject.lower() == ('CN=Certificate Authority,%s' % normalized_base).lower():
|
||||
nick = get_ca_nickname(self.realm)
|
||||
else:
|
||||
nick = "%s sub %d" % (self.canickname, subid)
|
||||
nick = subject
|
||||
self.__run_certutil(
|
||||
['-A', '-t', 'CT,C,C', '-n', nick, '-a',
|
||||
'-i', chain_name]
|
||||
|
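Review bot: The CA-certificate test on the `if subject.lower() == ('CN=Certificate Authority,%s' % normalized_base).lower():` line compares two DN string renderings produced by different code paths (`certs.get_cert_nickname` and `str(DN(...))`), so any difference in spacing, escaping or attribute ordering silently falls through to the `else` branch and the CA cert is imported under its raw subject rather than `get_ca_nickname(self.realm)`, which presumably breaks later lookups by that nickname. Since `DN` is already imported here, compare structurally instead: `if DN(subject) == DN('CN=Certificate Authority,%s' % normalized_base):`. The new side also keeps `subid = 0` with no remaining reader in the hunk and unpacks `rdn` without using it; if the `subid` increment further down the loop survived as well, both are dead and should be dropped, e.g. `(_rdn, subject) = certs.get_cert_nickname(certlist[st:en+25])`. The enclosing method begins before the first hunk and the `try:` body continues past the last line shown.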