krainstance: set correct issuer DN in uid=ipakra entry

If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-10-04 13:30:37 +10:00 · 2019-10-04 13:30:37 +10:00 · 326d417d98
commit 326d417d98
parent 0fc8562b24
2 changed files with 9 additions and 5 deletions
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@ -16,7 +16,7 @@ from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import ipautil
 from ipapython.install.core import group
-from ipaserver.install import cainstance
+from ipaserver.install import ca, cainstance
 from ipaserver.install import krainstance
 from ipaserver.install import dsinstance
 from ipaserver.install import service as _service
@ -86,10 +86,13 @@ def install(api, replica_config, options, custodia):
        master_host = replica_config.kra_host_name
        promote = True
    ca_subject = ca.lookup_ca_subject(api, subject_base)
    kra = krainstance.KRAInstance(realm_name)
    kra.configure_instance(
        realm_name, host_name, dm_password, dm_password,
        subject_base=subject_base,
        ca_subject=ca_subject,
        pkcs12_info=pkcs12_info,
        master_host=master_host,
        promote=promote,
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@ -81,7 +81,7 @@ class KRAInstance(DogtagInstance):
    def configure_instance(self, realm_name, host_name, dm_password,
                           admin_password, pkcs12_info=None, master_host=None,
-                           subject_base=None, subject=None,
+                           subject_base=None, ca_subject=None,
                           promote=False, pki_config_override=None):
        """Create a KRA instance.
@ -99,8 +99,9 @@ class KRAInstance(DogtagInstance):
        self.subject_base = \
            subject_base or installutils.default_subject_base(realm_name)
-        self.subject = \
+
-            subject or installutils.default_ca_subject_dn(self.subject_base)
+        # eagerly convert to DN to ensure validity
        self.ca_subject = DN(ca_subject)
        self.realm = realm_name
        self.suffix = ipautil.realm_to_suffix(realm_name)
@ -258,7 +259,7 @@ class KRAInstance(DogtagInstance):
            userCertificate=[cert],
            description=['2;%s;%s;%s' % (
                cert.serial_number,
-                DN(self.subject),
+                self.ca_subject,
                DN(('CN', 'IPA RA'), self.subject_base))])
        conn.add_entry(entry)