mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
certdb: validate certificate signatures
When verifying a CA certificate, validate its signature. This causes FreeIPA to reject certificate chains with bad signatures, signatures using unacceptable algorithms, or certificates with unacceptable key sizes. The '-e' option to 'certutil -V' was the missing ingredient. An an example of a problem prevented by this change, a certifiate signed by a 1024-bit intermediate CA, would previously have been imported by ipa-cacert-manage, but would cause Dogtag startup failure due to failing self-test. With this change, ipa-cacert-manage will reject the certificate: # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7 Importing the renewed CA certificate, please wait CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455 in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure. Fixes: https://pagure.io/freeipa/issue/7761 Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
parent
a2a293ed2f
commit
61e1d7a83b
@ -933,7 +933,14 @@ class NSSDatabase:
|
||||
raise ValueError("subject key identifier must not be empty")
|
||||
|
||||
try:
|
||||
self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
|
||||
self.run_certutil(
|
||||
[
|
||||
'-V', # check validity of cert and attrs
|
||||
'-n', nickname,
|
||||
'-u', 'L', # usage; 'L' means "SSL CA"
|
||||
'-e', # check signature(s); this checks
|
||||
# key sizes, sig algorithm, etc.
|
||||
],
|
||||
capture_output=True)
|
||||
except ipautil.CalledProcessError as e:
|
||||
# certutil output in case of error is
|
||||
|
Loading…
Reference in New Issue
Block a user