ipa upgrade: handle double-encoded certificates

Issue is linked to the ticket #3477 LDAP upload CA cert sometimes double-encodes the value In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN. The fix for 3477 is only partial as it prevents double-encoding when a new cert is uploaded but does not fix wrong values already present in LDAP. With this commit, the code first tries to read a der cert. If it fails, it logs a debug message and re-writes the value caCertificate;binary to repair the entry. Fixes https://pagure.io/freeipa/issue/7775 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-01-26 16:16:31 -06:00 · 2018-11-26 14:15:12 +01:00 · 2018-11-26 14:15:12 +01:00 · 800f2690f5
commit 800f2690f5
parent 25cfeea769
1 changed files with 12 additions and 1 deletions
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
                entry.single_value['cACertificate;binary'] = ca_cert
                ldap.add_entry(entry)
            else:
-                if b'' in entry['cACertificate;binary']:
+                force_write = False
+                try:
+                    _cert_bin = entry['cACertificate;binary']
+                except ValueError:
+                    # BZ 1644874
+                    # sometimes the cert is badly stored, twice encoded
+                    # force write to fix the value
+                    logger.debug('Fixing the value of cACertificate;binary '
+                                 'in entry %s', entry.dn)
+                    force_write = True
+
+                if force_write or b'' in entry['cACertificate;binary']:
                    entry.single_value['cACertificate;binary'] = ca_cert
                    ldap.update_entry(entry)