Do stricter validation of CA certificates

Every CA certificate must have non-empty subject and basic constraints extension with the CA flag set. https://fedorahosted.org/freeipa/ticket/4477 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-09-29 16:22:30 +02:00
parent 3cde7e9cfd
commit 83cbfa8eae
2 changed files with 15 additions and 4 deletions
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -490,6 +490,10 @@ class NSSDatabase(object):
        try:
            certdb = nss.get_default_certdb()
            cert = nss.find_cert_from_nickname(nickname)
+            if not cert.subject:
+                raise ValueError("has empty subject")
+            if not cert.is_ca_cert():
+                raise ValueError("not a CA certificate")
            intended_usage = nss.certificateUsageSSLCA
            try:
                approved_usage = cert.verify_now(certdb, True, intended_usage)
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -215,8 +215,6 @@ class CACertManage(admintool.AdminTool):
            #pylint: enable=E1101

            nss_cert = x509.load_certificate_from_file(cert_file.name)
-            if not nss_cert.is_ca_cert():
-                raise admintool.ScriptError("Not a CA certificate")
            if nss_cert.subject != subject:
                raise admintool.ScriptError("Subject name mismatch")
            #pylint: disable=E1101
@@ -319,8 +317,6 @@ class CACertManage(admintool.AdminTool):
                    "Can't open \"%s\": %s" % (cert_filename, e))
            except (TypeError, NSPRError), e:
                raise admintool.ScriptError("Not a valid certificate: %s" % e)
-            if not nss_cert.is_ca_cert():
-                raise admintool.ScriptError("Not a CA certificate")
            subject = nss_cert.subject
            cert = nss_cert.der_data
        finally:
@@ -328,6 +324,17 @@ class CACertManage(admintool.AdminTool):

        nickname = options.nickname or str(subject)

+        with certs.NSSDatabase() as tmpdb:
+            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
+            tmpdb.create_db(pw.name)
+            tmpdb.add_cert(cert, nickname, 'C,,')
+
+            try:
+                tmpdb.verify_ca_cert_validity(nickname)
+            except ValueError, e:
+                raise admintool.ScriptError(
+                    "Not a valid CA certificate: %s" % e)
+
        trust_flags = options.trust_flags
        if ((set(trust_flags) - set(',CPTcgpuw')) or
            len(trust_flags.split(',')) != 3):