Require nss with fix for nickname bug

nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. Nicknames
of certificates are no longer changed when a certificate is imported
multiple times under different names.

Partly revert commit ad2eb3d09b with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.

See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Christian Heimes 2018-04-30 08:25:23 +02:00
parent 648d7c0d38
commit 880d9b4134
2 changed files with 12 additions and 19 deletions


@ -96,7 +96,11 @@
%endif
# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes
%global pki_version 10.6.0-1
%global pki_version 10.6.0-1.2
# NSS release with fix for CKA_LABEL import bug in shared SQL database.
# https://bugzilla.redhat.com/show_bug.cgi?id=1568271
%global nss_version 3.36.1-1.1
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
@ -157,7 +161,7 @@ BuildRequires: systemd
# systemd-tmpfiles which is executed from make install requires apache user
BuildRequires: httpd
BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: openssl-devel
BuildRequires: libini_config-devel
BuildRequires: cyrus-sasl-devel
@ -338,8 +342,8 @@ Requires: python2-ldap >= %{python2_ldap_version}
%endif
Requires: 389-ds-base >= %{ds_version}
Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
Requires: nss >= %{nss_version}
Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
Requires: krb5-pkinit-openssl >= %{krb5_version}
@ -604,7 +608,7 @@ Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
Requires: sssd >= 1.14.0
Requires: certmonger >= 0.79.5-1
Requires: nss-tools
Requires: nss-tools >= %{nss_version}
Requires: bind-utils
Requires: oddjob-mkhomedir
Requires: libsss_autofs
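Review bot: The `pki_version` bump from 10.6.0-1 to 10.6.0-1.2 in the first hunk is explained neither by the unchanged comment above it (`# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes`) nor by the commit message, which only describes the nss requirement. A short addition to that comment, e.g. `# 10.6.0-1.2 additionally needed for <REASON-PLACEHOLDER>`, would let packagers tell whether the two bumps are independent or the pki rebuild is itself tied to the nss fix. The new `nss_version` macro is applied consistently to nss-devel, nss and nss-tools in the later hunks, which keeps the build and runtime requirements aligned with the fixed build rather than the old 3.14.3-12.0 floor.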


@ -5,15 +5,13 @@ from __future__ import print_function, absolute_import
import enum
import logging
from ipalib import api
from ipalib.install.certstore import get_ca_certs_nss
from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
from ipaserver.secrets.client import CustodiaClient
from ipaplatform.paths import paths
from ipaplatform.constants import constants
from ipaserver.install.service import SimpleServiceInstance
from ipapython import ipautil
from ipapython.certdb import NSSDatabase, get_ca_nickname
from ipapython.certdb import NSSDatabase
from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import sysupgrade
@ -277,17 +275,8 @@ class CustodiaInstance(SimpleServiceInstance):
'-w', pk12pwfile
])
# Add CA certificates, but don't import the main CA cert. It's
# already present as 'caSigningCert cert-pki-ca'. With SQL db
# format, a second import would rename the certificate. See
# https://pagure.io/freeipa/issue/7498 for more details.
conn = api.Backend.ldap2
suffix = ipautil.realm_to_suffix(self.realm)
ca_certs = get_ca_certs_nss(conn, suffix, self.realm, True)
for cert, nickname, trust_flags in ca_certs:
if nickname == get_ca_nickname(self.realm):
continue
tmpdb.add_cert(cert, nickname, trust_flags)
# Add CA certificates
self.export_ca_certs_nssdb(tmpdb, True)
# Now that we gathered all certs, re-export
ipautil.run([
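Review bot: The replacement comment `# Add CA certificates` in the second hunk drops the context the removed lines carried: the main CA cert is now re-imported into the temporary database, which is only safe because the spec pins nss >= 3.36.1-1.1 (the CKA_LABEL import fix); a reader of custodiainstance.py alone cannot see that dependency. I would keep a one-line pointer, e.g. `# Add CA certificates; re-importing the main CA cert is safe now that the package requires the nss build fixing the SQL-db nickname bug (issue 7516)`. The positional `True` passed to `export_ca_certs_nssdb` also reads as an opaque flag; passing it by keyword would document it in place, though the parameter name is not visible in this hunk. The enclosing method starts before the hunk and the `ipautil.run([` call continues past it.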