IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Check trust chain length in CA-less install.

Browse Source 
https://fedorahosted.org/freeipa/ticket/3707
This commit is contained in:
Jan Cholasta 2013-06-18 08:57:12 +00:00 committed by Alexander Bokovoy
parent ec75348354
commit ab96ca7831
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ipaserver/install/installutils.py
View File

@ -739,13 +739,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
[(server_cert_name, server_cert_trust)] = server_certs [(server_cert_name, server_cert_trust)] = server_certs
# Check we have the whole cert chain & the CA is in it # Check we have the whole cert chain & the CA is in it
for cert_name in nssdb.get_trust_chain(server_cert_name): trust_chain = nssdb.get_trust_chain(server_cert_name)
if cert_name == ca_cert_name: while trust_chain:
if trust_chain[0] == ca_cert_name:
break break
trust_chain = trust_chain[1:]
else: else:
raise ScriptError( raise ScriptError(
'%s is not signed by %s, or the full certificate chain is not ' '%s is not signed by %s, or the full certificate chain is not '
'present in the PKCS#12 file' % (pkcs12_filename, ca_file)) 'present in the PKCS#12 file' % (pkcs12_filename, ca_file))
if len(trust_chain) != 2:
raise ScriptError(
'trust chain of the server certificate in %s contains %s '
'certificates, expected 2' %
(pkcs12_filename, len(trust_chain)))
# Check server validity # Check server validity
try: try: