From bc6d4995144505c45a62320c71f503b54f68a962 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 25 May 2017 15:42:58 +1000
Subject: [PATCH] Add Subject Key Identifier to CA cert validity check
CA certificates MUST have the Subject Key Identifier extension to facilitiate certification path construction. Not having this extension on the IPA CA certificate will cause failures in Dogtag during signing; it tries to copy the CA's Subject Key Identifier to the new certificate's Authority Key Identifier extension, which fails.
When installing an externally-signed CA, check that the Subject Key Identifier extension is present in the CA certificate.
Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka
---
 ipapython/certdb.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index fa6995d3d..8c5382191 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -716,6 +716,12 @@ class NSSDatabase(object):
 if not bc.value.ca:
 raise ValueError("not a CA certificate")
+ try:
+ cert.extensions.get_extension_for_class(
+ cryptography.x509.SubjectKeyIdentifier)
+ except cryptography.x509.ExtensionNotFound:
+ raise ValueError("missing subject key identifier extension")
+
 try:
 self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
 capture_output=True)
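Review bot: The new `try`/`except` around `get_extension_for_class(cryptography.x509.SubjectKeyIdentifier)` carries no comment saying why the extension is mandatory; the reason (Dogtag copies the CA's SKI into the Authority Key Identifier of each certificate it issues, so signing fails without it, and RFC 5280 section 4.2.1.2 requires SKI on conforming CA certificates) lives only in the commit message. A one-line comment above the `try`, `# Dogtag copies the CA's SKI into issued certs' AKI; signing fails if the CA cert lacks it (RFC 5280 4.2.1.2)`, would keep that rationale next to the check. The `raise ValueError(...)` inside the `except` will, on Python 3, chain the ExtensionNotFound traceback under the ValueError; if this module no longer needs to run on Python 2, `raise ValueError("missing subject key identifier extension") from None` gives the operator a cleaner error, but the hunk does not show which Python versions are targeted. The enclosing method starts and ends outside the hunk.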