mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Add Subject Key Identifier to CA cert validity check
CA certificates MUST have the Subject Key Identifier extension to facilitiate certification path construction. Not having this extension on the IPA CA certificate will cause failures in Dogtag during signing; it tries to copy the CA's Subject Key Identifier to the new certificate's Authority Key Identifier extension, which fails. When installing an externally-signed CA, check that the Subject Key Identifier extension is present in the CA certificate. Fixes: https://pagure.io/freeipa/issue/6976 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
parent
d73ec06cb3
commit
bc6d499514
@ -716,6 +716,12 @@ class NSSDatabase(object):
|
|||||||
if not bc.value.ca:
|
if not bc.value.ca:
|
||||||
raise ValueError("not a CA certificate")
|
raise ValueError("not a CA certificate")
|
||||||
|
|
||||||
|
try:
|
||||||
|
cert.extensions.get_extension_for_class(
|
||||||
|
cryptography.x509.SubjectKeyIdentifier)
|
||||||
|
except cryptography.x509.ExtensionNotFound:
|
||||||
|
raise ValueError("missing subject key identifier extension")
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
|
self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
|
||||||
capture_output=True)
|
capture_output=True)
|
||||||
|
Loading…
Reference in New Issue
Block a user