Add Subject Key Identifier to CA cert validity check

CA certificates MUST have the Subject Key Identifier extension to
facilitate certification path construction.  Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.

When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.

Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
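The check described in the commit message, and the signing-side failure it is meant to prevent, as an added example that is not FreeIPA or Dogtag code. It assumes the `cryptography` package (the same library the patched `NSSDatabase` code uses) and builds two self-signed CA certificates in memory, one with a Subject Key Identifier and one without. `check_ca_cert` mirrors the patched validation; `issue_leaf` stands in for a signer such as Dogtag and copies the issuer's SKI into the new certificate's Authority Key Identifier, so it fails on the SKI-less CA exactly where the commit message says Dogtag does. The function names, the "missing basic constraints" message and the certificate names are this example's own.

```python
"""Added example (not FreeIPA/Dogtag code): SKI presence check on a CA
certificate, and the SKI -> AKI copy that breaks when the SKI is absent.
Assumes the `cryptography` package; all certificates are constructed here."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

_NOW = datetime.datetime(2017, 5, 25, tzinfo=datetime.timezone.utc)


def _make_ca(name, with_ski):
    """Constructed test data: a self-signed CA cert, optionally with SKI."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_NOW)
        .not_valid_after(_NOW + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                       critical=True)
    )
    if with_ski:
        # RFC 5280 4.2.1.2: CA certificates must carry this extension.
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
            critical=False)
    return key, builder.sign(key, hashes.SHA256())


def check_ca_cert(cert):
    """Mirror of the patched FreeIPA check: CA flag set and SKI present.
    Raises ValueError with the same wording the patch uses for SKI."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        raise ValueError("missing basic constraints")  # this example's own
    if not bc.value.ca:
        raise ValueError("not a CA certificate")
    try:
        cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        raise ValueError("missing subject key identifier extension")
    return True


def issue_leaf(ca_key, ca_cert, common_name):
    """Stand-in for the signer: copy the CA's SKI into the leaf's AKI.
    With no SKI on the CA there is nothing to copy, hence the failure."""
    try:
        ski = ca_cert.extensions.get_extension_for_class(
            x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        raise ValueError("issuer has no Subject Key Identifier to copy into AKI")
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME,
                                                    common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_NOW)
        .not_valid_after(_NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                       critical=True)
        # AKI.keyIdentifier is byte-for-byte the issuer's SKI value.
        .add_extension(x509.AuthorityKeyIdentifier(
            key_identifier=ski.value.digest,
            authority_cert_issuer=None,
            authority_cert_serial_number=None), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def demo():
    """Run both CA certs through the check and through signing."""
    good_key, good_ca = _make_ca("Good CA", with_ski=True)
    bad_key, bad_ca = _make_ca("Bad CA", with_ski=False)
    result = {"good_ca_ok": check_ca_cert(good_ca)}
    try:
        check_ca_cert(bad_ca)
        result["bad_ca_error"] = None
    except ValueError as e:
        result["bad_ca_error"] = str(e)
    leaf = issue_leaf(good_key, good_ca, "host.example.test")
    aki = leaf.extensions.get_extension_for_class(
        x509.AuthorityKeyIdentifier).value
    ski = good_ca.extensions.get_extension_for_class(
        x509.SubjectKeyIdentifier).value
    result["aki_matches_ski"] = aki.key_identifier == ski.digest
    try:
        issue_leaf(bad_key, bad_ca, "host.example.test")
        result["sign_error"] = None
    except ValueError as e:
        result["sign_error"] = str(e)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Running the block shows the SKI-less CA rejected up front by `check_ca_cert`, while `issue_leaf` on that same CA fails later at signing time; the point of the patch is to turn the second failure into the first.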
Fraser Tweedale 2017-05-25 15:42:58 +10:00 committed by Martin Basti
parent d73ec06cb3
commit bc6d499514


@ -716,6 +716,12 @@ class NSSDatabase(object):
if not bc.value.ca: if not bc.value.ca:
raise ValueError("not a CA certificate") raise ValueError("not a CA certificate")
try:
cert.extensions.get_extension_for_class(
cryptography.x509.SubjectKeyIdentifier)
except cryptography.x509.ExtensionNotFound:
raise ValueError("missing subject key identifier extension")
try: try:
self.run_certutil(['-V', '-n', nickname, '-u', 'L'], self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
capture_output=True) capture_output=True)
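Review bot: the new `raise ValueError("missing subject key identifier extension")` in this hunk tells an administrator installing an externally-signed CA neither which certificate failed nor what the requirement is; `nickname` is already in scope for the `certutil -V` call right below, so a message along the lines of `"CA certificate %s lacks the Subject Key Identifier extension required of CA certificates" % nickname` would be more actionable. If this module is Python 3 only, `raise ValueError(...) from None` inside the `except cryptography.x509.ExtensionNotFound:` block would also drop the chained `ExtensionNotFound` traceback, matching how the preceding `not a CA certificate` error surfaces as a single exception.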