Add Subject Key Identifier to CA cert validity check

CA certificates MUST have the Subject Key Identifier extension to
facilitiate certification path construction.  Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.

When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.

Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Fraser Tweedale 2017-05-25 15:42:58 +10:00 committed by Martin Basti
parent d73ec06cb3
commit bc6d499514

View File

@ -716,6 +716,12 @@ class NSSDatabase(object):
if not bc.value.ca:
raise ValueError("not a CA certificate")
try:
cert.extensions.get_extension_for_class(
cryptography.x509.SubjectKeyIdentifier)
except cryptography.x509.ExtensionNotFound:
raise ValueError("missing subject key identifier extension")
try:
self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
capture_output=True)