Fix CA cert validity check for CA-less and external CA installer options

https://fedorahosted.org/freeipa/ticket/4612 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2024-12-23 07:33:27 -06:00 · 2014-10-07 18:16:53 +02:00 · 2014-10-07 18:16:53 +02:00 · fdc70e89e9
commit fdc70e89e9
parent 284792e7d8
1 changed files with 6 additions and 1 deletions
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@ -494,7 +494,12 @@ class NSSDatabase(object):
            cert = nss.find_cert_from_nickname(nickname)
            if not cert.subject:
                raise ValueError("has empty subject")
-            if not cert.is_ca_cert():
+            try:
+                bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
+            except KeyError:
+                raise ValueError("missing basic constraints")
+            bc = nss.BasicConstraints(bc.value)
+            if not bc.is_ca:
                raise ValueError("not a CA certificate")
            intended_usage = nss.certificateUsageSSLCA
            try: