Fix CA cert validity check for CA-less and external CA installer options

https://fedorahosted.org/freeipa/ticket/4612

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Jan Cholasta 2014-10-07 18:16:53 +02:00 committed by Martin Kosek
parent 284792e7d8
commit fdc70e89e9


@ -494,7 +494,12 @@ class NSSDatabase(object):
cert = nss.find_cert_from_nickname(nickname) cert = nss.find_cert_from_nickname(nickname)
if not cert.subject: if not cert.subject:
raise ValueError("has empty subject") raise ValueError("has empty subject")
if not cert.is_ca_cert(): try:
bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
except KeyError:
raise ValueError("missing basic constraints")
bc = nss.BasicConstraints(bc.value)
if not bc.is_ca:
raise ValueError("not a CA certificate") raise ValueError("not a CA certificate")
intended_usage = nss.certificateUsageSSLCA intended_usage = nss.certificateUsageSSLCA
try: try:
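Review bot: The decode step `bc = nss.BasicConstraints(bc.value)` sits outside the new `try`, so a certificate whose basic constraints extension is present but malformed would presumably surface whatever error python-nss raises while decoding, not the `ValueError` this check uses for every other rejection. It is worth confirming what the caller catches and, if needed, mapping a decode failure to something like `raise ValueError("invalid basic constraints")`. Rebinding `bc` from the extension object to the decoded constraints also makes the block harder to follow; `ext = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)` followed by `bc = nss.BasicConstraints(ext.value)` keeps the two apart. A short comment above the block stating why the extension is inspected directly instead of calling `cert.is_ca_cert()` (the reason is in the linked ticket, not in the code) would help the next reader. The enclosing method starts and ends outside the hunk, so the handling in the following `try:` is not visible here.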