Fix CA cert validity check for CA-less and external CA installer options
https://fedorahosted.org/freeipa/ticket/4612 Reviewed-By: Martin Kosek <mkosek@redhat.com>
parent
284792e7d8
commit
fdc70e89e9
@ -494,7 +494,12 @@ class NSSDatabase(object):
|
|||||||
cert = nss.find_cert_from_nickname(nickname)
|
cert = nss.find_cert_from_nickname(nickname)
|
||||||
if not cert.subject:
|
if not cert.subject:
|
||||||
raise ValueError("has empty subject")
|
raise ValueError("has empty subject")
|
||||||
if not cert.is_ca_cert():
|
try:
|
||||||
|
bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
|
||||||
|
except KeyError:
|
||||||
|
raise ValueError("missing basic constraints")
|
||||||
|
bc = nss.BasicConstraints(bc.value)
|
||||||
|
if not bc.is_ca:
|
||||||
raise ValueError("not a CA certificate")
|
raise ValueError("not a CA certificate")
|
||||||
intended_usage = nss.certificateUsageSSLCA
|
intended_usage = nss.certificateUsageSSLCA
|
||||||
try:
|
try:
|
||||||
|
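Review bot: The decode step `bc = nss.BasicConstraints(bc.value)` sits outside the `try`, so only a missing extension is turned into a `ValueError`; if the extension is present but its value cannot be decoded, whatever error the NSS binding raises would presumably propagate past callers that expect `ValueError` for a rejected certificate. Because the certificate here apparently comes from a file supplied to the CA-less or external-CA installer, consider decoding inside the guarded block and raising `ValueError("invalid basic constraints")` on failure. A short comment above the new `try:` saying why an explicit basic-constraints CA flag is required instead of `cert.is_ca_cert()` would also help, since the reason is only in the linked ticket. The enclosing method starts before and continues after this hunk, so the later verification that uses `nss.certificateUsageSSLCA` is not visible here.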