freeipa/ipapython
Florence Blanc-Renaud 64d187e56e NSSDatabase: fix get_trust_chain
In the get_trust_chain method, use certutil -O with the option
--simple-self-signed to make sure that self-signed certs properly
get processed.
Note: this option has been introduced in nss 3.38 and our spec file
already requires nss >= 3.41.

Scenario: when IPA CA is switched from self-signed to externally-signed,
then back to self-signed, the same nickname can be used in
/etc/pki/pki-tomcat/alias for the initial cert and the renewed certs. If
the original and renewed certs are present in the NSS db, running
$ certutil -O -n <IPA CA alias>
produces a complex output like the following (this command is used to find
the trust chain):
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]

  "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

The renewal code is disturbed by this output.
If, on the contrary, certutil -O --simple-self-signed -n <IPA CA alias> is
used to extract the trust chain, the output is as expected for a self-signed
cert:
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

As a result, the scenario self-signed > externally signed > self-signed
works.

Fixes: https://pagure.io/freeipa/issue/7926
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-24 17:18:56 -04:00
..
install Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
__init__.py Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
admintool.py pylint 2.2: Fix unnecessary pass statement 2018-11-26 16:54:43 +01:00
certdb.py NSSDatabase: fix get_trust_chain 2019-05-24 17:18:56 -04:00
config.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
cookie.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
directivesetter.py Py3: Replace six.text_type with str 2018-09-27 16:11:18 +02:00
dn_ctypes.py Load libldap_r-*.so.2 2019-05-14 12:27:55 +02:00
dn.py Make python-ldap optional for PyPI packages 2019-04-26 12:53:23 +02:00
dnsutil.py Py3: Replace six.string_types with str 2018-09-27 16:11:18 +02:00
dogtag.py Send only the path and not the full URI to httplib.request 2019-03-19 11:00:43 -04:00
errors.py Replace StandardError with Exception 2015-09-30 10:51:36 +02:00
graph.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
ipa_log_manager.py Remove deprecated object logger 2019-04-23 12:55:35 +02:00
ipaldap.py Revert "Require a minimum SASL security factor of 56" 2019-05-02 11:39:23 +02:00
ipautil.py Make netifaces optional 2019-04-09 11:28:37 +02:00
ipavalidate.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
kerberos.py Py3: Replace six.bytes_type with bytes 2018-09-27 16:11:18 +02:00
kernel_keyring.py Don't configure KEYRING ccache in containers 2019-01-18 11:33:11 +01:00
Makefile.am ipapython: fix DEFAULT_PLUGINS in version.py 2017-03-09 18:39:48 +01:00
nsslib.py Remove ipapython.nsslib as it is not used anymore 2017-03-01 09:43:41 +00:00
README Replace DNS client based on acutil with python-dns 2012-05-24 13:55:56 +02:00
session_storage.py Fix pylint warnings inconsistent-return-statements 2017-12-18 11:51:14 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Make python-ldap optional for PyPI packages 2019-04-26 12:53:23 +02:00
ssh.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
version.py.in ipapython: fix DEFAULT_PLUGINS in version.py 2017-03-09 18:39:48 +01:00

This is a set of libraries common to IPA clients and servers though mostly
geared currently towards command-line tools.

A brief overview:

config.py - identify the IPA server domain and realm. It uses python-dns to
            try to detect this information first and will fall back to
            /etc/ipa/default.conf if that fails.

ipautil.py - helper functions

entity.py - entity is the main data type. User and Group extend this class
            (but don't add anything currently).

ipavalidate.py - basic data validation routines