mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
61e1d7a83b
When verifying a CA certificate, validate its signature. This causes FreeIPA to reject certificate chains with bad signatures, signatures using unacceptable algorithms, or certificates with unacceptable key sizes. The '-e' option to 'certutil -V' was the missing ingredient. An an example of a problem prevented by this change, a certifiate signed by a 1024-bit intermediate CA, would previously have been imported by ipa-cacert-manage, but would cause Dogtag startup failure due to failing self-test. With this change, ipa-cacert-manage will reject the certificate: # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7 Importing the renewed CA certificate, please wait CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455 in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure. Fixes: https://pagure.io/freeipa/issue/7761 Reviewed-By: Christian Heimes <cheimes@redhat.com> |
||
---|---|---|
.. | ||
install | ||
__init__.py | ||
admintool.py | ||
certdb.py | ||
config.py | ||
cookie.py | ||
directivesetter.py | ||
dn.py | ||
dnsutil.py | ||
dogtag.py | ||
errors.py | ||
graph.py | ||
ipa_log_manager.py | ||
ipaldap.py | ||
ipautil.py | ||
ipavalidate.py | ||
kerberos.py | ||
kernel_keyring.py | ||
Makefile.am | ||
nsslib.py | ||
README | ||
session_storage.py | ||
setup.cfg | ||
setup.py | ||
ssh.py | ||
version.py.in |
This is a set of libraries common to IPA clients and servers though mostly geared currently towards command-line tools. A brief overview: config.py - identify the IPA server domain and realm. It uses python-dns to try to detect this information first and will fall back to /etc/ipa/default.conf if that fails. ipautil.py - helper functions entity.py - entity is the main data type. User and Group extend this class (but don't add anything currently). ipavalidate.py - basic data validation routines