freeipa/ipapython
Fraser Tweedale 61e1d7a83b certdb: validate certificate signatures
When verifying a CA certificate, validate its signature.  This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes.  The '-e' option to 'certutil -V' was the
missing ingredient.

As an example of a problem prevented by this change, a certificate
signed by a 1024-bit intermediate CA would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test.  With this change,
ipa-cacert-manage will reject the certificate:

  # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
  Importing the renewed CA certificate, please wait
  CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
  in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
  certificate was signed using a signature algorithm that is
  disabled because it is not secure.

Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 14:19:18 +01:00
install Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
__init__.py Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
admintool.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
certdb.py certdb: validate certificate signatures 2018-11-13 14:19:18 +01:00
config.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
cookie.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
directivesetter.py Py3: Replace six.text_type with str 2018-09-27 16:11:18 +02:00
dn.py Py3: Replace six.text_type with str 2018-09-27 16:11:18 +02:00
dnsutil.py Py3: Replace six.string_types with str 2018-09-27 16:11:18 +02:00
dogtag.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
errors.py Replace StandardError with Exception 2015-09-30 10:51:36 +02:00
graph.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
ipa_log_manager.py Py3: Replace six.string_types with str 2018-09-27 16:11:18 +02:00
ipaldap.py ipaldap: avoid invalid modlist when attribute encoding differs 2018-11-06 10:59:06 +01:00
ipautil.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
ipavalidate.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
kerberos.py Py3: Replace six.bytes_type with bytes 2018-09-27 16:11:18 +02:00
kernel_keyring.py Py3: Replace six.string_types with str 2018-09-27 16:11:18 +02:00
Makefile.am ipapython: fix DEFAULT_PLUGINS in version.py 2017-03-09 18:39:48 +01:00
nsslib.py Remove ipapython.nsslib as it is not used anymore 2017-03-01 09:43:41 +00:00
README Replace DNS client based on acutil with python-dns 2012-05-24 13:55:56 +02:00
session_storage.py Fix pylint warnings inconsistent-return-statements 2017-12-18 11:51:14 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Remove Python 2 support and packages 2018-09-06 17:39:00 +02:00
ssh.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
version.py.in ipapython: fix DEFAULT_PLUGINS in version.py 2017-03-09 18:39:48 +01:00

This is a set of libraries common to IPA clients and servers, though it is
currently geared mostly towards command-line tools.

A brief overview:

config.py - identify the IPA server domain and realm. It uses python-dns to
            try to detect this information first and will fall back to
            /etc/ipa/default.conf if that fails.

ipautil.py - helper functions

entity.py - entity is the main data type. User and Group extend this class
            (but don't add anything currently).

ipavalidate.py - basic data validation routines