URL: https://github.com/freeipa/freeipa/pull/963
Author: rcritten
 Title: #963: Include the CA basic constraint in CSRs when renewing a CA
Action: opened

PR body:
"""
The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:

  X509v3 Basic Constraints: critical
      CA:TRUE

Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.

Note that this also sets pathlen to -1 which means an unlimited
pathlen. Leave it up to the issuing CA to set this.

https://pagure.io/freeipa/issue/7088
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/963/head:pr963
git checkout pr963
From fb672013196f465ff42a155420f4ff92742dafa0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 9 Aug 2017 17:28:35 -0400
Subject: [PATCH] Include the CA basic constraint in CSRs when renewing a CA

The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:

  X509v3 Basic Constraints: critical
      CA:TRUE

Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.

Note that this also sets pathlen to -1 which means an unlimited
pathlen. Leave it up to the issuing CA to set this.

https://pagure.io/freeipa/issue/7088
---
 ipalib/install/certmonger.py           | 13 +++++++++++--
 ipaserver/install/ipa_cacert_manage.py |  3 ++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 13c68894d6..7ceeee3f16 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -519,16 +519,25 @@ def modify(request_id, ca=None, profile=None):
         request.obj_if.modify(update)
 
 
-def resubmit_request(request_id, ca=None, profile=None):
+def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
+    """
+    :param request_id: the certmonger numeric request ID
+    :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
+    :param profile: the dogtag template profile to use, e.g. SubCA
+    :param is_ca: boolean that if True adds the CA basic constraint
+    """
     request = _get_request({'nickname': request_id})
     if request:
-        if ca or profile:
+        if ca or profile or is_ca:
             update = {}
             if ca is not None:
                 cm = _certmonger()
                 update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
             if profile is not None:
                 update['template-profile'] = profile
+            if is_ca:
+                update['template-is-ca'] = True
+                update['template-ca-path-length'] = -1  # no path length
             request.obj_if.modify(update)
         request.obj_if.resubmit()
 
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 24ef86fe1d..86243d342b 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -303,7 +303,8 @@ def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent', profile=''):
         timeout = api.env.startup_timeout + 60
 
         logger.debug("resubmitting certmonger request '%s'", self.request_id)
-        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
+        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile,
+                                    is_ca=True)
         try:
             state = certmonger.wait_for_request(self.request_id, timeout)
         except RuntimeError:
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to