URL: https://github.com/freeipa/freeipa/pull/1094
Author: stlaz
Title: #1094: [Backport][ipa-4-6] Don't write p11-kit EKU extension object if no EKU
Action: opened

PR body:
This PR was opened automatically because PR #1090 was pushed to master and backport to ipa-4-6 is required.

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1094/head:pr1094
git checkout pr1094
From d0a93d4b61d770bfcfe4f37d808d643928e5d11c Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 18 Sep 2017 16:28:10 +0200
Subject: [PATCH] Don't write p11-kit EKU extension object if no EKU

b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

 ipalib/x509.py              | 5 ++++-
 ipaplatform/redhat/tasks.py | 5 +++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 857245aa31..0b3a423ce3 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -295,8 +295,11 @@ def extended_key_usage(self):
     def extended_key_usage_bytes(self):
+        eku = self.extended_key_usage
+        if eku is None:
+            return
         ekurfc = rfc2459.ExtKeyUsageSyntax()
-        eku = self.extended_key_usage or {EKU_PLACEHOLDER}
         for i, oid in enumerate(eku):
             ekurfc[i] = univ.ObjectIdentifier(oid)
         ekurfc = encoder.encode(ekurfc)
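Review bot: the bare `return` at the top of `extended_key_usage_bytes` changes the method's contract from always-bytes to bytes-or-None without saying so; make it an explicit `return None`, document the None case in the method's docstring, and check for callers other than the tasks.py site in this patch that still assume they receive bytes (the removed `or {EKU_PLACEHOLDER}` fallback was what guaranteed that).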
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 99f04353c3..e3bb1271e6 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -257,7 +257,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
         has_eku = set()
-        for cert, nickname, trusted, ext_key_usage in ca_certs:
+        for cert, nickname, trusted, _ext_key_usage in ca_certs:
                 subject = cert.subject_bytes
                 issuer = cert.issuer_bytes
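Review bot: renaming the unpacked value to `_ext_key_usage` means `ext_key_usage` is no longer bound at the start of each loop iteration; it is only assigned inside the conditional in the next hunk, so verify that every later reference to `ext_key_usage` in the loop body sits inside that `if` block, otherwise a certificate without an EKU would hit an unbound name or silently reuse the previous iteration's value. The fourth tuple element is now unused here, so consider whether the callers that build `ca_certs` still need to supply it.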
@@ -296,7 +296,8 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-            if ext_key_usage is not None and public_key_info not in has_eku:
+            if (cert.extended_key_usage is not None and
+                    public_key_info not in has_eku):
                     ext_key_usage = cert.extended_key_usage_bytes
                 except PyAsn1Error as e:
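Review bot: `cert.extended_key_usage` is now evaluated in the `if` condition, outside the `try`/`except PyAsn1Error` that protects the `extended_key_usage_bytes` call on the following line, and the same extension is then parsed a second time inside that call; confirm the property cannot raise on a malformed extension (or read it once into a local under the `try`) and reuse that local instead of parsing twice. Skipping the p11-kit extension object entirely for a CA with no EKU is what the commit message intends, so a test asserting that no EKU object is written for such a CA while one still is for a CA that carries an EKU would pin that behaviour down.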
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org