URL: https://github.com/freeipa/freeipa/pull/2554 Author: frasertweedale Title: #2554: certdb: validate certificate signatures Action: opened
PR body: """
When verifying a CA certificate, validate its signature. This causes FreeIPA to reject certificate chains with bad signatures, signatures using unacceptable algorithms, or certificates with unacceptable key sizes. The '-e' option to 'certutil -V' was the missing ingredient.

As an example of a problem prevented by this change, a certificate signed by a 1024-bit intermediate CA would previously have been imported by ipa-cacert-manage, but would cause Dogtag startup failure due to failing self-test. With this change, ipa-cacert-manage will reject the certificate:

# ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
Importing the renewed CA certificate, please wait
CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455 in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.

Fixes: https://pagure.io/freeipa/issue/7761
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2554/head:pr2554
git checkout pr2554
From 73df562bb5e1d89cb7f5cb14c76b58072ca985f0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <[email protected]> Date: Tue, 13 Nov 2018 14:29:15 +1100 Subject: [PATCH 1/2] Print correct subject on CA cert verification failure In load_external_cert(), if verification fails for a certificate in the trust chain, the error message contains the last subject name from a previous iteration of the trust chain, instead of the subject name of the current certificate. To report the correct subject, look it up using the current nickname. Part of: https://pagure.io/freeipa/issue/7761 --- ipaserver/install/installutils.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 8ce6b52962..b0e8f93bf4 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -1043,6 +1043,7 @@ def load_external_cert(files, ca_subject): try: nssdb.verify_ca_cert_validity(nickname) except ValueError as e: + cert, subject, issuer = cache[nickname] raise ScriptError( "CA certificate %s in %s is not valid: %s" % (subject, ", ".join(files), e)) From 8ecb33ef8b6041b2f56915b4ea3f7cef08368993 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale <[email protected]> Date: Tue, 13 Nov 2018 15:49:49 +1100 Subject: [PATCH 2/2] certdb: validate certificate signatures When verifying a CA certificate, validate its signature. This causes FreeIPA to reject certificate chains with bad signatures, signatures using unacceptable algorithms, or certificates with unacceptable key sizes. The '-e' option to 'certutil -V' was the missing ingredient. As an example of a problem prevented by this change, a certificate signed by a 1024-bit intermediate CA would previously have been imported by ipa-cacert-manage, but would cause Dogtag startup failure due to failing self-test. With this change, ipa-cacert-manage will reject the certificate: # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7 Importing the renewed CA certificate, please wait CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455 in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure. Fixes: https://pagure.io/freeipa/issue/7761 --- ipapython/certdb.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index ba7d0afe5e..b84d7d3b79 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -933,8 +933,15 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("subject key identifier must not be empty") try: - self.run_certutil(['-V', '-n', nickname, '-u', 'L'], - capture_output=True) + self.run_certutil( + [ + '-V', # check validity of cert and attrs + '-n', nickname, + '-u', 'L', # usage; 'L' means "SSL CA" + '-e', # check signature(s); this checks + # key sizes, sig algorithm, etc. + ], + capture_output=True) except ipautil.CalledProcessError as e: # certutil output in case of error is # 'certutil: certificate is invalid: <ERROR_STRING>\n'
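Review bot: in the installutils.py hunk, the added `cert, subject, issuer = cache[nickname]` binds `cert` and `issuer` that the following `raise ScriptError(...)` never uses, which pylint reports as unused-variable; `subject = cache[nickname][1]` or `_cert, subject, _issuer = cache[nickname]` keeps the fix and avoids the warning. The lookup itself is the right correction: the `subject` visible to the except block is whatever the surrounding loop last assigned, not the certificate whose `nickname` just failed `verify_ca_cert_validity`.

Review bot: in the certdb.py hunk, the comment on `'-e'` should say where the key-size and algorithm thresholds come from. certutil enforces NSS's algorithm and key-size policy, which on Fedora and RHEL is driven by the system-wide crypto policy, so the same external chain can import on one host and fail with "signed using a signature algorithm that is disabled" on another; a sentence in the comment and an operator-facing hint in the ValueError raised from this except block would save support time. The patch also adds no test for the new rejection path (only ipapython/certdb.py changes): an ipatests case that runs verify_ca_cert_validity against a chain with a weak intermediate, such as the 1024-bit one from the commit message, and asserts ValueError would both guard the behaviour and confirm that the parser below, which expects 'certutil: certificate is invalid: <ERROR_STRING>\n', still matches certutil's output once -e is passed.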
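What the new `-e` option buys, as an added example that is not FreeIPA or NSS code: the checks below reimplement in Python, with the `cryptography` package, the four things `certutil -V -u L -e` ends up enforcing on a CA chain (the signature really verifies against the issuer key, the signature hash is acceptable, the RSA modulus meets a minimum size, and basicConstraints marks the certificate as a CA). The chain is built in memory so the script runs offline. `MIN_RSA_BITS`, `ALLOWED_HASHES`, the names and the problem strings are assumptions for illustration; NSS reads its real policy from the host configuration and its error text is not reproduced.

```python
"""Chain policy check mirroring what 'certutil -V -u L -e' enforces.

Added example (not FreeIPA or NSS code).  Builds a throwaway CA chain in
memory with the 'cryptography' package and runs policy checks over it.
MIN_RSA_BITS and ALLOWED_HASHES are assumed values for illustration;
NSS reads its real policy from the host configuration.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048                                              # assumed policy
ALLOWED_HASHES = (hashes.SHA256, hashes.SHA384, hashes.SHA512)  # assumed policy


def make_ca(cn, key_bits, issuer=None):
    """Return (cert, key) for a CA certificate.

    issuer is a (cert, key) pair that signs the new certificate, or None
    for a self-signed root.  Passing a key that does not belong to the
    issuer certificate yields a certificate with a bad signature.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (issuer[0].subject, issuer[1]) if issuer else (name, key)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )
    return cert, key


def check_chain(chain):
    """Return policy violations for a chain ordered leaf-first and ending
    with the self-signed root; an empty list means the chain is acceptable."""
    problems = []
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # root signs itself
        who = cert.subject.rfc4514_string()

        # 1. The signature was really made by the issuer's key (the '-e' part).
        try:
            issuer.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            problems.append(f"{who}: signature does not verify against issuer key")

        # 2. Signature hash is on the allow-list (an MD5 or SHA-1 signature fails here).
        if not isinstance(cert.signature_hash_algorithm, ALLOWED_HASHES):
            problems.append(f"{who}: signature hash {cert.signature_hash_algorithm.name} not allowed")

        # 3. RSA modulus meets the minimum size.
        pub = cert.public_key()
        if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
            problems.append(f"{who}: RSA key is {pub.key_size} bits, minimum is {MIN_RSA_BITS}")

        # 4. The certificate may act as a CA at all (the '-u L' part).
        try:
            is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
        except x509.ExtensionNotFound:
            is_ca = False
        if not is_ca:
            problems.append(f"{who}: basicConstraints does not mark it as a CA")
    return problems


def build_demo():
    """Three constructed chains: acceptable, a 1024-bit intermediate, and an
    intermediate that names the root as issuer but was signed by another key."""
    root = make_ca("Root CA", 2048)
    good_inter, _ = make_ca("Intermediate CA", 2048, issuer=root)
    weak_inter, _ = make_ca("Intermediate CA", 1024, issuer=root)
    _, rogue_key = make_ca("Rogue CA", 2048)
    forged_inter, _ = make_ca("Intermediate CA", 2048, issuer=(root[0], rogue_key))
    return {
        "good": check_chain([good_inter, root[0]]),
        "weak_key": check_chain([weak_inter, root[0]]),
        "bad_signature": check_chain([forged_inter, root[0]]),
    }


if __name__ == "__main__":
    for label, problems in build_demo().items():
        print(label, "->", problems or "OK")
```

The 1024-bit case is the one from the PR description: without the signature check the weak intermediate looks like any other CA certificate and is only caught later, by Dogtag's self-test; with it the chain is refused at import time. The forged case shows the other half of `-e`: a certificate whose issuer name is correct but whose signature was not made by that issuer's key.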
_______________________________________________ FreeIPA-devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
