URL: https://github.com/freeipa/freeipa/pull/2556 Author: tiran Title: #2556: certdb: validate server cert signature Action: opened
PR body:
"""
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA cert validation. Let's also verify signature, key size, and signing algorithm of server certs. With the '-e' option, the installer and other tools will catch weak certs early.

Fixes: pagure.io/freeipa/issue/7761

Signed-off-by: Christian Heimes <[email protected]>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2556/head:pr2556
git checkout pr2556
From 30db820afd7a5c089445363d964ee541bba994f5 Mon Sep 17 00:00:00 2001 From: Christian Heimes <[email protected]> Date: Tue, 13 Nov 2018 12:21:21 +0100 Subject: [PATCH] certdb: validate server cert signature PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA cert validation. Let's also verify signature, key size, and signing algorithm of server certs. With the '-e' option, the installer and other tools will catch weak certs early. Fixes: pagure.io/freeipa/issue/7761 Signed-off-by: Christian Heimes <[email protected]> --- ipapython/certdb.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index ba7d0afe5e..623a282308 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -896,8 +896,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = self.get_cert(nickname) try: - self.run_certutil(['-V', '-n', nickname, '-u', 'V'], - capture_output=True) + self.run_certutil( + [ + '-V', # check validity of cert and attrs + '-n', nickname, + '-u', 'V', # usage; 'V' means "SSL server" + '-e', # check signature(s); this checks + # key sizes, sig algorithm, etc. + ], + capture_output=True) except ipautil.CalledProcessError as e: # certutil output in case of error is # 'certutil: certificate is invalid: <ERROR_STRING>\n'
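Review bot: the except branch right after the hunk parses certutil's failure output as 'certutil: certificate is invalid: <ERROR_STRING>', and adding '-e' introduces new failure strings (signature verification, disabled signature algorithm, rejected key size) that this patch neither maps to a friendlier message nor covers with a test. Suggest adding a test that runs verify_server_cert_validity against a certificate whose signature or key the NSS policy rejects and asserts on the reported reason, so the installer surfaces a useful error instead of a raw NSS string. The inline comment ("this checks key sizes, sig algorithm, etc.") also credits '-e' with more than it does on its own: '-e' turns on signature checking, and the key-size and algorithm rejections follow from the NSS algorithm policy in effect on the host (the system crypto policy on Fedora/RHEL), so results vary with that policy; stating this in the comment, and noting in the commit message that certificates accepted by earlier installers (for instance chains signed with an algorithm the policy now disables) will start failing, would make the behaviour change explicit for packagers and users.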
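An added example (not FreeIPA project code, and not part of this PR) showing how the certutil invocation from the patch can be driven and its failure output parsed. It uses only the certutil flags visible in the hunk ('-V', '-n', '-u V', '-e'); the runner injection, the fake_certutil helper and its sample output lines are constructed here so the example runs offline without an NSS database. The error texts in the fake output are constructed to mimic the 'certutil: certificate is invalid: <ERROR_STRING>' format quoted in the patch, not captured from a real certutil run.

```python
"""Drive `certutil -V ... -e` and parse its result (added example, not
FreeIPA code).  The real runner shells out to certutil; the fake runner
below is constructed so the example runs without an NSS database."""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# Prefix certutil prints before the NSS error string when validation fails
# (the format the patch's except branch parses).
INVALID_PREFIX = "certutil: certificate is invalid: "

Runner = Callable[[Sequence[str]], Tuple[int, str]]


@dataclass
class VerifyResult:
    valid: bool
    reason: Optional[str]   # NSS error text, None when the cert is valid
    argv: List[str]         # command line that was run


def build_certutil_args(dbdir: str, nickname: str, usage: str = "V",
                        check_signature: bool = True) -> List[str]:
    """Build the certutil command line.

    -V   validate the certificate and its attributes
    -u V usage "SSL server"
    -e   verify the signature(s) in the chain (what the patch adds); the
         NSS algorithm policy is applied during that verification
    """
    args = ["certutil", "-d", dbdir, "-V", "-n", nickname, "-u", usage]
    if check_signature:
        args.append("-e")
    return args


def run_certutil(argv: Sequence[str]) -> Tuple[int, str]:
    """Real runner: execute certutil and return (exit code, combined output)."""
    proc = subprocess.run(list(argv), capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout + proc.stderr


def parse_invalid_reason(output: str) -> Optional[str]:
    """Extract <ERROR_STRING> from certutil's failure output, if present."""
    for line in output.splitlines():
        if line.startswith(INVALID_PREFIX):
            return line[len(INVALID_PREFIX):].strip()
    return None


def verify_server_cert(dbdir: str, nickname: str, runner: Runner = run_certutil,
                       check_signature: bool = True) -> VerifyResult:
    """Validate `nickname` as an SSL server cert, with signature checking."""
    argv = build_certutil_args(dbdir, nickname, check_signature=check_signature)
    rc, output = runner(argv)
    if rc == 0:
        return VerifyResult(True, None, argv)
    reason = parse_invalid_reason(output) or output.strip() or "unknown certutil error"
    return VerifyResult(False, reason, argv)


# Constructed fake runner: maps a nickname to (exit code, output).  The
# "weak-cert" text imitates the NSS error format; it is sample data, not
# output captured from certutil.
_FAKE_DB = {
    "Server-Cert": (0, "certutil: certificate is valid\n"),
    "weak-cert": (255, INVALID_PREFIX + "The certificate was signed using a "
                  "signature algorithm that is disabled because it is not secure.\n"),
}


def fake_certutil(argv: Sequence[str]) -> Tuple[int, str]:
    """Constructed stand-in for certutil that answers from _FAKE_DB."""
    nickname = list(argv)[list(argv).index("-n") + 1]
    return _FAKE_DB.get(nickname, (255, INVALID_PREFIX + "Certificate not found.\n"))


if __name__ == "__main__":
    for nick in ("Server-Cert", "weak-cert", "missing"):
        res = verify_server_cert("/etc/httpd/alias", nick, runner=fake_certutil)
        print(nick, "valid" if res.valid else "invalid: " + res.reason)
```

Because the runner is injectable, the same parse path can be exercised in a unit test with constructed certutil output, which is the kind of coverage the patch's new failure modes would need; in production, pass the default run_certutil and a real NSS database directory.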
_______________________________________________
FreeIPA-devel mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
