On 7.10.2014 at 18:22 Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4612>.
>
> Honza

Attached a patch with a proper fix.

--
Jan Cholasta
From 97ce0324d02bb07fc1e012d9b0441bbef399449a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 7 Oct 2014 18:16:53 +0200
Subject: [PATCH] Fix CA cert validity check for CA-less and external CA
 installer options

https://fedorahosted.org/freeipa/ticket/4612
---
 ipapython/certdb.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4645b40..5a6e494 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -494,7 +494,12 @@ class NSSDatabase(object):
             cert = nss.find_cert_from_nickname(nickname)
             if not cert.subject:
                 raise ValueError("has empty subject")
-            if not cert.is_ca_cert():
+            try:
+                bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
+            except KeyError:
+                raise ValueError("missing basic constraints")
+            bc = nss.BasicConstraints(bc.value)
+            if not bc.is_ca:
                 raise ValueError("not a CA certificate")
             intended_usage = nss.certificateUsageSSLCA
             try:
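Review bot: the commit message should say why `cert.is_ca_cert()` gave the wrong answer for the CA-less and external CA installer options, and that the new check rejects any certificate that carries no basicConstraints extension at all ("missing basic constraints"), since that is a user-visible behaviour change for anyone importing such a CA certificate; a sentence above the ticket URL would do. Two smaller points on the hunk itself: `bc` is bound first to the extension object and then rebound to the parsed `nss.BasicConstraints(bc.value)`, which is easy to misread, so consider `ext = cert.get_extension(...)` followed by `bc = nss.BasicConstraints(ext.value)`; and the `except KeyError` relies on `get_extension` signalling an absent extension with KeyError, which is worth confirming against the python-nss version IPA requires, otherwise the missing-extension case surfaces as an unhandled exception instead of the intended ValueError.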
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel