On 12/02/2014 01:45 PM, Jan Cholasta wrote:
> Hi,
>
> On 2.12.2014 at 13:16, Tomas Babej wrote:
>> Hi,
>>
>> For CA certificates that are not certificates of the IPA CA, we incorrectly
>> set the trust flags to ",,", regardless of what trust_flags parameter was
>> passed.
>>
>> Make the load_cacert method respect trust_flags and make "C,," the default
>> set of trust flags.
>
> For unknown CA certificates, you must keep the default ",," and
> explicitly override it where necessary. We don't want to trust *any*
> CA certificate to issue server certs.
>
>> https://fedorahosted.org/freeipa/ticket/4779
>
> Honza
Updated patch attached. However, this boils down to the same thing, so there is really no functional difference between the two versions of the patch in the current code base. In all places where load_cacert is called, the trust flags are explicitly overridden.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
>From 55b5f82445c9e0ce45a8c8587fcb7d5c6c5c07b0 Mon Sep 17 00:00:00 2001 From: Tomas Babej <[email protected]> Date: Tue, 2 Dec 2014 13:13:51 +0100 Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert For CA certificates that are not certificates of IPA CA, we incorrectly set the trust flags to ",,", regardless what the actual trust_flags parameter was passed. Make the load_cacert method respect trust_flags and make "C,," default set of trust flags. https://fedorahosted.org/freeipa/ticket/4779 --- ipaserver/install/certs.py | 6 +++--- ipaserver/install/dsinstance.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..6c1537b9c1aff58c56c1d10ada2dfa5deba631ca 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -238,7 +238,7 @@ class CertDB(object): "-k", self.passwd_fname]) self.set_perms(self.pk12_fname) - def load_cacert(self, cacert_fname, trust_flags='C,,'): + def load_cacert(self, cacert_fname, trust_flags=None): """ Load all the certificates from a given file. It is assumed that this file creates CA certificates. @@ -255,10 +255,10 @@ class CertDB(object): (rdn, subject_dn) = get_cert_nickname(cert) if subject_dn == ca_dn: nick = get_ca_nickname(self.realm) - tf = trust_flags + tf = trust_flags or 'C,,' else: nick = str(subject_dn) - tf = ',,' + tf = trust_flags or ',,' self.nssdb.add_cert(cert, nick, tf, pem=True) except RuntimeError: break diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 06c13c21dd3a5ea1e15c0a797a48fd6af02c1bdf..2ca09e7e32cd423ff90c41ad6309fcf0dd099a82 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -840,7 +840,7 @@ class DsInstance(service.Service): certdb.cacert_name = cacert_name status = True try: - certdb.load_cacert(cacert_fname) + certdb.load_cacert(cacert_fname, trust_flags="C,,") except ipautil.CalledProcessError, e: root_logger.critical("Error importing CA cert file named [%s]: %s" % (cacert_fname, str(e))) -- 1.9.3
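Review bot: the docstring under the changed `load_cacert` signature (hunk @@ -238 in certs.py) is not updated for the new `trust_flags=None` default; it should state that None means the IPA CA certificate gets 'C,,' and every other CA certificate in the file gets ',,', and that an explicit value is applied to every certificate in the file, not only the IPA CA. While there, "It is assumed that this file creates CA certificates" reads as if "contains" was meant.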
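Review bot: `tf = trust_flags or 'C,,'` and `tf = trust_flags or ',,'` (hunk @@ -255 in certs.py) test truthiness, so an explicit empty string passed by a caller silently falls back to the defaults instead of reaching `self.nssdb.add_cert`. If the intent is "None means default", test identity instead, e.g. `tf = 'C,,' if trust_flags is None else trust_flags` in the IPA CA branch and the same pattern with ',,' in the else branch, so only None triggers the fallback. The else branch now also applies any caller-supplied flags to every non-IPA CA in the file, where the old code always used ',,'; the ',,' default keeps the behaviour Honza asked for when callers pass nothing, but each caller that passes flags explicitly now widens trust for the whole file.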
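Review bot: passing `trust_flags="C,,"` in dsinstance.py keeps the previous default for the IPA CA but, combined with the certs.py change, also marks any other CA certificate found in `cacert_fname` as trusted to issue server certificates, which the removed `tf = ',,'` line never did. A short comment stating why every certificate in this file is expected to carry 'C,,' (or a check that the file holds only the IPA CA chain) would make that intent explicit. Minor: certs.py uses single quotes for 'C,,'; keep the quote style consistent across the patch.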
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
