On 12/02/2014 01:45 PM, Jan Cholasta wrote:
> Hi,
>
> Dne 2.12.2014 v 13:16 Tomas Babej napsal(a):
>> Hi,
>>
>> For CA certificates that are not certificates of IPA CA, we incorrectly
>> set the trust flags to ",,", regardless what the actual trust_flags
>> parameter was passed.
>>
>> Make the load_cacert method respect trust_flags and make "C,," default
>> set of trust flags.
>
> For unknown CA certificates, you must keep the default ",," and
> explicitly override it where necessary. We don't want to trust *any*
> CA certificate to issue server certs.
>
>>
>> https://fedorahosted.org/freeipa/ticket/4779
>
> Honza

Updated patch attached.

However, this boils down to the same, so there is really no functional
difference between the two versions of the patches in the current code
base. All places where load_cacert is called, the trust flags are
explicitly overriden.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

>From 55b5f82445c9e0ce45a8c8587fcb7d5c6c5c07b0 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 2 Dec 2014 13:13:51 +0100
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert

For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.

Make the load_cacert method respect trust_flags and make "C,," default
set of trust flags.

https://fedorahosted.org/freeipa/ticket/4779
---
 ipaserver/install/certs.py      | 6 +++---
 ipaserver/install/dsinstance.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..6c1537b9c1aff58c56c1d10ada2dfa5deba631ca 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
                          "-k", self.passwd_fname])
             self.set_perms(self.pk12_fname)
 
-    def load_cacert(self, cacert_fname, trust_flags='C,,'):
+    def load_cacert(self, cacert_fname, trust_flags=None):
         """
         Load all the certificates from a given file. It is assumed that
         this file creates CA certificates.
@@ -255,10 +255,10 @@ class CertDB(object):
                 (rdn, subject_dn) = get_cert_nickname(cert)
                 if subject_dn == ca_dn:
                     nick = get_ca_nickname(self.realm)
-                    tf = trust_flags
+                    tf = trust_flags or 'C,,'
                 else:
                     nick = str(subject_dn)
-                    tf = ',,'
+                    tf = trust_flags or ',,'
                 self.nssdb.add_cert(cert, nick, tf, pem=True)
             except RuntimeError:
                 break
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 06c13c21dd3a5ea1e15c0a797a48fd6af02c1bdf..2ca09e7e32cd423ff90c41ad6309fcf0dd099a82 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -840,7 +840,7 @@ class DsInstance(service.Service):
         certdb.cacert_name = cacert_name
         status = True
         try:
-            certdb.load_cacert(cacert_fname)
+            certdb.load_cacert(cacert_fname, trust_flags="C,,")
         except ipautil.CalledProcessError, e:
             root_logger.critical("Error importing CA cert file named [%s]: %s" %
                                          (cacert_fname, str(e)))
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to