On 12/02/2014 02:02 PM, Jan Cholasta wrote:
> Dne 2.12.2014 v 13:55 Tomas Babej napsal(a):
>>
>> On 12/02/2014 01:45 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 2.12.2014 v 13:16 Tomas Babej napsal(a):
>>>> Hi,
>>>>
>>>> For CA certificates that are not certificates of IPA CA, we
>>>> incorrectly
>>>> set the trust flags to ",,", regardless what the actual trust_flags
>>>> parameter was passed.
>>>>
>>>> Make the load_cacert method respect trust_flags and make "C,," default
>>>> set of trust flags.
>>>
>>> For unknown CA certificates, you must keep the default ",," and
>>> explicitly override it where necessary. We don't want to trust *any*
>>> CA certificate to issue server certs.
>>>
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4779
>>>
>>> Honza
>>
>> Updated patch attached.
>>
>> However, this boils down to the same, so there is really no functional
>> difference between the two versions of the patches in the current code
>> base. All places where load_cacert is called, the trust flags are
>> explicitly overriden.
>>
>
> OK, then we don't need a default value at all.
>

Updated patch makes trust_flags a required argument of load_cacert.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

>From a087bda498e10b1e923f2882522b42fa7d8f8239 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 2 Dec 2014 13:13:51 +0100
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert

For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.

Make the load_cacert method respect trust_flags and make it a required
argument.

https://fedorahosted.org/freeipa/ticket/4779
---
 ipaserver/install/certs.py      | 6 ++----
 ipaserver/install/dsinstance.py | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..7292cbbe3574f57d32daa6f1e310669486fa5eff 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
                          "-k", self.passwd_fname])
             self.set_perms(self.pk12_fname)
 
-    def load_cacert(self, cacert_fname, trust_flags='C,,'):
+    def load_cacert(self, cacert_fname, trust_flags):
         """
         Load all the certificates from a given file. It is assumed that
         this file creates CA certificates.
@@ -255,11 +255,9 @@ class CertDB(object):
                 (rdn, subject_dn) = get_cert_nickname(cert)
                 if subject_dn == ca_dn:
                     nick = get_ca_nickname(self.realm)
-                    tf = trust_flags
                 else:
                     nick = str(subject_dn)
-                    tf = ',,'
-                self.nssdb.add_cert(cert, nick, tf, pem=True)
+                self.nssdb.add_cert(cert, nick, trust_flags, pem=True)
             except RuntimeError:
                 break
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 06c13c21dd3a5ea1e15c0a797a48fd6af02c1bdf..66267f4cdde548266b15594e3640bf8247c64859 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -840,7 +840,7 @@ class DsInstance(service.Service):
         certdb.cacert_name = cacert_name
         status = True
         try:
-            certdb.load_cacert(cacert_fname)
+            certdb.load_cacert(cacert_fname, 'C,,')
         except ipautil.CalledProcessError, e:
             root_logger.critical("Error importing CA cert file named [%s]: %s" %
                                          (cacert_fname, str(e)))
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to