URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733
From 906c2010d594cc7a0e74f7ef80f41ed00581979f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 26 Apr 2017 08:19:27 +0200 Subject: [PATCH] Fix CA/server cert validation in FIPS In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 --- ipapython/certdb.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 0665f94..ea73ec1 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0): return (cert, e) +def get_file_cont(slot, token, filename): + with open(filename) as f: + return f.read() + + class NSSDatabase(object): """A general-purpose wrapper around a NSS cert database @@ -547,12 +552,14 @@ def verify_server_cert_validity(self, nickname, hostname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) + nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) intended_usage = nss.certificateUsageSSLServer try: - approved_usage = cert.verify_now(certdb, True, intended_usage) + approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: raise ValueError(e.strerror) @@ -572,6 +579,7 @@ def verify_ca_cert_validity(self, nickname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) + nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) @@ -586,7 +594,8 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") intended_usage = nss.certificateUsageSSLCA try: - approved_usage = cert.verify_now(certdb, True, intended_usage) + approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE raise ValueError(e.strerror)
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code