Re: [Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install

2013-07-11 Thread Alexander Bokovoy

On Wed, 10 Jul 2013, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza


This patch seems to work ok but I've been unable to test it with an 
external CA installation because that seems to be broken (unrelated 
to this patch).


I filed https://fedorahosted.org/freeipa/ticket/3773

Committed to master, ipa-3-2:

master: ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0
ipa-3-2: e1f481c891b67c79b7d7cc1e9a3ac636826c90cb

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install

2013-07-10 Thread Rob Crittenden

Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza


This patch seems to work ok but I've been unable to test it with an 
external CA installation because that seems to be broken (unrelated to 
this patch).


I filed https://fedorahosted.org/freeipa/ticket/3773

rob



[Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install

2013-06-18 Thread Jan Cholasta

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
From bc3ecb7548c76c2ee181f090a851fa15e12dcbec Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 18 Jun 2013 08:57:12 +
Subject: [PATCH] Check trust chain length in CA-less install.

https://fedorahosted.org/freeipa/ticket/3707
---
 ipaserver/install/installutils.py | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 830a78a..977ccb1 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -740,13 +740,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
 [(server_cert_name, server_cert_trust)] = server_certs
 
 # Check we have the whole cert chain & the CA is in it
-for cert_name in nssdb.get_trust_chain(server_cert_name):
-if cert_name == ca_cert_name:
+trust_chain = nssdb.get_trust_chain(server_cert_name)
+while trust_chain:
+if trust_chain[0] == ca_cert_name:
 break
+trust_chain = trust_chain[1:]
 else:
 raise ScriptError(
 '%s is not signed by %s, or the full certificate chain is not '
 'present in the PKCS#12 file' % (pkcs12_filename, ca_file))
+if len(trust_chain) != 2:
+raise ScriptError(
+'trust chain of the server certificate in %s contains %s '
+'certificates, expected 2' %
+(pkcs12_filename, len(trust_chain)))
 
 # Check server validity
 try:
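Review bot: the new `len(trust_chain) != 2` check measures the chain only after the `while` loop has sliced it down to start at `ca_cert_name`, so the number in 'trust chain of the server certificate in %s contains %s certificates, expected 2' is the count from the supplied CA downwards, not the number of certificates in the PKCS#12 file; a chain with an intermediate between that CA and the server certificate is reported as '3 certificates' with no hint that an intermediate issuer below `ca_file` is what is being rejected. Consider stating the actual requirement in the message (the server certificate must be issued directly by the certificate in `ca_file`), and consider replacing the `while trust_chain:` / `trust_chain = trust_chain[1:]` loop with `trust_chain.index(ca_cert_name)` in a `try`/`except ValueError`, which keeps the existing `else:` error path for the CA-not-in-chain case and avoids re-slicing the list on every iteration.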
-- 
1.8.2.1
