URL: https://github.com/freeipa/freeipa/pull/94
Author: tomaskrizek
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates
Action: opened

PR body:
"""
Backup and restore trust flags of existing certificates during CA
installation. This prevents marking a previously trusted certificate
as untrusted, as was the case when CA-less was converted to CA-full
with external CA when using the same certificate.

https://fedorahosted.org/freeipa/ticket/5791
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/94/head:pr94
git checkout pr94
From d09d113f2fe73a86837a8006c234102fa7be05c9 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Tue, 13 Sep 2016 10:14:47 +0200
Subject: [PATCH] Keep NSS trust flags of existing certificates

Backup and restore trust flags of existing certificates during CA
installation. This prevents marking a previously trusted certificate
as untrusted, as was the case when CA-less was converted to CA-full
with external CA when using the same certificate.

https://fedorahosted.org/freeipa/ticket/5791
---
 ipaserver/install/cainstance.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index adbe968..7c8016a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1015,6 +1015,10 @@ def __create_ca_agent_pkcs12(self):
             os.remove(pwd_name)
 
     def __import_ca_chain(self):
+        # Backup NSS trust flags of all already existing certificates
+        certdb = certs.CertDB(self.realm)
+        cert_backup_list = certdb.list_certs()
+
         chain = self.__get_ca_chain()
 
         # If this chain contains multiple certs then certutil will only import
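Review bot: the backup at the top of `__import_ca_chain` constructs `certs.CertDB(self.realm)` without naming a database directory, so please confirm that this instance resolves to the same NSS database the chain is imported into further down; if the import targets a different directory, `list_certs()` records trust flags for the wrong database and the later restore has no effect on the certificates that were actually changed. A short comment stating that `list_certs()` yields `(nickname, trust_flags)` pairs would also help, since the restore loop in the second hunk depends on exactly that shape.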
@@ -1064,6 +1068,10 @@ def __import_ca_chain(self):
                     os.remove(chain_name)
                     subid += 1
 
+        # Restore NSS trust flags of all previously existing certificates
+        for nick, trust_flags in cert_backup_list:
+            certdb.trust_root_cert(nick, trust_flags)
+
     def __request_ra_certificate(self):
         # Create a noise file for generating our private key
         noise = array.array('B', os.urandom(128))
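Review bot: the restore loop only runs when the whole import completes, so if `__import_ca_chain` raises after one or more chain certificates have already been imported, the overwritten trust flags stay overwritten; consider wrapping the import in try/finally so the restore always runs, and decide explicitly how the loop should behave for a backed-up nickname that no longer exists after the import. It is also worth stating in the comment that calling `certdb.trust_root_cert(nick, trust_flags)` on every backed-up entry, not only on CA certificates, is intended, since the helper's name suggests it was written for root certificates.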
-- 