URL: https://github.com/freeipa/freeipa/pull/1094 Author: stlaz Title: #1094: [Backport][ipa-4-6] Don't write p11-kit EKU extension object if no EKU Action: opened
PR body: """ This PR was opened automatically because PR #1090 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1094/head:pr1094 git checkout pr1094
From d0a93d4b61d770bfcfe4f37d808d643928e5d11c Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 18 Sep 2017 16:28:10 +0200 Subject: [PATCH] Don't write p11-kit EKU extension object if no EKU b5732efd introduced a regression because it tries to write EKU that's actually in the CA cert instead of using the LDAP information. However, when no EKU is available, IPACertificate.extended_key_usage_bytes still returned at least EKU_PLACEHOLDER OID to keep the behavior the same as in previous versions. This caused the EKU_PLACEHOLDER to be written in the ipa.p11-kit file which made Firefox report FreeIPA Web UI as improperly configured. https://pagure.io/freeipa/issue/7119
---
 ipalib/x509.py | 5 ++++-
 ipaplatform/redhat/tasks.py | 5 +++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 857245aa31..0b3a423ce3 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -295,8 +295,11 @@ def extended_key_usage(self):
 @property
 def extended_key_usage_bytes(self):
+ eku = self.extended_key_usage
+ if eku is None:
+ return
+
 ekurfc = rfc2459.ExtKeyUsageSyntax()
- eku = self.extended_key_usage or {EKU_PLACEHOLDER}
 for i, oid in enumerate(eku):
 ekurfc[i] = univ.ObjectIdentifier(oid)
 ekurfc = encoder.encode(ekurfc)
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 99f04353c3..e3bb1271e6 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -257,7 +257,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 "\n")
 has_eku = set()
- for cert, nickname, trusted, ext_key_usage in ca_certs:
+ for cert, nickname, trusted, _ext_key_usage in ca_certs:
 try:
 subject = cert.subject_bytes
 issuer = cert.issuer_bytes
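Review bot: The new early exit in extended_key_usage_bytes tests `eku is None` only, whereas the removed `or {EKU_PLACEHOLDER}` fallback also covered an empty set; if `extended_key_usage` can ever yield an empty set, the loop below now hands `encoder.encode` an ExtKeyUsageSyntax with no entries, which the RFC size constraint on that type will most likely reject with a PyAsn1Error instead of signalling "no EKU". `if not eku: return None` covers both cases and makes the None result explicit rather than a bare `return`. Because the property's contract changes from always-bytes to bytes-or-None, it should carry a docstring such as `"""DER-encoded ExtKeyUsageSyntax, or None when the certificate has no EKU extension."""` so callers know to check for None before writing the value. The property body continues past the end of the hunk; the encoded value is presumably returned there.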
@@ -296,7 +296,8 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 pem=cert.public_bytes(x509.Encoding.PEM).decode('ascii'))
 f.write(obj)
- if ext_key_usage is not None and public_key_info not in has_eku:
+ if (cert.extended_key_usage is not None and
+ public_key_info not in has_eku):
 try:
 ext_key_usage = cert.extended_key_usage_bytes
 except PyAsn1Error as e:
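Review bot: With the tuple element now bound as `_ext_key_usage` in the previous hunk and never read, the gate at this condition takes the EKU solely from `cert.extended_key_usage`, so whatever the fourth element of each ca_certs entry carries is no longer consulted anywhere in this loop; if that element is the LDAP-side value the description refers to, the condition deserves a comment recording the decision, e.g. `# EKU is read from the CA cert itself; the ca_certs tuple value is intentionally ignored`. The None test is also now made twice per certificate, here and again inside extended_key_usage_bytes (ipalib/x509.py hunk above), and `cert.extended_key_usage` is evaluated once in the condition and once inside the bytes property; if that property parses the extension on every access this is redundant work, though harmless. The rest of the loop body, including what is written for ext_key_usage and how PyAsn1Error is handled, lies outside the hunk.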