URL: https://github.com/freeipa/freeipa/pull/733
Author: stlaz
Title: #733: [4.5] Fix CA/server cert validation in FIPS
Action: opened

PR body:
"""
In FIPS, the NSS library needs to be passed passwords to perform
certificate validation. Should we not have passed it and the NSS
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE,
which is a completely different error than one would expect, but
that's just how things are with NSS right now.

https://pagure.io/freeipa/issue/6897
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/733/head:pr733
git checkout pr733
From 3490705b960a601ef76efcae7af9b7bd0d32e237 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 26 Apr 2017 08:19:27 +0200
Subject: [PATCH] Fix CA/server cert validation in FIPS

In FIPS, the NSS library needs to be passed passwords to perform
certificate validation. Should we not have passed it and the NSS
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE,
which is a completely different error than one would expect, but
that's just how things are with NSS right now.

https://pagure.io/freeipa/issue/6897
---
 ipapython/certdb.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index f1410e5..16e2514 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -77,6 +77,12 @@ def find_cert_from_txt(cert, start=0):
     return (cert, e)
 
 
+def get_file_cont(slot, token, filename):
+    with open(filename) as f:
+        cont = f.read()
+    return cont
+
+
 class NSSDatabase(object):
     """A general-purpose wrapper around a NSS cert database
 
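Review bot: `get_file_cont(slot, token, filename)` is installed as the python-nss password callback, and python-nss invokes that callback as `callback(slot, retry, user_data)`, so the parameter named `token` here is really the retry flag and `filename` is whatever was passed as user_data to `verify_now`; the names should reflect that contract, and the function needs a docstring saying it is a password callback rather than a generic file reader. Two behaviours also deserve attention: the callback returns the same password on every call, including when `retry` is true, whereas a callback should return `None` on retry so a wrong password file fails fast instead of being re-tried indefinitely; and `f.read()` returns the file verbatim, so a password file that ends in a newline will be passed to NSS with the newline attached. Consider something like `return None if retry else f.read().rstrip('\n')`.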
@@ -547,12 +553,14 @@ def verify_server_cert_validity(self, nickname, hostname):
         if nss.nss_is_initialized():
             nss.nss_shutdown()
         nss.nss_init(self.secdir)
+        nss.set_password_callback(get_file_cont)
         try:
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
             intended_usage = nss.certificateUsageSSLServer
             try:
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
+                                                 self.pwd_file)
             except NSPRError as e:
                 if e.errno != -8102:
                     raise ValueError(e.strerror)
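Review bot: `self.pwd_file` is passed straight through as the callback's user_data, but nothing on this path guards against it being unset; if the database has no password file, `get_file_cont` will call `open(None)`, and the resulting `TypeError` escapes from `verify_now` unhandled because the `except` clause only catches `NSPRError`. Either skip installing the callback when `self.pwd_file` is `None` or make the callback tolerate a missing file. Also, the `-8102` comparison here has no explanation, while the identical check in `verify_ca_cert_validity` carries `# SEC_ERROR_INADEQUATE_KEY_USAGE`; add the same comment so the two stay in step.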
@@ -572,6 +580,7 @@ def verify_ca_cert_validity(self, nickname):
         if nss.nss_is_initialized():
             nss.nss_shutdown()
         nss.nss_init(self.secdir)
+        nss.set_password_callback(get_file_cont)
         try:
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
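Review bot: the `nss_shutdown` / `nss_init(self.secdir)` / `set_password_callback(get_file_cont)` sequence is now duplicated verbatim in both `verify_server_cert_validity` and `verify_ca_cert_validity`, and the two copies of the surrounding error handling have already drifted (one documents the `-8102` code, the other does not). Pulling the initialization into a small private helper on `NSSDatabase` would keep the FIPS password setup in one place so a later fix does not have to be applied twice.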
@@ -586,7 +595,8 @@ def verify_ca_cert_validity(self, nickname):
                 raise ValueError("not a CA certificate")
             intended_usage = nss.certificateUsageSSLCA
             try:
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
+                                                 self.pwd_file)
             except NSPRError as e:
                 if e.errno != -8102:    # SEC_ERROR_INADEQUATE_KEY_USAGE
                     raise ValueError(e.strerror)
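Review bot: the commit message explains that in FIPS mode a missing password surfaces as `SEC_ERROR_BAD_SIGNATURE` rather than a password error, yet `raise ValueError(e.strerror)` still forwards that misleading text to the caller with no hint that the password file is the likely cause. A comment at the `raise` referencing the behaviour (and the linked issue), or a message that mentions the NSS password file when `e.errno` is the bad-signature code, would save the next person debugging this on a FIPS host from the same detour.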
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code