summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Cholasta <jcholast@redhat.com>2013-06-03 09:14:21 +0200
committerPetr Viktorin <pviktori@redhat.com>2013-06-12 12:59:54 +0200
commit1e772b18451d64e1ece8577abd15afe532432199 (patch)
treefc7360cfd2e40b0bcb04463e05b9c06efe38b802
parent6b556235266a71eb3f03acaab869a1757534274a (diff)
downloadfreeipa-1e772b18451d64e1ece8577abd15afe532432199.zip
freeipa-1e772b18451d64e1ece8577abd15afe532432199.tar.gz
freeipa-1e772b18451d64e1ece8577abd15afe532432199.tar.xz
Handle exceptions gracefully when verifying PKCS#12 files.
https://fedorahosted.org/freeipa/ticket/3667
-rw-r--r--ipaserver/install/certs.py8
-rw-r--r--ipaserver/install/installutils.py5
2 files changed, 11 insertions, 2 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index b170c7c..643cbda 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -29,6 +29,7 @@ import base64
from hashlib import sha1
from nss import nss
+from nss.error import NSPRError
from ipapython.ipa_log_manager import root_logger
from ipapython import dogtag
@@ -286,7 +287,12 @@ class NSSDatabase(object):
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
- approved_usage = cert.verify_now(certdb, True, intended_usage)
+ try:
+ approved_usage = cert.verify_now(certdb, True, intended_usage)
+ except NSPRError, e:
+ if e.errno != -8102:
+ raise ValueError(e.strerror)
+ approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a568eae..830a78a 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -720,7 +720,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
# Import the CA cert first so it has a known nickname
# (if it's present in the PKCS#12 it won't be overwritten)
ca_cert_name = 'The Root CA'
- nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+ try:
+ nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+ except ValueError, e:
+ raise ScriptError(str(e))
# Import everything in the PKCS#12
nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename)