authorJan Cholasta <jcholast@redhat.com>2013-06-18 08:57:12 +0000
committerAlexander Bokovoy <abokovoy@redhat.com>2013-07-11 12:39:25 +0300
commitab96ca7831ad8ab2ee2389093ea8b9327d94d6f0 (patch)
tree2b0ac65d5c70b55d061b427804667cf66dd7e326
parentec75348354a01fd332e047085942fb4a4476b184 (diff)
Check trust chain length in CA-less install.
https://fedorahosted.org/freeipa/ticket/3707
-rw-r--r--ipaserver/install/installutils.py11
1 files changed, 9 insertions, 2 deletions
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 278240f..a716525 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -739,13 +739,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
[(server_cert_name, server_cert_trust)] = server_certs
# Check we have the whole cert chain & the CA is in it
- for cert_name in nssdb.get_trust_chain(server_cert_name):
- if cert_name == ca_cert_name:
+ trust_chain = nssdb.get_trust_chain(server_cert_name)
+ while trust_chain:
+ if trust_chain[0] == ca_cert_name:
break
+ trust_chain = trust_chain[1:]
else:
raise ScriptError(
'%s is not signed by %s, or the full certificate chain is not '
'present in the PKCS#12 file' % (pkcs12_filename, ca_file))
+ if len(trust_chain) != 2:
+ raise ScriptError(
+ 'trust chain of the server certificate in %s contains %s '
+ 'certificates, expected 2' %
+ (pkcs12_filename, len(trust_chain)))
# Check server validity
try: