diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-04-26 16:45:19 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-06-16 19:27:17 -0400 |
commit | a2a3782efb386f18689faf35a069c4da1085e87d (patch) | |
tree | b8c4b2bf7c13307eccf3be5f962a680ae97e122b /ipalib/plugins/host.py | |
parent | ed7a3e005a052845b7302744c0f6c16f7cdfd511 (diff) | |
download | freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.tar.gz freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.tar.xz freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.zip |
Require an imported certificate's issuer to match our issuer.
The goal is to not import foreign certificates.
This caused a bunch of tests to fail because we had a hardcoded server
certificate. Instead a developer will need to run make-testcert to
create a server certificate generated by the local CA to test against.
ticket 1134
Diffstat (limited to 'ipalib/plugins/host.py')
-rw-r--r-- | ipalib/plugins/host.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 29f659f9c..5d6a23f42 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -85,6 +85,7 @@ from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate +from ipalib.plugins.service import verify_cert_subject from ipalib.plugins.dns import dns_container_exists, _record_types from ipalib.plugins.dns import add_forward_record from ipalib import _, ngettext @@ -400,6 +401,11 @@ class host_add(LDAPCreate): # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) del entry_attrs['random'] + cert = options.get('usercertificate') + if cert: + cert = normalize_certificate(cert) + verify_cert_subject(ldap, keys[-1], cert) + entry_attrs['usercertificate'] = cert entry_attrs['managedby'] = dn return dn @@ -600,6 +606,7 @@ class host_mod(LDAPUpdate): entry_attrs['objectclass'] = obj_classes cert = normalize_certificate(entry_attrs.get('usercertificate')) if cert: + verify_cert_subject(ldap, keys[-1], cert) (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) if 'usercertificate' in entry_attrs_old: oldcert = normalize_certificate(entry_attrs_old.get('usercertificate')[0]) |