Fix CA cert validity check for CA-less and external CA installer options

https://fedorahosted.org/freeipa/ticket/4612 Reviewed-By: Martin Kosek <mkosek@redhat.com>
author: Jan Cholasta <jcholast@redhat.com> 2014-10-07 18:16:53 +0200
committer: Martin Kosek <mkosek@redhat.com> 2014-10-16 18:09:49 +0200
commit: fdc70e89e9fa83b45ef403eda401c0c85f205480 (patch)
tree: 5ccb98c8b016c888a2fcb545e5cc3d8792727f36 /ipapython
parent: 284792e7d8e06dd6dba24da4362aab56bbaaaef4 (diff)
download: freeipa-fdc70e89e9fa83b45ef403eda401c0c85f205480.tar.gz
freeipa-fdc70e89e9fa83b45ef403eda401c0c85f205480.tar.xz
freeipa-fdc70e89e9fa83b45ef403eda401c0c85f205480.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4645b406e..5a6e494fb 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -494,7 +494,12 @@ class NSSDatabase(object):
             cert = nss.find_cert_from_nickname(nickname)
             if not cert.subject:
                 raise ValueError("has empty subject")
-            if not cert.is_ca_cert():
+            try:
+                bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
+            except KeyError:
+                raise ValueError("missing basic constraints")
+            bc = nss.BasicConstraints(bc.value)
+            if not bc.is_ca:
                 raise ValueError("not a CA certificate")
             intended_usage = nss.certificateUsageSSLCA
             try:
author	Jan Cholasta <jcholast@redhat.com>	2014-10-07 18:16:53 +0200
committer	Martin Kosek <mkosek@redhat.com>	2014-10-16 18:09:49 +0200
commit	fdc70e89e9fa83b45ef403eda401c0c85f205480 (patch)
tree	5ccb98c8b016c888a2fcb545e5cc3d8792727f36 /ipapython
parent	284792e7d8e06dd6dba24da4362aab56bbaaaef4 (diff)
download	freeipa-fdc70e89e9fa83b45ef403eda401c0c85f205480.tar.gz freeipa-fdc70e89e9fa83b45ef403eda401c0c85f205480.tar.xz freeipa-fdc70e89e9fa83b45ef403eda401c0c85f205480.zip