author | Jan Cholasta <jcholast@redhat.com> | 2014-10-07 18:16:53 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-16 18:09:49 +0200 |
commit | fdc70e89e9fa83b45ef403eda401c0c85f205480 (patch) | |
tree | 5ccb98c8b016c888a2fcb545e5cc3d8792727f36 /ipapython | |
parent | 284792e7d8e06dd6dba24da4362aab56bbaaaef4 (diff) | |
Fix CA cert validity check for CA-less and external CA installer options
https://fedorahosted.org/freeipa/ticket/4612
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/certdb.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4645b406e..5a6e494fb 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -494,7 +494,12 @@ class NSSDatabase(object):
         cert = nss.find_cert_from_nickname(nickname)
         if not cert.subject:
             raise ValueError("has empty subject")
-        if not cert.is_ca_cert():
+        try:
+            bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
+        except KeyError:
+            raise ValueError("missing basic constraints")
+        bc = nss.BasicConstraints(bc.value)
+        if not bc.is_ca:
             raise ValueError("not a CA certificate")
         intended_usage = nss.certificateUsageSSLCA
         try:
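Review bot: `bc` is bound first to the raw extension object and then rebound to the parsed `nss.BasicConstraints`, so the reader has to track which object the name holds across the KeyError handler and the parse step; naming the first one for what it is keeps the two distinct: `ext = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)` and `bc = nss.BasicConstraints(ext.value)`. The new check also accepts the extension regardless of whether it is flagged critical, which RFC 5280 requires for basicConstraints in a CA certificate; if the extension object exposes its critical flag, rejecting a non-critical one here would tighten the check, but that should be confirmed against the certificates the CA-less and external-CA paths actually load before making it a hard failure. A one-line comment above the `try`, such as `# A CA cert must carry basicConstraints with cA=TRUE; absence is an error, not "not a CA"`, would explain why a missing extension gets its own ValueError rather than falling through to the "not a CA certificate" branch. The enclosing method continues outside the hunk, where `intended_usage` is consumed, so any usage checks performed there are not visible here.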