diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2011-07-11 17:39:30 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2011-07-17 22:14:24 -0400 |
| commit | 2f650b60a4ce9c9b19a64b21ebe3051668efb4af (patch) | |
| tree | d6280d7277eae4ab726a4c1a201130f9ea4f3a4d /ipaserver/install/certs.py | |
| parent | 038089a0c9160221d17796b8d6fd6e4f1fb67850 (diff) | |
| download | freeipa-2f650b60a4ce9c9b19a64b21ebe3051668efb4af.tar.gz freeipa-2f650b60a4ce9c9b19a64b21ebe3051668efb4af.tar.xz freeipa-2f650b60a4ce9c9b19a64b21ebe3051668efb4af.zip | |
Use information from the certificate subject when setting the NSS nickname.
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.
We can instead pull the subject from the certificate and use that as
the nickname.
https://fedorahosted.org/freeipa/ticket/1141
Diffstat (limited to 'ipaserver/install/certs.py')
| -rw-r--r-- | ipaserver/install/certs.py | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index ebe654dd3..522d3f576 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -38,6 +38,7 @@ from ipalib import pkcs10 from ConfigParser import RawConfigParser, MissingSectionHeaderError import service from ipalib import x509 +from ipalib.dn import DN from ipalib.errors import CertificateOperationError from nss.error import NSPRError @@ -82,6 +83,20 @@ def find_cert_from_txt(cert, start=0): cert = cert[s:e] return (cert, e) +def get_cert_nickname(cert): + """ + Using the subject from cert come up with a nickname suitable + for NSS. The caller can decide whether to use just the RDN + or the whole subject. + + Returns a tuple of (rdn, subject) + """ + nsscert = x509.load_certificate(cert) + subject = str(nsscert.subject) + dn = DN(subject) + + return (str(dn[0]), str(dn)) + def next_serial(serial_file=CA_SERIALNO): """ Get the next serial number if we're using an NSS-based self-signed CA. @@ -415,16 +430,16 @@ class CertDB(object): certs = fd.read() fd.close() + normalized_base = str(DN(self.subject_base)) st = 0 - subid=0 while True: try: (cert, st) = find_cert_from_txt(certs, st) - if subid == 0: - nick = self.cacert_name + (nick, subject) = get_cert_nickname(cert) + if subject.lower() == ('CN=Certificate Authority,%s' % normalized_base).lower(): + nick = get_ca_nickname(self.realm) else: - nick = "%s sub %d" % (self.cacert_name, subid) - subid = subid + 1 + nick = subject self.run_certutil(["-A", "-n", nick, "-t", "CT,,C", "-a"], |