author | Jan Cholasta <jcholast@redhat.com> | 2014-08-05 09:06:39 +0200 |
committer | Petr Viktorin <pviktori@dhcp-31-13.brq.redhat.com> | 2014-09-05 13:59:04 +0200 |
commit | 6ad8c464a43260f8f58dc262f841c35be35b57b5 (patch) | |
tree | d596fb119f94b21a2c01c839a0659b74a4aacf6f /ipaserver/install/installutils.py | |
parent | 418ce870bfbe13cea694a7b862cafe35c703f660 (diff) | |
Make CA-less ipa-server-install option --root-ca-file optional.
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is not actually user selectable, use the CA cert from the PKCS#12 files by default
when it is present.
Document --root-ca-file in ipa-server-install man page.
https://fedorahosted.org/freeipa/ticket/4457
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver/install/installutils.py')
-rw-r--r-- | ipaserver/install/installutils.py | 46 |
1 files changed, 25 insertions, 21 deletions
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 3b9138fef..e4cf5040f 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -800,8 +800,6 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
     This is used for files given to --*_pkcs12 to ipa-server-install and
     ipa-replica-prepare.
-
-    Return a (server cert name, CA cert names) tuple
     """
     pkcs12_filename, pkcs12_passwd = pkcs12_info
     root_logger.debug('Checking PKCS#12 certificate %s', pkcs12_filename)
@@ -812,13 +810,18 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
     # Import the CA cert first so it has a known nickname
     # (if it's present in the PKCS#12 it won't be overwritten)
     ca_cert_name = 'The Root CA'
-    try:
-        nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
-    except (ValueError, RuntimeError) as e:
-        raise ScriptError(str(e))
+    if ca_file:
+        try:
+            nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+        except (ValueError, RuntimeError) as e:
+            raise ScriptError(str(e))
     # Import everything in the PKCS#12
-    nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pkcs12_passwd)
+    try:
+        nssdb.import_pkcs12(
+            pkcs12_filename, db_pwd_file.name, pkcs12_passwd)
+    except RuntimeError as e:
+        raise ScriptError(str(e))
     # Check we have exactly one server cert (one with a private key)
     server_certs = nssdb.find_server_certs()
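Review bot: The docstring of check_pkcs12 now says nothing about the return value, although the last hunk (@@ -855) changes the result from the server cert nickname (`return server_cert_name`) to `return nssdb.get_cert(ca_cert_name)`, and `ca_file` becomes optional in the second hunk without the docstring saying so. The dropped line `Return a (server cert name, CA cert names) tuple` did not match the old code either, so it should be replaced rather than removed. Suggested wording for the docstring: `ca_file may be None, in which case the CA cert is taken from the PKCS#12 file.` followed by `Return the CA certificate that issued the server certificate.` The definition of check_pkcs12 starts before this hunk.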
@@ -833,21 +836,23 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
     # Check we have the whole cert chain & the CA is in it
     trust_chain = nssdb.get_trust_chain(server_cert_name)
-    while trust_chain:
-        if trust_chain[0] == ca_cert_name:
-            break
-        trust_chain = trust_chain[1:]
-    else:
-        raise ScriptError(
-            '%s is not signed by %s, or the full certificate chain is not '
-            'present in the PKCS#12 file' % (pkcs12_filename, ca_file))
-    if len(trust_chain) != 2:
+    if len(trust_chain) < 2:
+        if ca_file:
+            raise ScriptError(
+                '%s is not signed by %s, or the full certificate chain is '
+                'not present in the PKCS#12 file' %
+                (pkcs12_filename, ca_file))
+        else:
+            raise ScriptError(
+                'The full certificate chain is not present in %s' %
+                pkcs12_filename)
+    if ca_file and trust_chain[-2] != ca_cert_name:
         raise ScriptError(
-            'trust chain of the server certificate in %s contains %s '
-            'certificates, expected 2' %
-            (pkcs12_filename, len(trust_chain)))
+            '%s is not signed by %s' % (pkcs12_filename, ca_file))
+    ca_cert_name = trust_chain[-2]
     # Check server validity
+    nssdb.trust_root_cert(ca_cert_name)
     try:
         nssdb.verify_server_cert_validity(server_cert_name, hostname)
     except ValueError as e:
@@ -855,8 +860,7 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
             'The server certificate in %s is not valid: %s' %
             (pkcs12_filename, e))
-    return server_cert_name
-
+    return nssdb.get_cert(ca_cert_name)
 @contextmanager
 def private_ccache(path=None):
|
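Review bot: In the hunk at @@ -833, `ca_cert_name = trust_chain[-2]` silently widens what is accepted as the CA: the removed code required exactly two certificates once the named CA was found, whereas the new `len(trust_chain) < 2` check accepts any longer chain and, when no ca_file is given, takes the second-to-last entry — which in a chain containing an intermediate is that intermediate, not the root — and then passes it to `nssdb.trust_root_cert(ca_cert_name)` and returns it as the CA cert. If trusting the server cert's direct issuer is the intent (the commit message suggests so), the stale comment `# Check we have the whole cert chain & the CA is in it` should say that, e.g. `# The CA is the server cert's direct issuer; without --root-ca-file it is taken from the PKCS#12 and marked trusted`; otherwise an explicit length or self-signature check is needed before trust_root_cert. The ordering of get_trust_chain is inferred from the removed loop and should be confirmed. The enclosing function starts before this hunk.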