author | Jan Cholasta <jcholast@redhat.com> | 2013-06-03 09:14:21 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2013-06-12 12:59:54 +0200 |
commit | 1e772b18451d64e1ece8577abd15afe532432199 (patch) | |
tree | fc7360cfd2e40b0bcb04463e05b9c06efe38b802 /ipaserver | |
parent | 6b556235266a71eb3f03acaab869a1757534274a (diff) | |
Handle exceptions gracefully when verifying PKCS#12 files.
https://fedorahosted.org/freeipa/ticket/3667
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/certs.py | 8 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 5 |
2 files changed, 11 insertions, 2 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index b170c7cbf..643cbda30 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -29,6 +29,7 @@ import base64
 from hashlib import sha1
 from nss import nss
+from nss.error import NSPRError
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dogtag
@@ -286,7 +287,12 @@ class NSSDatabase(object):
         certdb = nss.get_default_certdb()
         cert = nss.find_cert_from_nickname(nickname)
         intended_usage = nss.certificateUsageSSLServer
-        approved_usage = cert.verify_now(certdb, True, intended_usage)
+        try:
+            approved_usage = cert.verify_now(certdb, True, intended_usage)
+        except NSPRError, e:
+            if e.errno != -8102:
+                raise ValueError(e.strerror)
+            approved_usage = 0
         if not approved_usage & intended_usage:
             raise ValueError('invalid for a SSL server')
         if not cert.verify_hostname(hostname):
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a568eae7c..830a78a8b 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -720,7 +720,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
         # Import the CA cert first so it has a known nickname
         # (if it's present in the PKCS#12 it won't be overwritten)
         ca_cert_name = 'The Root CA'
-        nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+        try:
+            nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+        except ValueError, e:
+            raise ScriptError(str(e))
         # Import everything in the PKCS#12
         nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename)
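Review bot: The `-8102` literal in the new `except NSPRError, e:` branch is a bare NSS error code, so a reader cannot tell which verification failure the code deliberately downgrades to `approved_usage = 0`; that value corresponds to NSS's SEC_ERROR_INADEQUATE_KEY_USAGE as far as I can tell, which is the one case where falling through to the existing 'invalid for a SSL server' message makes sense, but that should be confirmed against secerr.h. Name it at the comparison, e.g. `if e.errno != -8102:  # SEC_ERROR_INADEQUATE_KEY_USAGE: not a server cert, report via the usage check below`. Re-raising as `ValueError(e.strerror)` also drops the numeric code, which is what distinguishes an untrusted issuer from an expired or revoked certificate when an installer log is read later; consider `raise ValueError('%s (%d)' % (e.strerror, e.errno))`. The enclosing method continues outside the hunk.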
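Review bot: The new `except ValueError, e: raise ScriptError(str(e))` in check_pkcs12 forwards the bare message from import_pem_cert, which does not say which file or step failed, so the user gets a PEM/NSS parsing error with no hint that it concerns the CA file; `raise ScriptError('Cannot load CA certificate %s: %s' % (ca_file, e))` would make it actionable. Only the CA import is wrapped here, while the certs.py hunk in this same commit turns verify_now failures into ValueError as well; if check_pkcs12 invokes that verification further down, outside this hunk, the same ValueError-to-ScriptError mapping is needed there or the unhandled traceback is merely moved. The enclosing function continues outside the hunk.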