author | Jan Cholasta <jcholast@redhat.com> | 2014-03-13 10:27:54 +0100 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 031b2819217b540b35ce6fb1dc4a7d73db29d5da (patch) | |
tree | f458c30da3319f745c25c7b5456833d6c014bd34 /ipaserver | |
parent | 2c43a3d0d564b2cfc910d80c42d2ac3c55c9aeb3 (diff) | |
Add method for verifying CA certificates to NSSDatabase.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/certs.py | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 6e01efb9c..90d04a3fb 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -256,6 +256,8 @@ class NSSDatabase(object):
         Raises a ValueError if the certificate is invalid.
         """
         certdb = cert = None
+        if nss.nss_is_initialized():
+            nss.nss_shutdown()
         nss.nss_init(self.secdir)
         try:
             certdb = nss.get_default_certdb()
@@ -277,6 +279,27 @@ class NSSDatabase(object):
 
         return None
 
+    def verify_ca_cert_validity(self, nickname):
+        certdb = cert = None
+        if nss.nss_is_initialized():
+            nss.nss_shutdown()
+        nss.nss_init(self.secdir)
+        try:
+            certdb = nss.get_default_certdb()
+            cert = nss.find_cert_from_nickname(nickname)
+            intended_usage = nss.certificateUsageSSLCA
+            try:
+                approved_usage = cert.verify_now(certdb, True, intended_usage)
+            except NSPRError, e:
+                if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
+                    raise ValueError(e.strerror)
+                approved_usage = 0
+            if approved_usage & intended_usage != intended_usage:
+                raise ValueError('invalid for a CA')
+        finally:
+            del certdb, cert
+            nss.nss_shutdown()
+
 
 class CertDB(object):
     """An IPA-server-specific wrapper around NSS
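Review bot: The `if nss.nss_is_initialized(): nss.nss_shutdown()` guard inserted before `nss.nss_init(self.secdir)` is now duplicated verbatim in the new `verify_ca_cert_validity` further down, together with the `finally: del certdb, cert; nss.nss_shutdown()` epilogue; a small private helper that performs the shutdown-if-needed and init pair would keep the two methods from drifting. NSS initialization is process-global state, so if anything else in the process had NSS open against a different database this unconditional shutdown would tear it down — presumably no other user exists in this install path, but it is worth a short comment such as `# NSS is process-global: drop any prior init so self.secdir is the active DB`. The method this hunk edits starts and ends outside the hunk.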
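Review bot: The usage check `if approved_usage & intended_usage != intended_usage:` in the new `verify_ca_cert_validity` never fires, because in Python `!=` binds tighter than `&`, so the expression is `approved_usage & (intended_usage != intended_usage)`, i.e. `approved_usage & False`, which is always 0. In particular the SEC_ERROR_INADEQUATE_KEY_USAGE path that sets `approved_usage = 0` is then silently accepted instead of raising `ValueError('invalid for a CA')`, so a certificate lacking CA key usage would pass this check; the fix is `if (approved_usage & intended_usage) != intended_usage:`. If the existing server-cert check that the first hunk touches uses the same expression (its check line is outside the hunk), it needs the same parenthesization. The new method also lacks the docstring its sibling has; a `"""Verify that the certificate with nickname is valid as a SSL CA. Raises ValueError if it is not."""` would keep the two consistent.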