From 1e772b18451d64e1ece8577abd15afe532432199 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 3 Jun 2013 09:14:21 +0200 Subject: Handle exceptions gracefully when verifying PKCS#12 files. https://fedorahosted.org/freeipa/ticket/3667 --- ipaserver/install/certs.py | 8 +++++++- ipaserver/install/installutils.py | 5 ++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index b170c7cbf..643cbda30 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -29,6 +29,7 @@ import base64 from hashlib import sha1 from nss import nss +from nss.error import NSPRError from ipapython.ipa_log_manager import root_logger from ipapython import dogtag @@ -286,7 +287,12 @@ class NSSDatabase(object): certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) intended_usage = nss.certificateUsageSSLServer - approved_usage = cert.verify_now(certdb, True, intended_usage) + try: + approved_usage = cert.verify_now(certdb, True, intended_usage) + except NSPRError, e: + if e.errno != -8102: + raise ValueError(e.strerror) + approved_usage = 0 if not approved_usage & intended_usage: raise ValueError('invalid for a SSL server') if not cert.verify_hostname(hostname): diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index a568eae7c..830a78a8b 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -720,7 +720,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname): # Import the CA cert first so it has a known nickname # (if it's present in the PKCS#12 it won't be overwritten) ca_cert_name = 'The Root CA' - nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file) + try: + nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file) + except ValueError, e: + raise ScriptError(str(e)) # Import everything in the PKCS#12 nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename) -- cgit