From ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 18 Jun 2013 08:57:12 +0000
Subject: Check trust chain length in CA-less install.

https://fedorahosted.org/freeipa/ticket/3707
---
 ipaserver/install/installutils.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 278240f1e..a716525b3 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -739,13 +739,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
         [(server_cert_name, server_cert_trust)] = server_certs
 
         # Check we have the whole cert chain & the CA is in it
-        for cert_name in nssdb.get_trust_chain(server_cert_name):
-            if cert_name == ca_cert_name:
+        trust_chain = nssdb.get_trust_chain(server_cert_name)
+        while trust_chain:
+            if trust_chain[0] == ca_cert_name:
                 break
+            trust_chain = trust_chain[1:]
         else:
             raise ScriptError(
                 '%s is not signed by %s, or the full certificate chain is not '
                 'present in the PKCS#12 file' % (pkcs12_filename, ca_file))
+        if len(trust_chain) != 2:
+            raise ScriptError(
+                'trust chain of the server certificate in %s contains %s '
+                'certificates, expected 2' %
+                (pkcs12_filename, len(trust_chain)))
 
         # Check server validity
         try:
-- 
cgit