diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2016-03-25 03:33:05 +0100 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-02 08:17:41 +0200 |
| commit | ee61c5561be94d3a24ad05643dca8338c47b3b84 (patch) | |
| tree | 1ebf3efb5fa126b27a890744bf57736117cb9623 | |
| parent | 9eba5f33f04348ee4b243d3fc0d095268f824115 (diff) | |
| download | pki-ee61c5561be94d3a24ad05643dca8338c47b3b84.tar.gz pki-ee61c5561be94d3a24ad05643dca8338c47b3b84.tar.xz pki-ee61c5561be94d3a24ad05643dca8338c47b3b84.zip | |
Fixed certificate chain import problem.
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.
The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.
https://fedorahosted.org/pki/ticket/2022
| -rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index fc6877d36..a467df7a6 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -158,17 +158,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64') subsystem.config['ca.signing.certreq'] = signing_csr - # If specified, import external CA cert into NSS database. - external_ca_cert_chain_nickname = deployer.mdict['pki_external_ca_cert_chain_nickname'] - external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path'] - if external_ca_cert_chain_file: - cert_chain, _nicks = nssdb.import_cert_chain( - nickname=external_ca_cert_chain_nickname, - cert_chain_file=external_ca_cert_chain_file, - trust_attributes='CT,C,C') - subsystem.config['ca.external_ca_chain.cert'] = cert_chain - # If specified, import externally-signed CA cert into NSS database. + # Note: CA cert must be imported before the cert chain to ensure that + # the CA cert is imported with the correct nickname. signing_nickname = deployer.mdict['pki_ca_signing_nickname'] signing_cert_file = deployer.mdict['pki_external_ca_cert_path'] if signing_cert_file: @@ -183,6 +175,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): pkcs12_password = deployer.mdict['pki_external_pkcs12_password'] nssdb.import_pkcs12(pkcs12_file, pkcs12_password) + # If specified, import cert chain into NSS database. + external_ca_cert_chain_nickname = \ + deployer.mdict['pki_external_ca_cert_chain_nickname'] + external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path'] + if external_ca_cert_chain_file: + cert_chain, _nicks = nssdb.import_cert_chain( + nickname=external_ca_cert_chain_nickname, + cert_chain_file=external_ca_cert_chain_file, + trust_attributes='CT,C,C') + subsystem.config['ca.external_ca_chain.cert'] = cert_chain + # Export CA cert from NSS database and import it into CS.cfg. signing_cert_data = nssdb.get_cert( nickname=signing_nickname, |