From 5223c875b830dc1fc6dc9d9e622ded326a9eeacb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 25 Mar 2016 03:33:05 +0100
Subject: Fixed certificate chain import problem.
In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname. https://fedorahosted.org/pki/ticket/2022
---
.../server/deployment/scriptlets/configuration.py | 24 ++++++++++++----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 79b66757a..f93a24723 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -157,18 +157,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
 subsystem.config['ca.signing.certreq'] = signing_csr
- # If specified, import external CA cert into NSS database.
- external_ca_cert_chain_nickname = \
- deployer.mdict['pki_external_ca_cert_chain_nickname']
- external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
- if external_ca_cert_chain_file:
- cert_chain, _nicks = nssdb.import_cert_chain(
- nickname=external_ca_cert_chain_nickname,
- cert_chain_file=external_ca_cert_chain_file,
- trust_attributes='CT,C,C')
- subsystem.config['ca.external_ca_chain.cert'] = cert_chain
-
 # If specified, import externally-signed CA cert into NSS database.
+ # Note: CA cert must be imported before the cert chain to ensure that
+ # the CA cert is imported with the correct nickname.
 signing_nickname = deployer.mdict['pki_ca_signing_nickname']
 signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
 if signing_cert_file:
@@ -183,6 +174,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
 nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
+ # If specified, import cert chain into NSS database.
+ external_ca_cert_chain_nickname = \
+ deployer.mdict['pki_external_ca_cert_chain_nickname']
+ external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
+ if external_ca_cert_chain_file:
+ cert_chain, _nicks = nssdb.import_cert_chain(
+ nickname=external_ca_cert_chain_nickname,
+ cert_chain_file=external_ca_cert_chain_file,
+ trust_attributes='CT,C,C')
+ subsystem.config['ca.external_ca_chain.cert'] = cert_chain
+
 # Export CA cert from NSS database and import it into CS.cfg.
 signing_cert_data = nssdb.get_cert(
 nickname=signing_nickname,
-- cgit
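Review bot: The chain import in the second hunk still passes `trust_attributes='CT,C,C'` to `nssdb.import_cert_chain` for every certificate in `pki_external_ca_cert_chain_path`, so each intermediate in that file — and the externally-signed CA cert itself when it is part of the chain, the very case this commit targets — is marked as a trusted CA for SSL, email and object signing; the reordering fixes the nickname but not the breadth of that trust. Whether re-importing the already-present CA cert as part of the chain overrides the trust flags set by the earlier signing-cert import is not visible in this hunk and should be confirmed against `import_cert_chain` before relying on the new order. The comment added in the first hunk states the rule but not the mechanism; I would make it `# Note: the chain may contain the CA cert itself. Importing the CA cert first keeps it under pki_ca_signing_nickname instead of a chain-derived nickname.` Logging the discarded `_nicks` would also make the set of certificates actually imported from the chain auditable in the deployment log. The enclosing method starts before the first hunk and continues after the second.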