From b7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 1 Aug 2016 22:35:32 +0200
Subject: Fixed PKCS #12 import for cloning.

To fix cloning issue in IPA the security_database.py has been modified to import all certificates and keys in the PKCS #12 file before the PKI server is started. Since the PKCS #12 generated by IPA may not contain the certificate trust flags, the script will also reset the trust flags on the imported certificates (i.e. CT,C,C for CA certificate and u,u,Pu for audit certificate). The ConfigurationUtils.restoreCertsFromP12() is now redundant and it should be removed in the future, but for now it has been modified to set the same trust flags on imported certificates. The CryptoUtil.importCertificateChain() has also been modified to set the same trust flags on imported certificates.

https://fedorahosted.org/pki/ticket/2424
---
 .../pki/server/deployment/scriptlets/security_databases.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'base/server/python')

diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 99daf1564..e80a1d0f4 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -150,8 +150,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             # Import certificates
             nssdb.import_pkcs12(
                 pkcs12_file=pki_clone_pkcs12_path,
-                pkcs12_password=pki_clone_pkcs12_password,
-                no_user_certs=True)
+                pkcs12_password=pki_clone_pkcs12_password)
+
+            # Set certificate trust flags
+            if subsystem.type == 'CA':
+                nssdb.modify_cert(
+                    nickname=deployer.mdict['pki_ca_signing_nickname'],
+                    trust_attributes='CTu,Cu,Cu')
+
+            nssdb.modify_cert(
+                nickname=deployer.mdict['pki_audit_signing_nickname'],
+                trust_attributes='u,u,Pu')
 
             print('Imported certificates in %s:' %
                   deployer.mdict['pki_database_path'])
-- 
cgit
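Review bot: The trust flags are assigned purely by the nicknames in `pki_ca_signing_nickname` and `pki_audit_signing_nickname`, with no check that `import_pkcs12` actually brought in a certificate under those names; whether `nssdb.modify_cert` raises or returns silently on a missing nickname is not visible here, so a clone whose PKCS #12 used different nicknames could come up with its CA signing cert left untrusted and fail later with a less obvious error. Consider verifying both nicknames are present in the database right after the import (the listing printed just below already enumerates it) and failing the scriptlet explicitly when one is missing. Since `no_user_certs=True` was dropped, every certificate and key in the file is now imported and these two `modify_cert` calls are the only trust reset performed, so a comment such as `# Trust flags may be missing from an IPA-generated PKCS #12; reset them for the certs that need explicit trust` would record why only these two are touched. The commit message says `CT,C,C` for the CA certificate while the code sets `'CTu,Cu,Cu'`; aligning the two avoids confusion when someone audits the trust store against this commit. The enclosing method begins before this hunk.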