Do stricter validation of CA certificates

Every CA certificate must have non-empty subject and basic constraints extension with the CA flag set. https://fedorahosted.org/freeipa/ticket/4477 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
author: Jan Cholasta <jcholast@redhat.com> 2014-09-29 16:22:30 +0200
committer: Martin Kosek <mkosek@redhat.com> 2014-09-30 08:50:47 +0200
commit: 83cbfa8eaee6b2b84eb9fe9e514a339780df81b5 (patch)
tree: 778cf688a4b3c4c7a9dc0d2084630825a75990e7
parent: 3cde7e9cfd7908b24082e3e50cdd0955726223d0 (diff)
download: freeipa-83cbfa8eaee6b2b84eb9fe9e514a339780df81b5.tar.gz
freeipa-83cbfa8eaee6b2b84eb9fe9e514a339780df81b5.tar.xz
freeipa-83cbfa8eaee6b2b84eb9fe9e514a339780df81b5.zip
2 files changed, 15 insertions, 4 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 82d8290a8..55feb6596 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -490,6 +490,10 @@ class NSSDatabase(object):
         try:
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
+            if not cert.subject:
+                raise ValueError("has empty subject")
+            if not cert.is_ca_cert():
+                raise ValueError("not a CA certificate")
             intended_usage = nss.certificateUsageSSLCA
             try:
                 approved_usage = cert.verify_now(certdb, True, intended_usage)
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 6a7fd0517..1acc62340 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -215,8 +215,6 @@ class CACertManage(admintool.AdminTool):
             #pylint: enable=E1101
 
             nss_cert = x509.load_certificate_from_file(cert_file.name)
-            if not nss_cert.is_ca_cert():
-                raise admintool.ScriptError("Not a CA certificate")
             if nss_cert.subject != subject:
                 raise admintool.ScriptError("Subject name mismatch")
             #pylint: disable=E1101
@@ -319,8 +317,6 @@ class CACertManage(admintool.AdminTool):
                     "Can't open \"%s\": %s" % (cert_filename, e))
             except (TypeError, NSPRError), e:
                 raise admintool.ScriptError("Not a valid certificate: %s" % e)
-            if not nss_cert.is_ca_cert():
-                raise admintool.ScriptError("Not a CA certificate")
             subject = nss_cert.subject
             cert = nss_cert.der_data
         finally:
@@ -328,6 +324,17 @@ class CACertManage(admintool.AdminTool):
 
         nickname = options.nickname or str(subject)
 
+        with certs.NSSDatabase() as tmpdb:
+            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
+            tmpdb.create_db(pw.name)
+            tmpdb.add_cert(cert, nickname, 'C,,')
+
+            try:
+                tmpdb.verify_ca_cert_validity(nickname)
+            except ValueError, e:
+                raise admintool.ScriptError(
+                    "Not a valid CA certificate: %s" % e)
+
         trust_flags = options.trust_flags
         if ((set(trust_flags) - set(',CPTcgpuw')) or
             len(trust_flags.split(',')) != 3):
author	Jan Cholasta <jcholast@redhat.com>	2014-09-29 16:22:30 +0200
committer	Martin Kosek <mkosek@redhat.com>	2014-09-30 08:50:47 +0200
commit	83cbfa8eaee6b2b84eb9fe9e514a339780df81b5 (patch)
tree	778cf688a4b3c4c7a9dc0d2084630825a75990e7
parent	3cde7e9cfd7908b24082e3e50cdd0955726223d0 (diff)
download	freeipa-83cbfa8eaee6b2b84eb9fe9e514a339780df81b5.tar.gz freeipa-83cbfa8eaee6b2b84eb9fe9e514a339780df81b5.tar.xz freeipa-83cbfa8eaee6b2b84eb9fe9e514a339780df81b5.zip