authorChristian Heimes <cheimes@redhat.com>2018-11-13 12:21:21 +0100
committerChristian Heimes <cheimes@redhat.com>2018-11-14 07:57:13 +0100
commit13917ddc55ee0d40130cfb37173dd368642d46a9 (patch)
tree3a68739fc0e6c7341e4fb2fed49dbb06e1e1855c
parentee52ceb98cdc8746e8b0a9b834afad536b282d85 (diff)
certdb: validate server cert signature
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA cert validation. Let's also verify signature, key size, and signing algorithm of server certs. With the '-e' option, the installer and other tools will catch weak certs early. Fixes: pagure.io/freeipa/issue/7761 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
-rw-r--r--ipapython/certdb.py11
1 files changed, 9 insertions, 2 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index b84d7d3b7..12e21f286 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -896,8 +896,15 @@ class NSSDatabase:
cert = self.get_cert(nickname)
try:
- self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
- capture_output=True)
+ self.run_certutil(
+ [
+ '-V', # check validity of cert and attrs
+ '-n', nickname,
+ '-u', 'V', # usage; 'V' means "SSL server"
+ '-e', # check signature(s); this checks
+ # key sizes, sig algorithm, etc.
+ ],
+ capture_output=True)
except ipautil.CalledProcessError as e:
# certutil output in case of error is
# 'certutil: certificate is invalid: <ERROR_STRING>\n'
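Review bot: The inline comment on the new `'-e'` argument says it checks key sizes and signature algorithm, but nothing in this call sets those limits; as far as I can tell they come from the NSS policy active on the host, so what counts as a weak cert can differ between systems. I would say so in the comment, e.g. `'-e',  # verify signature(s); key-size and algorithm limits come from the NSS policy in effect`. The commit touches only ipapython/certdb.py, so no test shows that a server cert with a weak key or signature is actually rejected through the `except ipautil.CalledProcessError` branch; a regression test would be worth adding. Signature checking with `-e` presumably also needs the issuing chain to be present and trusted in this database, which is worth stating in the method's docstring. The enclosing method starts above the hunk and the `except` body continues below it.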