author | Stanislav Laznicka <slaznick@redhat.com> | 2017-09-18 16:28:10 +0200 |
---|---|---|
committer | Stanislav Laznicka <slaznick@redhat.com> | 2017-09-19 09:42:07 +0200 |
commit | e537686bcc8248bc0216ce634ae7707fa65e70ba (patch) | |
tree | a7c4913022420d12786367c0c9b0bedfbab5f33b /ipalib | |
parent | 87540fe1ef8a191e521ddf1584b4cbebb7dece94 (diff) | |
Don't write p11-kit EKU extension object if no EKU
b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.
https://pagure.io/freeipa/issue/7119
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/x509.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 857245aa3..0b3a423ce 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -295,8 +295,11 @@ class IPACertificate(object):
 @property
 def extended_key_usage_bytes(self):
+ eku = self.extended_key_usage
+ if eku is None:
+ return
+
 ekurfc = rfc2459.ExtKeyUsageSyntax()
- eku = self.extended_key_usage or {EKU_PLACEHOLDER}
 for i, oid in enumerate(eku):
 ekurfc[i] = univ.ObjectIdentifier(oid)
 ekurfc = encoder.encode(ekurfc) |
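Review bot: The new guard `if eku is None:` only catches `None`, whereas the removed `or {EKU_PLACEHOLDER}` also covered an empty collection. If `extended_key_usage` can ever return an empty set (not visible in this hunk), the loop is skipped and an empty ExtKeyUsageSyntax sequence is encoded and handed to the trust-store writer; `if not eku:` would cover both cases. The property now also has two return types, so I would write `return None` explicitly and add a docstring such as `"""DER-encoded ExtKeyUsageSyntax, or None when the certificate carries no EKU."""`. Every consumer then has to test for `None` before writing the value into a p11-kit object. Those callers and the rest of this method's body are outside the hunk, so that check should be confirmed there.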