diff options
author | Jan Cholasta <jcholast@redhat.com> | 2013-06-18 08:57:12 +0000 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2013-07-11 12:41:58 +0300 |
commit | e1f481c891b67c79b7d7cc1e9a3ac636826c90cb (patch) | |
tree | 21de9567a411a1346d5e24e626371d2bcfc893f0 | |
parent | 2628a593d2b15f442c51d6f17d91b81c933cf0e7 (diff) | |
download | freeipa.git-e1f481c891b67c79b7d7cc1e9a3ac636826c90cb.tar.gz freeipa.git-e1f481c891b67c79b7d7cc1e9a3ac636826c90cb.tar.xz freeipa.git-e1f481c891b67c79b7d7cc1e9a3ac636826c90cb.zip |
Check trust chain length in CA-less install.
https://fedorahosted.org/freeipa/ticket/3707
-rw-r--r-- | ipaserver/install/installutils.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index cf62f0f6..a8503c82 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -741,13 +741,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname): [(server_cert_name, server_cert_trust)] = server_certs # Check we have the whole cert chain & the CA is in it - for cert_name in nssdb.get_trust_chain(server_cert_name): - if cert_name == ca_cert_name: + trust_chain = nssdb.get_trust_chain(server_cert_name) + while trust_chain: + if trust_chain[0] == ca_cert_name: break + trust_chain = trust_chain[1:] else: raise ScriptError( '%s is not signed by %s, or the full certificate chain is not ' 'present in the PKCS#12 file' % (pkcs12_filename, ca_file)) + if len(trust_chain) != 2: + raise ScriptError( + 'trust chain of the server certificate in %s contains %s ' + 'certificates, expected 2' % + (pkcs12_filename, len(trust_chain))) # Check server validity try: |