author | Rob Crittenden <rcritten@redhat.com> | 2011-07-11 17:39:30 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-07-17 22:14:24 -0400 |
commit | 2f650b60a4ce9c9b19a64b21ebe3051668efb4af (patch) | |
tree | d6280d7277eae4ab726a4c1a201130f9ea4f3a4d /ipaserver/install/cainstance.py | |
parent | 038089a0c9160221d17796b8d6fd6e4f1fb67850 (diff) | |
Use information from the certificate subject when setting the NSS nickname.
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.
We can instead pull the subject from the certificate and use that as
the nickname.
https://fedorahosted.org/freeipa/ticket/1141
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index fbc566a2..121b651b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -39,6 +39,7 @@ import socket
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipalib import pkcs10, x509
+from ipalib.dn import DN
 import subprocess
 from nss.error import NSPRError
@@ -919,7 +920,7 @@ class CAInstance(service.Service):
 # makes openssl throw up.
 data = base64.b64decode(chain)
- (certs, stderr, returncode) = ipautil.run(["/usr/bin/openssl",
+ (certlist, stderr, returncode) = ipautil.run(["/usr/bin/openssl",
 "pkcs7",
 "-inform",
 "DER",
@@ -932,18 +933,20 @@ class CAInstance(service.Service):
 st = 1
 en = 0
 subid = 0
+ normalized_base = str(DN(self.subject_base))
 while st > 0:
- st = certs.find('-----BEGIN', en)
- en = certs.find('-----END', en+1)
+ st = certlist.find('-----BEGIN', en)
+ en = certlist.find('-----END', en+1)
 if st > 0:
 try:
 (chain_fd, chain_name) = tempfile.mkstemp()
- os.write(chain_fd, certs[st:en+25])
+ os.write(chain_fd, certlist[st:en+25])
 os.close(chain_fd)
- if subid == 0:
- nick = self.canickname
+ (rdn, subject) = certs.get_cert_nickname(certlist[st:en+25])
+ if subject.lower() == ('CN=Certificate Authority,%s' % normalized_base).lower():
+ nick = get_ca_nickname(self.realm)
 else:
- nick = "%s sub %d" % (self.canickname, subid)
+ nick = subject
 self.__run_certutil(
 ['-A', '-t', 'CT,C,C', '-n', nick, '-a', '-i', chain_name] |
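Review bot: In the third hunk the CA detection compares case-folded strings, `subject.lower() == ('CN=Certificate Authority,%s' % normalized_base).lower()`, which is fragile for DNs (spacing, escaping and attribute-type case vary between producers) even though `DN` is imported here precisely to normalise one side; comparing DN objects, e.g. `if DN(subject) == DN('CN=Certificate Authority', DN(self.subject_base)):`, would be more robust if the DN class supports multi-argument construction and equality. `subid` is still initialised at `subid = 0` but its only readers were removed, so it is dead unless it is read past the end of the hunk. Taking the raw subject as the nickname means two chain certificates with the same subject (cross-signed roots, for instance) would share one nickname, so a comment stating what `certutil -A` does on a nickname collision, or a uniqueness check before the call, would help the next reader. The enclosing method starts and ends outside the hunk, and `certs.get_cert_nickname` presumably resolves to a module imported outside the hunk now that the local has been renamed to `certlist`; a comment such as `# certlist is the openssl output; certs is the module providing get_cert_nickname` would make the purpose of the rename explicit.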