author | Tomas Babej <tbabej@redhat.com> | 2014-12-02 13:13:51 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2014-12-02 14:44:42 +0000 |
commit | faec4ef9de431a1b72423be8ce6cea28a7221531 (patch) | |
tree | f45d2ac529edf63547aa8d5acdc003ea7f109cdd | |
parent | 79d9c4943617bf57fde4a38325cbc9a14d0ff495 (diff) | |
certs: Fix incorrect flag handling in load_cacert
For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of the trust_flags value that was
actually passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | ipaserver/install/certs.py | 6 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 2 |
2 files changed, 3 insertions, 5 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 5399a0fa5..7292cbbe3 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
 "-k", self.passwd_fname])
 self.set_perms(self.pk12_fname)
- def load_cacert(self, cacert_fname, trust_flags='C,,'):
+ def load_cacert(self, cacert_fname, trust_flags):
 """ Load all the certificates from a given file. It is assumed that this file creates CA certificates.
@@ -255,11 +255,9 @@ class CertDB(object):
 (rdn, subject_dn) = get_cert_nickname(cert)
 if subject_dn == ca_dn:
 nick = get_ca_nickname(self.realm)
- tf = trust_flags
 else:
 nick = str(subject_dn)
- tf = ',,'
- self.nssdb.add_cert(cert, nick, tf, pem=True)
+ self.nssdb.add_cert(cert, nick, trust_flags, pem=True)
 except RuntimeError:
 break
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 06c13c21d..66267f4cd 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -840,7 +840,7 @@ class DsInstance(service.Service):
 certdb.cacert_name = cacert_name
 status = True
 try:
- certdb.load_cacert(cacert_fname)
+ certdb.load_cacert(cacert_fname, 'C,,')
 except ipautil.CalledProcessError, e:
 root_logger.critical("Error importing CA cert file named [%s]: %s" % (cacert_fname, str(e))) |
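Review bot: The docstring under the new `load_cacert` signature in certs.py still says nothing about `trust_flags`, which is now mandatory and is applied to every certificate read from the file. I would add a line such as `trust_flags: NSS trust flags applied to each certificate loaded from cacert_fname, e.g. 'C,,'` so callers see that the value is no longer limited to the IPA CA entry. Dropping the default also turns any call that still passes a single argument into a TypeError; only the dsinstance.py call site is updated in this commit, so any other callers outside this diff should be checked. The method body continues outside the hunk.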
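Review bot: With `tf` removed in the second certs.py hunk, `self.nssdb.add_cert(cert, nick, trust_flags, pem=True)` gives every certificate in the file the caller's flags, so the dsinstance.py call with `'C,,'` now marks each entry of `cacert_fname` as a trusted CA where non-IPA entries previously received `',,'`. That matches the commit message, but it makes the contents of that file the trust boundary, and nothing visible in this hunk checks that an entry is actually a CA certificate. A comment above the call, for example `# every certificate in the file receives trust_flags; the file must hold only CA certificates meant to be trusted`, would record that expectation. The loop and its `except RuntimeError: break` exit start outside the hunk.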