authorChristian Heimes <cheimes@redhat.com>2019-04-03 10:43:29 +0200
committerChristian Heimes <cheimes@redhat.com>2019-04-04 10:05:10 +0200
commit3c354e74f389da6bfd8f444a58cf3900fdf97434 (patch)
treea825052b79f0e28e4f8588a784b6f2e4c1fe8f4e /ipapython
parent350954589774499d99bf87cb5631c664bb0707c4 (diff)
Verify external CA's basic constraint pathlen
IPA now verifies that intermediate certs of external CAs have a basic constraint path len of at least 1 and increasing. Fixes: https://pagure.io/freeipa/issue/7877 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certdb.py14
1 files changed, 13 insertions, 1 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 3a38b2fea..294c160a2 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -541,6 +541,9 @@ class NSSDatabase:
def get_trust_chain(self, nickname):
"""Return names of certs in a given cert's trust chain
+ The list starts with root ca, then first intermediate CA, second
+ intermediate, and so on.
+
:param nickname: Name of the cert
:return: List of certificate names
"""
@@ -912,7 +915,7 @@ class NSSDatabase:
except ValueError:
raise ValueError('invalid for server %s' % hostname)
- def verify_ca_cert_validity(self, nickname):
+ def verify_ca_cert_validity(self, nickname, minpathlen=None):
cert = self.get_cert(nickname)
if not cert.subject:
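Review bot: The new `minpathlen` keyword on the `verify_ca_cert_validity` signature is undocumented, and the method has no docstring at all — `cert = self.get_cert(nickname)` follows the def directly. A short reST docstring in the style of `get_trust_chain` would help: one line saying it validates that the named cert is a usable CA certificate, `:param nickname:` the cert's NSS nickname, `:param minpathlen:` the minimum basic-constraints path length to require, with `None` (the default) skipping the check, and `:raises ValueError:` with a reason string on failure. It is worth stating there that a certificate whose basic constraints carry no path length is accepted for any `minpathlen`, since the check added further down in this diff treats `path_length is None` as unlimited, so callers validating an external CA chain should not read a pass as proof of a bounded path. The error string in that later hunk also misspells the word (`basic contraint pathlen` should be `basic constraint pathlen`). The body of `verify_ca_cert_validity` continues outside this hunk.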
@@ -926,6 +929,15 @@ class NSSDatabase:
if not bc.value.ca:
raise ValueError("not a CA certificate")
+ if minpathlen is not None:
+ # path_length is None means no limitation
+ pl = bc.value.path_length
+ if pl is not None and pl < minpathlen:
+ raise ValueError(
+ "basic contraint pathlen {}, must be at least {}".format(
+ pl, minpathlen
+ )
+ )
try:
ski = cert.extensions.get_extension_for_class(