| author | Fraser Tweedale <ftweedal@redhat.com> | 2018-11-13 15:49:49 +1100 |
|---|---|---|
| committer | Christian Heimes <cheimes@redhat.com> | 2018-11-13 14:19:18 +0100 |
| commit | 61e1d7a83bc357751c5eb081f537194565bc7e65 (patch) | |
| tree | fdc8e337cc037889e363f84b4cc82b63d7f9e38a /ipapython | |
| parent | a2a293ed2f40e3688634fc53dccb8d682fd2ab22 (diff) | |
| download | freeipa-61e1d7a83bc357751c5eb081f537194565bc7e65.tar.gz freeipa-61e1d7a83bc357751c5eb081f537194565bc7e65.tar.xz freeipa-61e1d7a83bc357751c5eb081f537194565bc7e65.zip | |
certdb: validate certificate signatures
When verifying a CA certificate, validate its signature. This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes. The '-e' option to 'certutil -V' was the
missing ingredient.
As an example of a problem prevented by this change, a certificate
signed by a 1024-bit intermediate CA would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test. With this change,
ipa-cacert-manage will reject the certificate:
# ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
Importing the renewed CA certificate, please wait
CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
certificate was signed using a signature algorithm that is
disabled because it is not secure.
Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Diffstat (limited to 'ipapython')
| -rw-r--r-- | ipapython/certdb.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py index ba7d0afe5..b84d7d3b7 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -933,8 +933,15 @@ class NSSDatabase: raise ValueError("subject key identifier must not be empty") try: - self.run_certutil(['-V', '-n', nickname, '-u', 'L'], - capture_output=True) + self.run_certutil( + [ + '-V', # check validity of cert and attrs + '-n', nickname, + '-u', 'L', # usage; 'L' means "SSL CA" + '-e', # check signature(s); this checks + # key sizes, sig algorithm, etc. + ], + capture_output=True) except ipautil.CalledProcessError as e: # certutil output in case of error is # 'certutil: certificate is invalid: <ERROR_STRING>\n' |
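Review bot: the inline comment on `'-e'` ("this checks key sizes, sig algorithm, etc.") understates what the new flag changes in behaviour: with `-e`, whether a signature algorithm or key size is "unacceptable" is decided by certutil's NSS algorithm policy on the host, not by anything in this method, so the same `-V -n <nick> -u L -e` call can pass on one system and fail with "signed using a signature algorithm that is disabled" on another. Suggest replacing the `etc.` comment with one that says so explicitly, e.g. `'-e',  # verify signature(s); key size and algorithm are subject to NSS policy`, and noting in the method's docstring that validity now depends on the NSS policy configuration, since that is what callers such as ipa-cacert-manage will surface to the user. The existing `except ipautil.CalledProcessError` branch still parses the same `certutil: certificate is invalid: <ERROR_STRING>` format, which the example in the commit message confirms for the new failure mode, so no change is needed there.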
