authorFraser Tweedale <ftweedal@redhat.com>2017-05-25 15:42:58 +1000
committerMartin Basti <mbasti@redhat.com>2017-05-30 12:39:15 +0200
commitbc6d4995144505c45a62320c71f503b54f68a962 (patch)
tree81e2254f94057b562778aff17c2c90ba4df5563a /ipapython
parentd73ec06cb3c8042f90d1520485aa9b0f2e7c8fbe (diff)
Add Subject Key Identifier to CA cert validity check
CA certificates MUST have the Subject Key Identifier extension to facilitate certification path construction. Not having this extension on the IPA CA certificate will cause failures in Dogtag during signing; it tries to copy the CA's Subject Key Identifier to the new certificate's Authority Key Identifier extension, which fails. When installing an externally-signed CA, check that the Subject Key Identifier extension is present in the CA certificate. Fixes: https://pagure.io/freeipa/issue/6976 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certdb.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index fa6995d3d..8c5382191 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -717,6 +717,12 @@ class NSSDatabase(object):
raise ValueError("not a CA certificate")
try:
+ cert.extensions.get_extension_for_class(
+ cryptography.x509.SubjectKeyIdentifier)
+ except cryptography.x509.ExtensionNotFound:
+ raise ValueError("missing subject key identifier extension")
+
+ try:
self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
capture_output=True)
except ipautil.CalledProcessError as e:
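Review bot: The added `cert.extensions.get_extension_for_class(cryptography.x509.SubjectKeyIdentifier)` check carries no comment saying why the extension is mandatory, so a future maintainer seeing an externally-signed CA rejected has only the ValueError text to go on. I would put `# RFC 5280 4.2.1.2: every conforming CA cert MUST carry SKI; Dogtag copies it into the AKI of certs it issues and signing fails without it.` above the new `try:`. The message `"missing subject key identifier extension"` could also name the certificate, e.g. `raise ValueError("%s: missing subject key identifier extension" % nickname)`, since `nickname` is already in scope for the certutil call below, though whether callers surface the message verbatim is not visible here. Note this is a presence check only; it does not (and per RFC 5280 need not) verify that the SKI value was derived from the public key. The enclosing method begins before the hunk and the `except ipautil.CalledProcessError` body continues past its end.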