diff options
author | Jan Cholasta <jcholast@redhat.com> | 2014-12-04 08:15:46 +0000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2014-12-10 17:07:05 +0000 |
commit | f7f3c83748b3b5d5d968cc3c72145f3c5f23cd8b (patch) | |
tree | 2d411c34e102884dc0284d9ef44f9e4040c5ae72 /ipaserver/install/ipa_cacert_manage.py | |
parent | 337faf506462a01c6dbcd00f2039ed5627691864 (diff) | |
download | freeipa-f7f3c83748b3b5d5d968cc3c72145f3c5f23cd8b.tar.gz freeipa-f7f3c83748b3b5d5d968cc3c72145f3c5f23cd8b.tar.xz freeipa-f7f3c83748b3b5d5d968cc3c72145f3c5f23cd8b.zip |
Check subject name encoding in ipa-cacert-manage renew
https://fedorahosted.org/freeipa/ticket/4781
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/install/ipa_cacert_manage.py')
-rw-r--r-- | ipaserver/install/ipa_cacert_manage.py | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index 2a8d95fdb..8fda6a263 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -213,18 +213,21 @@ class CACertManage(admintool.AdminTool): try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject + der_subject = x509.get_der_subject(old_cert, x509.DER) #pylint: disable=E1101 pkinfo = nss_cert.subject_public_key_info.format() #pylint: enable=E1101 nss_cert = x509.load_certificate_from_file(cert_file.name) + cert = nss_cert.der_data if nss_cert.subject != subject: raise admintool.ScriptError("Subject name mismatch") + if x509.get_der_subject(cert, x509.DER) != der_subject: + raise admintool.ScriptError("Subject name encoding mismatch") #pylint: disable=E1101 if nss_cert.subject_public_key_info.format() != pkinfo: raise admintool.ScriptError("Subject public key info mismatch") #pylint: enable=E1101 - cert = nss_cert.der_data finally: del nss_cert nss.nss_shutdown() @@ -238,7 +241,7 @@ class CACertManage(admintool.AdminTool): tmpdb.add_cert(cert, 'IPA CA', 'C,,') except ipautil.CalledProcessError, e: raise admintool.ScriptError( - "Not compatible with the current CA certificate: %s", e) + "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: |