From c37e83f4b3c19df305648bab9a12e81956c8e232 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Fri, 26 Jun 2015 16:04:00 +0200
Subject: DNSSEC: Detect invalid master keys in LDAP.

This should never happen ...

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 daemons/dnssec/ipa-dnskeysync-replica | 1 +
 1 file changed, 1 insertion(+)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index c2c4c2725..551c2f21d 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -74,6 +74,7 @@ def ldap2replica_master_keys_sync(log, ldapkeydb, localhsm):
     log.debug("new master keys in LDAP HSM: %s", hex_set(new_keys))
     for mkey_id in new_keys:
         mkey_ldap = ldapkeydb.master_keys[mkey_id]
+        assert mkey_ldap.wrapped_entries, "Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute" % hexlify(mkey_id)
         for wrapped_ldap in mkey_ldap.wrapped_entries:
             unwrapping_key = find_unwrapping_key(log, localhsm,
                     wrapped_ldap.single_value['ipaWrappingKey'])
-- 
cgit