URL: https://github.com/freeipa/freeipa/pull/1217 Author: pvoborni Title: #1217: [Backport][ipa-4-5] Include the CA basic constraint in CSRs when renewing a CA Action: opened
PR body: """ Opened manually as a backport of #963; the manual changes made during the cherry-pick are: ```diff diff --cc ipaserver/install/ipa_cacert_manage.py index fcbf091,86243d3..0000000 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@@ -309,8 -302,9 +309,9 @@@ class CACertManage(admintool.AdminTool) def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent', profile=''): timeout = api.env.startup_timeout + 60 - logger.debug("resubmitting certmonger request '%s'", self.request_id) + self.log.debug("resubmitting certmonger request '%s'", self.request_id) - certmonger.resubmit_request(self.request_id, ca=ca, profile=profile) + certmonger.resubmit_request(self.request_id, ca=ca, profile=profile, + is_ca=True) try: state = certmonger.wait_for_request(self.request_id, timeout) except RuntimeError: ``` (there was a conflict in logging) """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1217/head:pr1217 git checkout pr1217
From 42a64c93e277e5e03ac8102abfa322adca5a6582 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 9 Aug 2017 17:28:35 -0400
Subject: [PATCH] Include the CA basic constraint in CSRs when renewing a CA

The CSR generated by `ipa-cacert-manage renew --external-ca` did not include the CA basic constraint:

X509v3 Basic Constraints: critical
CA:TRUE

Add a flag to certmonger::resubmit_request to specify that a CA is being requested.

Note that this also sets pathlen to -1 which means an unlimited pathlen. Leave it up to the issuing CA to set this.

https://pagure.io/freeipa/issue/7088

Reviewed-By: Florence Blanc-Renaud <fren...@redhat.com>
---
 ipalib/install/certmonger.py           | 13 +++++++++++--
 ipaserver/install/ipa_cacert_manage.py |  3 ++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index c286996ee2..d2b782ddb0 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -519,16 +519,25 @@ def modify(request_id, ca=None, profile=None):
     request.obj_if.modify(update)
 
 
-def resubmit_request(request_id, ca=None, profile=None):
+def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
+    """
+    :param request_id: the certmonger numeric request ID
+    :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
+    :param profile: the dogtag template profile to use, e.g. SubCA
+    :param is_ca: boolean that if True adds the CA basic constraint
+    """
     request = _get_request({'nickname': request_id})
     if request:
-        if ca or profile:
+        if ca or profile or is_ca:
             update = {}
             if ca is not None:
                 cm = _certmonger()
                 update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
             if profile is not None:
                 update['template-profile'] = profile
+            if is_ca:
+                update['template-is-ca'] = True
+                update['template-ca-path-length'] = -1  # no path length
             request.obj_if.modify(update)
         request.obj_if.resubmit()
 
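Review bot: The added `update['template-ca-path-length'] = -1  # no path length` line is ambiguous as commented, since "no path length" could be read as pathlen 0 rather than "no constraint requested"; -1 asks for an unlimited path length and the commit message relies on the issuing CA to narrow it, so the comment should say so, e.g. `# -1 = no pathlen constraint in the CSR; the issuing CA is expected to impose one`. The `:param is_ca:` docstring line should likewise mention that the request also carries an unconstrained path length, because a reader of the signature alone would not expect that. Separately, because `is_ca` only ever adds keys to `update`, a request whose template was earlier marked `template-is-ca` presumably keeps that flag when it is later resubmitted with `is_ca=False`; worth confirming that this is the intended behaviour for non-CA resubmits. The leading context line belongs to `modify`, whose body starts outside the hunk.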
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index fcbf09155a..9607620d6c 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -310,7 +310,8 @@ def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent', profile=''):
         timeout = api.env.startup_timeout + 60
 
         self.log.debug("resubmitting certmonger request '%s'", self.request_id)
-        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
+        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile,
+                                    is_ca=True)
         try:
             state = certmonger.wait_for_request(self.request_id, timeout)
         except RuntimeError:
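Review bot: `is_ca=True` is passed unconditionally in the `certmonger.resubmit_request(...)` call, and nothing in the hunk records why every request this method resubmits is a CA request; a one-line comment above the call, e.g. `# this tool only renews the IPA CA's own certificate, so the CSR must carry CA:TRUE`, would stop a future caller from reusing the method for a non-CA renewal. That justification rests on the tool's name and the PR title rather than on code visible here, so the wording should be checked against the command's other code paths before it is committed. The enclosing method starts before the hunk and its try/except continues past it.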