[Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

[Tomas Babej]

Hi,

For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.

Make the load_cacert method respect trust_flags and make "C,," default
set of trust flags.

https://fedorahosted.org/freeipa/ticket/4779

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 



>From dacea08e7f33451788f464907385f5ac88f1db4e Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Tue, 2 Dec 2014 13:13:51 +0100
Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert

For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.

Make the load_cacert method respect trust_flags and make "C,," default
set of trust flags.

https://fedorahosted.org/freeipa/ticket/4779
---
 ipaserver/install/certs.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..5a37acb2d2dbbd3193e59643add4c63f297ae2fe 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -238,7 +238,7 @@ class CertDB(object):
                          "-k", self.passwd_fname])
             self.set_perms(self.pk12_fname)
 
-    def load_cacert(self, cacert_fname, trust_flags='C,,'):
+    def load_cacert(self, cacert_fname, trust_flags=None):
         """
         Load all the certificates from a given file. It is assumed that
         this file creates CA certificates.
@@ -255,11 +255,9 @@ class CertDB(object):
                 (rdn, subject_dn) = get_cert_nickname(cert)
                 if subject_dn == ca_dn:
                     nick = get_ca_nickname(self.realm)
-                    tf = trust_flags
                 else:
                     nick = str(subject_dn)
-                    tf = ',,'
-                self.nssdb.add_cert(cert, nick, tf, pem=True)
+                self.nssdb.add_cert(cert, nick, trust_flags or "C,,", pem=True)
             except RuntimeError:
                 break
 
-- 
1.9.3


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel