Hi,

For CA certificates that are not certificates of the IPA CA, we incorrectly set the trust flags to ",,", regardless of what the actual trust_flags parameter was passed.

Make the load_cacert method respect trust_flags and make "C,," the default set of trust flags.

https://fedorahosted.org/freeipa/ticket/4779

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
>From dacea08e7f33451788f464907385f5ac88f1db4e Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Tue, 2 Dec 2014 13:13:51 +0100 Subject: [PATCH] certs: Fix incorrect flag handling in load_cacert For CA certificates that are not certificates of IPA CA, we incorrectly set the trust flags to ",,", regardless what the actual trust_flags parameter was passed. Make the load_cacert method respect trust_flags and make "C,," default set of trust flags. https://fedorahosted.org/freeipa/ticket/4779 --- ipaserver/install/certs.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 5399a0fa566c6f7df81a9d1e347f6ac99e5188c9..5a37acb2d2dbbd3193e59643add4c63f297ae2fe 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -238,7 +238,7 @@ class CertDB(object): "-k", self.passwd_fname]) self.set_perms(self.pk12_fname) - def load_cacert(self, cacert_fname, trust_flags='C,,'): + def load_cacert(self, cacert_fname, trust_flags=None): """ Load all the certificates from a given file. It is assumed that this file creates CA certificates. @@ -255,11 +255,9 @@ class CertDB(object): (rdn, subject_dn) = get_cert_nickname(cert) if subject_dn == ca_dn: nick = get_ca_nickname(self.realm) - tf = trust_flags else: nick = str(subject_dn) - tf = ',,' - self.nssdb.add_cert(cert, nick, tf, pem=True) + self.nssdb.add_cert(cert, nick, trust_flags or "C,,", pem=True) except RuntimeError: break -- 1.9.3
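Review bot: In the first hunk, changing the signature from `trust_flags='C,,'` to `trust_flags=None` moves the effective default out of the signature and into the call site, and the docstring directly below ("Load all the certificates from a given file. It is assumed that this file creates CA certificates.") still says nothing about trust_flags or what happens when it is omitted. Since the reported bug is only the `tf = ',,'` assignment in the else branch, keeping `trust_flags='C,,'` in the signature and removing that one line would fix it with a smaller diff and keep the default visible; if the None default is preferred, please document in the docstring that every certificate in the file receives `trust_flags`, defaulting to "C,," (trusted CA for issuing server certificates), because that is a trust decision callers should be able to see from the API.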
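Review bot: In the second hunk, `trust_flags or "C,,"` falls back to the default for any falsy value rather than only for None, so an explicitly passed empty string is silently promoted to "C,,"; a plain `if trust_flags is None: trust_flags = "C,,"` before the loop states the intent exactly and is evaluated once instead of on every iteration. Also worth stating explicitly in the commit message: before this change only the certificate whose subject matched the IPA CA received the caller's flags and every other certificate in the file got ",," (no trust), whereas after it every certificate in the file is trusted as a CA with "C,," unless the caller overrides, which is the intended fix but does widen what a file passed to load_cacert can make trusted. Minor style point: the removed line used single quotes (`'C,,'`) and the added one double quotes (`"C,,"`); keep one style within the file.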
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel