On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: > Hi all, > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. > It depends on Honza's PR #20 > https://github.com/freeipa/freeipa/pull/20. > > Thanks, > Fraser > It does help to attach the patch :)
From 35ab316731d49d503a66d8621b1812a2eb50d180 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 26 Aug 2016 15:31:13 +1000 Subject: [PATCH] Make host/service cert revocation aware of lightweight CAs
Revocation of host/service certs on host/service deletion is broken when cert is issued by a lightweight (sub)CA, causing the delete operation to be aborted. Look up the issuing CA and pass it to 'cert_revoke' to fix the issue. Fixes: https://fedorahosted.org/freeipa/ticket/6221 --- ipaserver/plugins/service.py | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 04d1916fe989a8651bcc4d44f1914c460be1081c..ada5cd1e6f0d289332d77ec651732ba70843ff65 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py 
@@ -232,19 +232,38 @@ def revoke_certs(certs, logger=None):
 logger.info("Problem decoding certificate: %s" % e)
 serial = unicode(x509.get_serial_number(cert, x509.DER))
+ issuer = unicode(x509.get_issuer(cert, x509.DER))
 try:
- result = api.Command['cert_show'](unicode(serial))['result']
+ # search by serial+issuer, not full cert match
+ results = api.Command['cert_find'](
+ min_serial_number=serial,
+ max_serial_number=serial,
+ issuer=issuer
+ )['result']
+ if len(results) == 0:
+ # Dogtag doesn't know about the cert therefore
+ # we cannot revoke it. Perhaps it was issued by
+ # a 3rd-party CA.
+ continue
+ result = results[0]
 except errors.CertificateOperationError:
 continue
- if 'revocation_reason' in result:
+ if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}:
 continue
- if x509.normalize_certificate(result['certificate']) != cert:
+ if 'cacn' not in result:
+ # cert is known to Dogtag, but CA appears to have been
+ # deleted. We cannot revoke this cert via IPA anymore.
+ # We could go directly to Dogtag to revoke it, but the
+ # issuer's cert should have been revoked so never mind.
+ continue
 try:
- api.Command['cert_revoke'](unicode(serial),
- revocation_reason=4)
+ api.Command['cert_revoke'](
+ serial,
+ cacn=result['cacn'],
+ revocation_reason=4,
+ )
 except errors.NotImplementedError:
 # some CA's might not implement revoke
 pass
-- 2.5.5
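Review bot: Removing the `x509.normalize_certificate(result['certificate']) != cert` comparison (the deleted line just before the new `'cacn' not in result` check) means the certificate stored on the host/service entry is no longer verified to be the one Dogtag returned, so serial number plus issuer DN alone now decides which certificate gets revoked. Anyone able to write userCertificate on the entry could store a certificate that merely claims the IPA CA's issuer DN and another entity's serial number, and deleting the entry would then revoke that unrelated certificate with reason 4, so if cert_find returns the certificate body as cert_show did, keep the comparison right after `result = results[0]`: `if x509.normalize_certificate(result['certificate']) != cert:` / `continue`. The new `continue` branches are also silent, which hides the fact that a deleted host or service keeps a valid certificate (an issuer-DN string that does not match Dogtag's rendering would land in the "3rd-party CA" branch every time), so report each skip through the `logger` the function already calls, e.g. `logger.warning("Not revoking certificate %s (issuer %s): not found in Dogtag", serial, issuer)`. The comment that a deleted CA's own certificate "should have been revoked" is an assumption this code does not check; confirming that ca-del actually revokes the signing certificate would decide whether the missing-cacn branch is a real gap. revoke_certs begins before this hunk, so whether `logger` can be None here is not visible.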