URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: synchronized
From d1d8fdf8e3119067b34164e63e893846803c9fff Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 26 Apr 2017 08:19:27 +0200 Subject: [PATCH] Fix CA/server cert validation in FIPS In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 --- ipapython/certdb.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index f1410e5..2f45261 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0): return (cert, e) +def get_file_cont(slot, token, filename): + with open(filename) as f: + return f.read() + + class NSSDatabase(object): """A general-purpose wrapper around a NSS cert database @@ -547,12 +552,14 @@ def verify_server_cert_validity(self, nickname, hostname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) + nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) intended_usage = nss.certificateUsageSSLServer try: - approved_usage = cert.verify_now(certdb, True, intended_usage) + approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: raise ValueError(e.strerror) @@ -572,6 +579,7 @@ def verify_ca_cert_validity(self, nickname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) + nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) 
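Review bot: `get_file_cont` has no docstring, and nothing at the definition says that `slot` and `token` are unused only because the signature is dictated by the NSS password-callback contract, so a later maintainer may be tempted to drop them; a docstring such as `"""NSS password callback: return the token password stored in *filename* (the callback's user-data argument). slot and token are unused."""` would fix that. The callback returns the file's full contents, so if the password file is newline-terminated the newline becomes part of the password handed to NSS — worth confirming how this class writes the file (the writer is not visible here), and otherwise `return f.read().rstrip('\n')`. The name is also very generic for a module-level function that is only meaningful as an NSS callback; something like `nss_password_callback` would say what it is for.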
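Review bot: `nss.set_password_callback(get_file_cont)` installs a process-wide callback whose `open(filename)` raises `IOError` when `self.pwd_file` does not exist or is unreadable (or `TypeError` if it is None); that exception is presumably surfaced from inside `cert.verify_now`, is not an `NSPRError`, and so escapes past the `except NSPRError` handler instead of becoming the `ValueError` the surrounding code turns NSS failures into. The same applies to the hunks at -572 and -586 in `verify_ca_cert_validity`. A guard before the NSS (re)initialisation, such as `if not os.path.isfile(self.pwd_file): raise ValueError("cannot read NSS password file %s" % self.pwd_file)`, keeps the failure mode uniform, assuming `os` is already imported in this module. Both method bodies start and end outside these hunks, so I cannot see whether an enclosing `finally` resets the callback or shuts NSS down after use.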
@@ -586,7 +594,8 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") intended_usage = nss.certificateUsageSSLCA try: - approved_usage = cert.verify_now(certdb, True, intended_usage) + approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE raise ValueError(e.strerror)