[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Jan Cholasta jcholast at redhat.com
Tue Jun 7 13:24:06 UTC 2011


On 6.6.2011 21:25, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 26.4.2011 22:52, Rob Crittenden wrote:
>>> The goal is to not import foreign certificates.
>>>
>>> This caused a bunch of tests to fail because we had a hardcoded server
>>> certificate. Instead a developer will need to run make-testcert to
>>> create a server certificate generated by the local CA to test against.
>>>
>>> ticket 1134
>>>
>>> rob
>>>
>>
>> NACK
>>
>> The certificate isn't verified in host-add.
>>
>> I suspect that certificates signed by an intermediate CA (i.e. when the
>> certificate chain length > 2) are considered invalid. Is that the
>> desired behavior?
>
> That will work as long as the issuer is the IPA CA. I see that if we are
> given a service cert issued by another CA in the chain things could go
> badly. I'm not sure this is something to really worry about though.

I guess it's not. But I'd like a second opinion on that.

>
>>
>> make-testcert fails with:
>>
>> Traceback (most recent call last):
>> File "./make-testcert", line 126, in <module>
>> sys.exit(makecert(reqdir))
>> File "./make-testcert", line 105, in makecert
>> add=True)
>> File "./make-testcert", line 66, in run
>> result = self.execute(method, *args, **options)
>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
>> raise error #pylint: disable=E0702
>> ipalib.errors.CommandError: unknown command 'cert_request'
>>
>> This is probably an error on my part (tried running it on both my
>> machine without IPA installed and on VM with IPA installed with no
>> luck), but nonetheless it should be fixed to fail gracefully so that the
>> tests in "make test" have a chance to run. Similarly, the tests which
>> use the test certificate created by make-testcert should be skipped if
>> the certificate isn't available.
>
> You need to take the certificate databases from a self-signed install
> and copy them to ~/.ipa/alias/ in order to do certificate testing. There
> is documentation on how to do this in tests/test_xmlrpc/test_cert.py
>
> I think this should be mandatory as certificates are a main feature of v2.

No matter what I do, I'm still getting the unknown command error. Can 
you describe the steps needed to make make-testcert successfully run?

BTW, it would be nice if "make test" printed an informational message 
when the requirements to run the tests aren't met instead of failing 
with some random error.

>
> rob

Honza

-- 
Jan Cholasta
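The point raised above (an "issuer must be our CA" check works for certificates issued directly by the IPA CA but rejects anything signed through an intermediate, and a chain-aware check is what would accept the longer chain) can be shown with a small self-contained script. This is an added illustration, not FreeIPA's cert plugin code; it uses the `cryptography` package, generates throwaway keys in memory, and the CA and host names ("IPA CA", "IPA Sub CA", "Other CA", host1..host4.example.test) are constructed for the demo. The function names `issuer_is_ca` and `chains_to_ca` are likewise assumptions, not ipalib API.

```python
"""Added example (not FreeIPA code): naive issuer-equality check vs. a
chain-aware check for imported service certificates.  All names and
keys below are constructed in memory for the demo."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a cert for subject_cn.  issuer_cert supplies the issuer DN and
    issuer_key signs it; pass None for both to get a self-signed root.
    Passing a mismatched cert/key pair deliberately forges the issuer DN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    sign_key = issuer_key if issuer_key is not None else key
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(sign_key, hashes.SHA256())
    )
    return cert, key


def issuer_is_ca(cert, ca_cert):
    """Naive check: issuer DN must equal our CA's subject DN AND the
    signature must verify under the CA key, so a foreign cert cannot pass
    merely by copying our issuer name into its issuer field."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
    except Exception:
        return False
    return True


def chains_to_ca(cert, ca_cert, intermediates):
    """Chain-aware check: follow issuer links through the supplied
    intermediate CA certs until one of them is signed by our CA."""
    pool = {c.subject.rfc4514_string(): c for c in intermediates}
    seen = set()
    current = cert
    while True:
        if issuer_is_ca(current, ca_cert):
            return True
        nxt = pool.get(current.issuer.rfc4514_string())
        if nxt is None or nxt.subject.rfc4514_string() in seen:
            return False  # dangling or looping chain: reject
        seen.add(nxt.subject.rfc4514_string())
        current = nxt


def demo():
    """Build the four cases discussed and run both checks on each."""
    ipa_ca, ipa_key = make_cert("IPA CA", None, None, True)
    sub_ca, sub_key = make_cert("IPA Sub CA", ipa_ca, ipa_key, True)
    foreign_ca, foreign_key = make_cert("Other CA", None, None, True)

    direct, _ = make_cert("host1.example.test", ipa_ca, ipa_key, False)
    via_sub, _ = make_cert("host2.example.test", sub_ca, sub_key, False)
    foreign, _ = make_cert("host3.example.test", foreign_ca, foreign_key, False)
    # issuer DN says "IPA CA" but the signature was made with the foreign key
    spoofed, _ = make_cert("host4.example.test", ipa_ca, foreign_key, False)

    return {
        "direct_naive": issuer_is_ca(direct, ipa_ca),
        "via_sub_naive": issuer_is_ca(via_sub, ipa_ca),
        "foreign_naive": issuer_is_ca(foreign, ipa_ca),
        "spoofed_naive": issuer_is_ca(spoofed, ipa_ca),
        "via_sub_chain": chains_to_ca(via_sub, ipa_ca, [sub_ca]),
        "foreign_chain": chains_to_ca(foreign, ipa_ca, [sub_ca]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The naive check accepts only the certificate issued directly by the IPA CA; the one issued through "IPA Sub CA" is rejected even though it ultimately chains to the same root, which is exactly the chain-length > 2 behaviour questioned in the thread. The chain-aware variant accepts it while still rejecting the foreign certificate, and the signature verification inside `issuer_is_ca` is what stops a certificate that merely names the IPA CA as its issuer.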
