[Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs
Fraser Tweedale
ftweedal at redhat.com
Fri Aug 26 05:42:22 UTC 2016
On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote:
> Hi all,
>
> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221.
> It depends on Honza's PR #20
> https://github.com/freeipa/freeipa/pull/20.
>
> Thanks,
> Fraser
>
It does help to attach the patch :)
-------------- next part --------------
From 35ab316731d49d503a66d8621b1812a2eb50d180 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 26 Aug 2016 15:31:13 +1000
Subject: [PATCH] Make host/service cert revocation aware of lightweight CAs
Revocation of host/service certs on host/service deletion is broken
when cert is issued by a lightweight (sub)CA, causing the delete
operation to be aborted. Look up the issuing CA and pass it to
'cert_revoke' to fix the issue.
Fixes: https://fedorahosted.org/freeipa/ticket/6221
---
ipaserver/plugins/service.py | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 04d1916fe989a8651bcc4d44f1914c460be1081c..ada5cd1e6f0d289332d77ec651732ba70843ff65 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -232,19 +232,38 @@ def revoke_certs(certs, logger=None):
logger.info("Problem decoding certificate: %s" % e)
serial = unicode(x509.get_serial_number(cert, x509.DER))
+ issuer = unicode(x509.get_issuer(cert, x509.DER))
try:
- result = api.Command['cert_show'](unicode(serial))['result']
+ # search by serial+issuer, not full cert match
+ results = api.Command['cert_find'](
+ min_serial_number=serial,
+ max_serial_number=serial,
+ issuer=issuer
+ )['result']
+ if len(results) == 0:
+ # Dogtag doesn't know about the cert therefore
+ # we cannot revoke it. Perhaps it was issued by
+ # a 3rd-party CA.
+ continue
+ result = results[0]
except errors.CertificateOperationError:
continue
- if 'revocation_reason' in result:
+ if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}:
continue
- if x509.normalize_certificate(result['certificate']) != cert:
+ if 'cacn' not in result:
+ # cert is known to Dogtag, but CA appears to have been
+ # deleted. We cannot revoke this cert via IPA anymore.
+ # We could go directly to Dogtag to revoke it, but the
+ # issuer's cert should have been revoked so never mind.
continue
try:
- api.Command['cert_revoke'](unicode(serial),
- revocation_reason=4)
+ api.Command['cert_revoke'](
+ serial,
+ cacn=result['cacn'],
+ revocation_reason=4,
+ )
except errors.NotImplementedError:
# some CA's might not implement revoke
pass
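Review bot: dropping the `x509.normalize_certificate(result['certificate']) != cert` comparison means the cert that gets revoked is now identified only by the `cert_find` result for `min_serial_number`/`max_serial_number` plus `issuer`, so this is only as safe as that `issuer` filter being an exact DN match against the string `x509.get_issuer(cert, x509.DER)` produces; if `cert_find` matches issuer loosely or with a different DN serialization, `results[0]` can be a different cert (or nothing, silently skipping revocation). Please either keep the full-cert comparison as a belt-and-braces check on `results[0]['certificate']`, or assert `len(results) == 1` and treat anything else as an error. Related: the three new `continue` paths (no result, already revoked, no `cacn`) leave a possibly still-valid certificate unrevoked while the host/service delete proceeds, so they should at least emit a `logger.info(...)` like the decode failure above does (keeping in mind `logger` defaults to `None` in the signature), rather than being silent. Minor: `result['status']` will `KeyError` if the entry lacks a status; `result.get('status')` would be safer.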
--
2.5.5