[Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs

Fraser Tweedale ftweedal at redhat.com
Fri Aug 26 05:42:22 UTC 2016


On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote:
> Hi all,
> 
> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221.
> It depends on Honza's PR #20
> https://github.com/freeipa/freeipa/pull/20.
> 
> Thanks,
> Fraser
> 
It does help to attach the patch :)
From 35ab316731d49d503a66d8621b1812a2eb50d180 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 26 Aug 2016 15:31:13 +1000
Subject: [PATCH] Make host/service cert revocation aware of lightweight CAs

Revocation of host/service certs on host/service deletion is broken
when cert is issued by a lightweight (sub)CA, causing the delete
operation to be aborted.  Look up the issuing CA and pass it to
'cert_revoke' to fix the issue.

Fixes: https://fedorahosted.org/freeipa/ticket/6221
---
 ipaserver/plugins/service.py | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 04d1916fe989a8651bcc4d44f1914c460be1081c..ada5cd1e6f0d289332d77ec651732ba70843ff65 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -232,19 +232,38 @@ def revoke_certs(certs, logger=None):
                 logger.info("Problem decoding certificate: %s" % e)
 
         serial = unicode(x509.get_serial_number(cert, x509.DER))
+        issuer = unicode(x509.get_issuer(cert, x509.DER))
 
         try:
-            result = api.Command['cert_show'](unicode(serial))['result']
+            # search by serial+issuer, not full cert match
+            results = api.Command['cert_find'](
+                min_serial_number=serial,
+                max_serial_number=serial,
+                issuer=issuer
+            )['result']
+            if len(results) == 0:
+                # Dogtag doesn't know about the cert therefore
+                # we cannot revoke it.  Perhaps it was issued by
+                # a 3rd-party CA.
+                continue
+            result = results[0]
         except errors.CertificateOperationError:
             continue
-        if 'revocation_reason' in result:
+        if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}:
             continue
-        if x509.normalize_certificate(result['certificate']) != cert:
+        if 'cacn' not in result:
+            # cert is known to Dogtag, but CA appears to have been
+            # deleted.  We cannot revoke this cert via IPA anymore.
+            # We could go directly to Dogtag to revoke it, but the
+            # issuer's cert should have been revoked so never mind.
             continue
 
         try:
-            api.Command['cert_revoke'](unicode(serial),
-                                       revocation_reason=4)
+            api.Command['cert_revoke'](
+                serial,
+                cacn=result['cacn'],
+                revocation_reason=4,
+            )
         except errors.NotImplementedError:
             # some CA's might not implement revoke
             pass
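Review bot: the new `if len(results) == 0: continue` branch silently drops the revocation; since the surrounding code already logs at `logger.info` for a decode problem, log the skipped serial/issuer here too, otherwise a `cert_find` miss caused by a mismatch between the DN string `x509.get_issuer` produces and the issuer form Dogtag indexes would look identical to a genuine third-party cert and leave an unrevoked cert behind with no trace. Same for the `'cacn' not in result` branch. Also, `result = results[0]` assumes the serial+issuer filter yields at most one entry; if more than one can come back, either pick the one whose `certificate` matches `cert` (the check the old `x509.normalize_certificate(result['certificate']) != cert` line provided and this hunk removes) or log that the match was ambiguous.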
-- 
2.5.5