This is an automated email from the git hooks/post-receive script.
mhonek pushed a commit to branch 389-ds-base-1.4.2
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.2 by this push:
new 483f0d2 Issue 50952- SSCA lacks basicConstraint:CA
483f0d2 is described below
commit 483f0d25b3ddd0cdfdf3289478088f16874e068c
Author: Matus Honek <mhonek@redhat.com>
AuthorDate: Thu Mar 12 15:45:53 2020 +0100
Issue 50952- SSCA lacks basicConstraint:CA
Bug Description:
SSCA CA cert lacks basicConstraint:CA and for that reason it may not be
acknowledged as a CA cert by some tools, e.g. in case of system-wide
update-ca-trust tool.
Fix Description:
Add the constraint while generating the cert. And yes, we need to use stdin
since certutil does not provide a silent mode for this option.
Fixes https://pagure.io/389-ds-base/issue/50952
Author: Matus Honek <mhonek@redhat.com>
Review by: Mark, William (thanks!)
(cherry picked from commit aca3ae8039e319c684b4418789127824783e7ac1)
---
src/lib389/lib389/nss_ssl.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py
index 205773e..a772c5e 100644
--- a/src/lib389/lib389/nss_ssl.py
+++ b/src/lib389/lib389/nss_ssl.py
@@ -19,7 +19,7 @@ import logging
# from nss import nss
import subprocess
from datetime import datetime, timedelta, date
-from subprocess import check_output
+from subprocess import check_output, run
from lib389.passwd import password_generate
from lib389.lint import DSCERTLE0001, DSCERTLE0002
from lib389.utils import ensure_str, format_cmd_list
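Review bot: The import now reads `from subprocess import check_output, run` while `import subprocess` is already present two lines above, so the same module is pulled in under three names. If the call replaced further down in this patch was the only use of `check_output` in the file, drop it from this import; calling `subprocess.run(...)` through the existing module import would avoid adding a new name at all.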
@@ -242,6 +242,7 @@ only.
'CT,,',
'-v',
'%s' % months,
+ '-2',
'--keyUsage',
'certSigning',
'-d',
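Review bot: The bare `'-2'` added after the validity value has no comment, yet it is the one argument in this list that makes certutil prompt on stdin (the commit message notes there is no silent mode for it). Add a comment here stating that it requests the basic constraints extension and that its answers are supplied by `cmd_input` below, so a later change to the argument list does not leave the flags and the canned answers out of step.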
@@ -251,8 +252,9 @@ only.
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
+ cmd_input = b'y\n\n' # responses to certutil questions
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
- result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
+ result = ensure_str(run(cmd, check=True, capture_output=True, input=cmd_input).stdout)
self.log.debug("nss output: %s", result)
# Now extract the CAcert to a well know place.
# This allows us to point the cacert dir here and it "just works"
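Review bot: Replacing `check_output(cmd, stderr=subprocess.STDOUT)` with `run(..., capture_output=True, ...).stdout` stops merging stderr into `result`, so anything certutil writes to stderr no longer reaches the "nss output" debug line. Passing `stdout=subprocess.PIPE, stderr=subprocess.STDOUT` instead of `capture_output=True` keeps the previous behaviour and also avoids requiring Python 3.7 for `capture_output`. Separately, the comment on `cmd_input = b'y\n\n'` should name the prompt each of the two answers responds to, because the answers are positional and any prompt beyond them would read end-of-file.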