Tuesday, March 24, 2020

[389-commits] [389-ds-base] branch 389-ds-base-1.4.1 updated: Issue 50952- SSCA lacks basicConstraint:CA

This is an automated email from the git hooks/post-receive script.

mhonek pushed a commit to branch 389-ds-base-1.4.1
in repository 389-ds-base.

The following commit(s) were added to refs/heads/389-ds-base-1.4.1 by this push:
new 9c5cfbd Issue 50952- SSCA lacks basicConstraint:CA
9c5cfbd is described below

commit 9c5cfbd267e067a17bcc34b6e085e78cb860e0b0
Author: Matus Honek <mhonek@redhat.com>
AuthorDate: Thu Mar 12 15:45:53 2020 +0100

Issue 50952- SSCA lacks basicConstraint:CA

Bug Description:
SSCA CA cert lacks basicConstraint:CA and for that reason it may not be
acknowledged as a CA cert by some tools, e.g. in case of system-wide
update-ca-trust tool.

Fix Description:
Add the constraint while generating the cert. And yes, we need to use stdin
since certutil does not provide a silent mode for this option.

Fixes https://pagure.io/389-ds-base/issue/50952

Author: Matus Honek <mhonek@redhat.com>

Review by: Mark, William (thanks!)

(cherry picked from commit aca3ae8039e319c684b4418789127824783e7ac1)
---
src/lib389/lib389/nss_ssl.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py
index 02acf88..9c5b972 100644
--- a/src/lib389/lib389/nss_ssl.py
+++ b/src/lib389/lib389/nss_ssl.py
@@ -19,7 +19,7 @@ import logging
# from nss import nss
import subprocess
from datetime import datetime, timedelta, date
-from subprocess import check_output
+from subprocess import check_output, run
from lib389.passwd import password_generate
from lib389.lint import DSCERTLE0001, DSCERTLE0002
from lib389.utils import ensure_str, format_cmd_list
@@ -242,6 +242,7 @@ only.
'CT,,',
'-v',
'%s' % months,
+ '-2',
'--keyUsage',
'certSigning',
'-d',
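Review bot: the bare `-2` flag deserves an inline comment stating that it adds the basicConstraints extension and that certutil then prompts interactively for its values (the answers are fed through stdin later in this patch). Without that note a future reader of this argument list cannot tell why this one option needs stdin handling when the others do not, e.g. `'-2',  # basicConstraints extension; certutil prompts for CA flag and path length`.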
@@ -251,8 +252,9 @@ only.
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
+ cmd_input = b'y\n\n' # responses to certutil questions
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
- result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
+ result = ensure_str(run(cmd, check=True, capture_output=True, input=cmd_input).stdout)
self.log.debug("nss output: %s", result)
# Now extract the CAcert to a well know place.
# This allows us to point the cacert dir here and it "just works"
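Review bot: switching from `check_output(cmd, stderr=subprocess.STDOUT)` to `run(..., capture_output=True)` changes what is logged on failure: stderr is no longer merged into `result`, so the `nss output` debug line will miss certutil's error text and the raised `CalledProcessError` carries it only in its `.stderr` attribute. Either log `completed.stderr` as well, or keep `stderr=subprocess.STDOUT` with `stdout=subprocess.PIPE` and `input=cmd_input`. Two smaller points on the same hunk: the comment on `cmd_input = b'y\n\n'` should spell out which prompt each answer addresses (`y` for the CA question, an empty line to skip the path length constraint; certutil's basicConstraints prompts also ask whether the extension is critical, and that prompt would read EOF here, so the resulting default should be stated explicitly), and `capture_output=` exists only from Python 3.7, which is worth confirming against the interpreter versions this branch supports.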

--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
_______________________________________________
389-commits mailing list -- 389-commits@lists.fedoraproject.org
To unsubscribe send an email to 389-commits-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-commits@lists.fedoraproject.org
