ipa/0007-ipa-p11-kit-fixes.patch

From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Mon, 16 Oct 2017 13:29:07 +0200
Subject: [PATCH] p11-kit: add serial number in DER format

This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.

https://pagure.io/freeipa/issue/7210
---
 ipalib/x509.py              | 7 +++++++
 ipaplatform/redhat/tasks.py | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 9f7a3c3115..205e2f82d3 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -123,18 +123,21 @@ def __init__(self, cert, backend=None):
         # some field types encode-decoding is not strongly defined
         self._subject = self.__get_der_field('subject')
         self._issuer = self.__get_der_field('issuer')
+        self._serial_number = self.__get_der_field('serialNumber')
 
     def __getstate__(self):
         state = {
             '_cert': self.public_bytes(Encoding.DER),
             '_subject': self.subject_bytes,
             '_issuer': self.issuer_bytes,
+            '_serial_number': self._serial_number,
         }
         return state
 
     def __setstate__(self, state):
         self._subject = state['_subject']
         self._issuer = state['_issuer']
+        self._issuer = state['_serial_number']
         self._cert = crypto_x509.load_der_x509_certificate(
             state['_cert'], backend=default_backend())
 
@@ -216,6 +219,10 @@ def serial_number(self):
         return self._cert.serial_number
 
     @property
+    def serial_number_bytes(self):
+        return self._serial_number
+
+    @property
     def version(self):
         return self._cert.version
 
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 81c9286daf..0e7810f623 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
             try:
                 subject = cert.subject_bytes
                 issuer = cert.issuer_bytes
-                serial_number = cert.serial_number
+                serial_number = cert.serial_number_bytes
                 public_key_info = cert.public_key_info_bytes
             except (PyAsn1Error, ValueError, CertificateError) as e:
                 logger.warning(
@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
             label = urllib.parse.quote(nickname)
             subject = urllib.parse.quote(subject)
             issuer = urllib.parse.quote(issuer)
-            serial_number = urllib.parse.quote(str(serial_number))
+            serial_number = urllib.parse.quote(serial_number)
             public_key_info = urllib.parse.quote(public_key_info)
 
             obj = ("[p11-kit-object-v1]\n"
Another attempt at fixing bug 1491053 2017-10-16 18:56:03 +00:00			`From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001`
			`From: Stanislav Laznicka <slaznick@redhat.com>`
			`Date: Mon, 16 Oct 2017 13:29:07 +0200`
			`Subject: [PATCH] p11-kit: add serial number in DER format`

			`This causes Firefox to report our CA certificate as not-trustworthy.`
			`We were previously doing this correctly, however it slipped as an`
			`error due to certificate refactoring.`

			`https://pagure.io/freeipa/issue/7210`
			`---`
			`ipalib/x509.py \| 7 +++++++`
			`ipaplatform/redhat/tasks.py \| 4 ++--`
			`2 files changed, 9 insertions(+), 2 deletions(-)`

			`diff --git a/ipalib/x509.py b/ipalib/x509.py`
			`index 9f7a3c3115..205e2f82d3 100644`
			`--- a/ipalib/x509.py`
			`+++ b/ipalib/x509.py`
			`@@ -123,18 +123,21 @@ def __init__(self, cert, backend=None):`
			`# some field types encode-decoding is not strongly defined`
			`self._subject = self.__get_der_field('subject')`
			`self._issuer = self.__get_der_field('issuer')`
			`+ self._serial_number = self.__get_der_field('serialNumber')`

			`def __getstate__(self):`
			`state = {`
			`'_cert': self.public_bytes(Encoding.DER),`
			`'_subject': self.subject_bytes,`
			`'_issuer': self.issuer_bytes,`
			`+ '_serial_number': self._serial_number,`
			`}`
			`return state`

			`def __setstate__(self, state):`
			`self._subject = state['_subject']`
			`self._issuer = state['_issuer']`
			`+ self._issuer = state['_serial_number']`
			`self._cert = crypto_x509.load_der_x509_certificate(`
			`state['_cert'], backend=default_backend())`

			`@@ -216,6 +219,10 @@ def serial_number(self):`
			`return self._cert.serial_number`

			`@property`
			`+ def serial_number_bytes(self):`
			`+ return self._serial_number`
			`+`
			`+ @property`
			`def version(self):`
			`return self._cert.version`

			`diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py`
			`index 81c9286daf..0e7810f623 100644`
			`--- a/ipaplatform/redhat/tasks.py`
			`+++ b/ipaplatform/redhat/tasks.py`
			`@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):`
			`try:`
			`subject = cert.subject_bytes`
			`issuer = cert.issuer_bytes`
			`- serial_number = cert.serial_number`
			`+ serial_number = cert.serial_number_bytes`
			`public_key_info = cert.public_key_info_bytes`
			`except (PyAsn1Error, ValueError, CertificateError) as e:`
			`logger.warning(`
			`@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):`
			`label = urllib.parse.quote(nickname)`
			`subject = urllib.parse.quote(subject)`
			`issuer = urllib.parse.quote(issuer)`
			`- serial_number = urllib.parse.quote(str(serial_number))`
			`+ serial_number = urllib.parse.quote(serial_number)`
			`public_key_info = urllib.parse.quote(public_key_info)`

			`obj = ("[p11-kit-object-v1]\n"`