Another attempt at fixing bug 1491053
This commit is contained in:
Alexander Bokovoy
parent
28ce588c87
commit
cca65702ef
74
0007-ipa-p11-kit-fixes.patch
Normal file
74
0007-ipa-p11-kit-fixes.patch
Normal file
@ -0,0 +1,74 @@
|
||||
From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Laznicka <slaznick@redhat.com>
|
||||
Date: Mon, 16 Oct 2017 13:29:07 +0200
|
||||
Subject: [PATCH] p11-kit: add serial number in DER format
|
||||
|
||||
This causes Firefox to report our CA certificate as not-trustworthy.
|
||||
We were previously doing this correctly, however it slipped as an
|
||||
error due to certificate refactoring.
|
||||
|
||||
https://pagure.io/freeipa/issue/7210
|
||||
---
|
||||
ipalib/x509.py | 7 +++++++
|
||||
ipaplatform/redhat/tasks.py | 4 ++--
|
||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipalib/x509.py b/ipalib/x509.py
|
||||
index 9f7a3c3115..205e2f82d3 100644
|
||||
--- a/ipalib/x509.py
|
||||
+++ b/ipalib/x509.py
|
||||
@@ -123,18 +123,21 @@ def __init__(self, cert, backend=None):
|
||||
# some field types encode-decoding is not strongly defined
|
||||
self._subject = self.__get_der_field('subject')
|
||||
self._issuer = self.__get_der_field('issuer')
|
||||
+ self._serial_number = self.__get_der_field('serialNumber')
|
||||
|
||||
def __getstate__(self):
|
||||
state = {
|
||||
'_cert': self.public_bytes(Encoding.DER),
|
||||
'_subject': self.subject_bytes,
|
||||
'_issuer': self.issuer_bytes,
|
||||
+ '_serial_number': self._serial_number,
|
||||
}
|
||||
return state
|
||||
|
||||
def __setstate__(self, state):
|
||||
self._subject = state['_subject']
|
||||
self._issuer = state['_issuer']
|
||||
+ self._issuer = state['_serial_number']
|
||||
self._cert = crypto_x509.load_der_x509_certificate(
|
||||
state['_cert'], backend=default_backend())
|
||||
|
||||
@@ -216,6 +219,10 @@ def serial_number(self):
|
||||
return self._cert.serial_number
|
||||
|
||||
@property
|
||||
+ def serial_number_bytes(self):
|
||||
+ return self._serial_number
|
||||
+
|
||||
+ @property
|
||||
def version(self):
|
||||
return self._cert.version
|
||||
|
||||
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
|
||||
index 81c9286daf..0e7810f623 100644
|
||||
--- a/ipaplatform/redhat/tasks.py
|
||||
+++ b/ipaplatform/redhat/tasks.py
|
||||
@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
|
||||
try:
|
||||
subject = cert.subject_bytes
|
||||
issuer = cert.issuer_bytes
|
||||
- serial_number = cert.serial_number
|
||||
+ serial_number = cert.serial_number_bytes
|
||||
public_key_info = cert.public_key_info_bytes
|
||||
except (PyAsn1Error, ValueError, CertificateError) as e:
|
||||
logger.warning(
|
||||
@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
|
||||
label = urllib.parse.quote(nickname)
|
||||
subject = urllib.parse.quote(subject)
|
||||
issuer = urllib.parse.quote(issuer)
|
||||
- serial_number = urllib.parse.quote(str(serial_number))
|
||||
+ serial_number = urllib.parse.quote(serial_number)
|
||||
public_key_info = urllib.parse.quote(public_key_info)
|
||||
|
||||
obj = ("[p11-kit-object-v1]\n"
|
||||
@ -68,7 +68,7 @@
|
||||
|
||||
Name: freeipa
|
||||
Version: %{VERSION}
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -81,6 +81,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
|
||||
# https://github.com/freeipa/freeipa/pull/1137
|
||||
Patch0002: 0002-ipa-kdb-support-KDB-DAL-version-7.0.patch
|
||||
# https://github.com/freeipa/freeipa/pull/1156
|
||||
Patch0007: 0007-ipa-p11-kit-fixes.patch
|
||||
|
||||
# For the timestamp trick in patch application
|
||||
BuildRequires: diffstat
|
||||
@ -1713,6 +1715,9 @@ fi
|
||||
%endif # with_ipatests
|
||||
|
||||
%changelog
|
||||
* Mon Oct 16 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.1-3
|
||||
- Another attempt at fix for bug #1491053
|
||||
|
||||
* Fri Oct 06 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-2
|
||||
- Rebuild against krb5-1.16
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user