Another attempt at fixing bug 1491053

0007-ipa-p11-kit-fixes.patch

@@ -0,0 +1,74 @@
+From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001
+From: Stanislav Laznicka <slaznick@redhat.com>
+Date: Mon, 16 Oct 2017 13:29:07 +0200
+Subject: [PATCH] p11-kit: add serial number in DER format
+
+This causes Firefox to report our CA certificate as not-trustworthy.
+We were previously doing this correctly, however it slipped as an
+error due to certificate refactoring.
+
+https://pagure.io/freeipa/issue/7210
+---
+ ipalib/x509.py              | 7 +++++++
+ ipaplatform/redhat/tasks.py | 4 ++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/ipalib/x509.py b/ipalib/x509.py
+index 9f7a3c3115..205e2f82d3 100644
+--- a/ipalib/x509.py
++++ b/ipalib/x509.py
+@@ -123,18 +123,21 @@ def __init__(self, cert, backend=None):
+         # some field types encode-decoding is not strongly defined
+         self._subject = self.__get_der_field('subject')
+         self._issuer = self.__get_der_field('issuer')
++        self._serial_number = self.__get_der_field('serialNumber')
+ 
+     def __getstate__(self):
+         state = {
+             '_cert': self.public_bytes(Encoding.DER),
+             '_subject': self.subject_bytes,
+             '_issuer': self.issuer_bytes,
++            '_serial_number': self._serial_number,
+         }
+         return state
+ 
+     def __setstate__(self, state):
+         self._subject = state['_subject']
+         self._issuer = state['_issuer']
++        self._issuer = state['_serial_number']
+         self._cert = crypto_x509.load_der_x509_certificate(
+             state['_cert'], backend=default_backend())
+ 
+@@ -216,6 +219,10 @@ def serial_number(self):
+         return self._cert.serial_number
+ 
+     @property
++    def serial_number_bytes(self):
++        return self._serial_number
++
++    @property
+     def version(self):
+         return self._cert.version
+ 
+diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
+index 81c9286daf..0e7810f623 100644
+--- a/ipaplatform/redhat/tasks.py
++++ b/ipaplatform/redhat/tasks.py
+@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
+             try:
+                 subject = cert.subject_bytes
+                 issuer = cert.issuer_bytes
+-                serial_number = cert.serial_number
++                serial_number = cert.serial_number_bytes
+                 public_key_info = cert.public_key_info_bytes
+             except (PyAsn1Error, ValueError, CertificateError) as e:
+                 logger.warning(
+@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
+             label = urllib.parse.quote(nickname)
+             subject = urllib.parse.quote(subject)
+             issuer = urllib.parse.quote(issuer)
+-            serial_number = urllib.parse.quote(str(serial_number))
++            serial_number = urllib.parse.quote(serial_number)
+             public_key_info = urllib.parse.quote(public_key_info)
+ 
+             obj = ("[p11-kit-object-v1]\n"

freeipa.spec

@@ -68,7 +68,7 @@
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -81,6 +81,8 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
 # https://github.com/freeipa/freeipa/pull/1137
 Patch0002:      0002-ipa-kdb-support-KDB-DAL-version-7.0.patch
+# https://github.com/freeipa/freeipa/pull/1156
+Patch0007:      0007-ipa-p11-kit-fixes.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -1713,6 +1715,9 @@ fi
 %endif # with_ipatests
 
 %changelog
+* Mon Oct 16 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.1-3
+- Another attempt at fix for bug #1491053
+
 * Fri Oct 06 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-2
 - Rebuild against krb5-1.16