ipa-4.12.2-22
- Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
parent
c07b72dc4a
commit
fe5c3c292a
@ -0,0 +1,81 @@
|
|||||||
|
From 8cfafeffd1ad5266b35a7eb796976e873278f500 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Wed, 14 May 2025 10:44:26 +0200
|
||||||
|
Subject: [PATCH] ipatests: add extensions to server certificates for CAless
|
||||||
|
mode
|
||||||
|
|
||||||
|
When installing the server in CA less mode, the tests generate
|
||||||
|
server certificates but some extensions were missing.
|
||||||
|
|
||||||
|
Generate server cert with an Authority Key Identifier extension
|
||||||
|
using the CA's subject key identifier.
|
||||||
|
|
||||||
|
Without this extension, replica installation fails with
|
||||||
|
certificate verify failed: Missing Authority Key Identifier
|
||||||
|
in the step fetching the DM password from the server.
|
||||||
|
|
||||||
|
Add KeyUsage and Extended Key Usage.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9787
|
||||||
|
Related: https://github.com/dogtagpki/pki/issues/5051
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
.../integration/create_caless_pki.py | 34 +++++++++++++++++++
|
||||||
|
1 file changed, 34 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
|
||||||
|
index 71d804c339cc71bc14e1f819639852e32b54c098..d06f1dd8c328628bd692c2abf3acfc88ba6a7408 100644
|
||||||
|
--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
|
||||||
|
+++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
|
||||||
|
@@ -199,6 +199,20 @@ def profile_server(builder, ca_nick, ca,
|
||||||
|
critical=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
+ if ca:
|
||||||
|
+ try:
|
||||||
|
+ ski_ext = ca.cert.extensions.get_extension_for_class(
|
||||||
|
+ x509.SubjectKeyIdentifier)
|
||||||
|
+ builder = builder.add_extension(
|
||||||
|
+ x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
|
||||||
|
+ ski_ext.value
|
||||||
|
+ ),
|
||||||
|
+ critical=False,
|
||||||
|
+ )
|
||||||
|
+ except x509.ExtensionNotFound:
|
||||||
|
+ # if the CA doesn't have a SKI, just ignore
|
||||||
|
+ pass
|
||||||
|
+
|
||||||
|
if badusage:
|
||||||
|
builder = builder.add_extension(
|
||||||
|
x509.KeyUsage(
|
||||||
|
@@ -214,6 +228,26 @@ def profile_server(builder, ca_nick, ca,
|
||||||
|
),
|
||||||
|
critical=False
|
||||||
|
)
|
||||||
|
+ else:
|
||||||
|
+ builder = builder.add_extension(
|
||||||
|
+ x509.KeyUsage(
|
||||||
|
+ digital_signature=True,
|
||||||
|
+ content_commitment=False,
|
||||||
|
+ key_encipherment=True,
|
||||||
|
+ data_encipherment=True,
|
||||||
|
+ key_agreement=False,
|
||||||
|
+ key_cert_sign=False,
|
||||||
|
+ crl_sign=False,
|
||||||
|
+ encipher_only=False,
|
||||||
|
+ decipher_only=False
|
||||||
|
+ ),
|
||||||
|
+ critical=False
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ builder = builder.add_extension(
|
||||||
|
+ x509.ExtendedKeyUsage([x509.ObjectIdentifier('1.3.6.1.5.5.7.3.1')]),
|
||||||
|
+ critical=False,
|
||||||
|
+ )
|
||||||
|
|
||||||
|
if wildcard:
|
||||||
|
names = [x509.DNSName(u'*.' + domain)]
|
||||||
|
--
|
||||||
|
2.50.1
|
||||||
|
|
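Review bot: The `except x509.ExtensionNotFound: pass` in the new `if ca:` block of the embedded patch's first hunk silently issues a server certificate with no Authority Key Identifier, which is exactly the state the commit message says makes replica installation fail with "Missing Authority Key Identifier"; the failure would only move to a later, less obvious step. cryptography can derive the identifier without an SKI on the issuer, so fall back to `x509.AuthorityKeyIdentifier.from_issuer_public_key(ca.cert.public_key())` rather than ignoring the error, and add the extension in either case. Two smaller points in the second hunk: the EKU could use `x509.ExtendedKeyUsageOID.SERVER_AUTH` instead of the bare OID string, and `data_encipherment=True` is not something a TLS server key normally asserts (digitalSignature plus keyEncipherment is the usual RSA set), so it deserves a comment if the Dogtag check referenced in the commit message, which I cannot see here, really requires it. `profile_server` starts and ends outside both hunks.
```python
    if ca:
        try:
            ski_ext = ca.cert.extensions.get_extension_for_class(
                x509.SubjectKeyIdentifier)
            aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
                ski_ext.value)
        except x509.ExtensionNotFound:
            # CA has no SKI: derive the key identifier from its public key
            # instead of issuing a cert without an AKI (replica install
            # rejects such certs).
            aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
                ca.cert.public_key())
        builder = builder.add_extension(aki, critical=False)
    # … unchanged: badusage / KeyUsage / EKU handling …
```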
@ -231,7 +231,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 21%{?rc_version:.%rc_version}%{?dist}
|
Release: 22%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPL-3.0-or-later
|
License: GPL-3.0-or-later
|
||||||
@ -362,6 +362,7 @@ Patch0104: 0104-Use-correct-capitalization-for-GitHub-and-GitLab.patch
|
|||||||
Patch0105: 0105-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
|
Patch0105: 0105-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
|
||||||
Patch0106: 0106-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
|
Patch0106: 0106-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
|
||||||
Patch0107: 0107-dns-disable-all-previous-Unbound-configuration-befor.patch
|
Patch0107: 0107-dns-disable-all-previous-Unbound-configuration-befor.patch
|
||||||
|
Patch0108: 0108-ipatests-add-extensions-to-server-certificates-for-C.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
@ -2015,6 +2016,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 25 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22
|
||||||
|
- Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate
|
||||||
|
|
||||||
* Mon Aug 18 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.12.2-21
|
* Mon Aug 18 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.12.2-21
|
||||||
- Resolves: RHEL-109768 Revert allow update of Kerberos master key
|
- Resolves: RHEL-109768 Revert allow update of Kerberos master key
|
||||||
|
|
||||||
|