From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Mon, 16 Oct 2017 13:29:07 +0200 Subject: [PATCH] p11-kit: add serial number in DER format This causes Firefox to report our CA certificate as not-trustworthy. We were previously doing this correctly, however it slipped as an error due to certificate refactoring. https://pagure.io/freeipa/issue/7210 --- ipalib/x509.py | 7 +++++++ ipaplatform/redhat/tasks.py | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index 9f7a3c3115..205e2f82d3 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -123,18 +123,21 @@ def __init__(self, cert, backend=None): # some field types encode-decoding is not strongly defined self._subject = self.__get_der_field('subject') self._issuer = self.__get_der_field('issuer') + self._serial_number = self.__get_der_field('serialNumber') def __getstate__(self): state = { '_cert': self.public_bytes(Encoding.DER), '_subject': self.subject_bytes, '_issuer': self.issuer_bytes, + '_serial_number': self._serial_number, } return state def __setstate__(self, state): self._subject = state['_subject'] self._issuer = state['_issuer'] + self._issuer = state['_serial_number'] self._cert = crypto_x509.load_der_x509_certificate( state['_cert'], backend=default_backend()) @@ -216,6 +219,10 @@ def serial_number(self): return self._cert.serial_number @property + def serial_number_bytes(self): + return self._serial_number + + @property def version(self): return self._cert.version diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 81c9286daf..0e7810f623 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): try: subject = cert.subject_bytes issuer = cert.issuer_bytes - serial_number = cert.serial_number + serial_number = cert.serial_number_bytes public_key_info = cert.public_key_info_bytes except (PyAsn1Error, ValueError, CertificateError) as e: logger.warning( @@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): label = urllib.parse.quote(nickname) subject = urllib.parse.quote(subject) issuer = urllib.parse.quote(issuer) - serial_number = urllib.parse.quote(str(serial_number)) + serial_number = urllib.parse.quote(serial_number) public_key_info = urllib.parse.quote(public_key_info) obj = ("[p11-kit-object-v1]\n"