ipa/0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch
Florence Blanc-Renaud 1e38d43370 ipa-4.12.2-8
- Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
- Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred
- Resolves: RHEL-57674 Use RSNv3 and enable cert pruning by default in RHEL 10.0

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2024-11-27 19:43:17 +01:00


From 0eafb03110b6ae4c80680e5c451661e1cf41db77 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 21 Nov 2024 11:39:12 -0500
Subject: [PATCH] Don't drop certificates in cert-find if the LWCA was removed

The cert-find command wants to return the IPA CA name of the
issued certificates. If the CA was removed then the certificate
is skipped in the output. This basically black holes any certificates
issued by the LWCA.

It is also breaking the cert_find tests with RSNv3 enabled at
times depending on the certificate order returned. Some of them
may be certificates issued by a now-deleted CA.

This was discovered in test_xmlrpc/test_cert.py with the
cert-find tests where the expected number of certificates wasn't
returned. This is because ra.find() retrieved exactly 10 certificates
and then some were removed when trying to identify the CA.

Related: https://pagure.io/freeipa/issue/9661

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
ipaserver/plugins/cert.py | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 6249c6d6f24acdca4fc3e9dd989f58344192b567..b8012c62a7809a85faec9cbb710f187fa16d90f4 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1721,7 +1721,8 @@ class cert_find(Search, CertMethod):
try:
ca_obj = ca_objs[issuer]
except KeyError:
- continue
+ # A deleted LWCA? Return the issuer DN as a string
+ ca_obj = {'cn': [str(issuer)]}
if pkey_only:
obj = {'serial_number': serial_number}
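Review bot: the fallback `ca_obj = {'cn': [str(issuer)]}` is a one-key stand-in for what is otherwise a full CA record taken from `ca_objs[issuer]`, so it is only safe if the code after this point reads nothing from `ca_obj` except `['cn']`; please confirm that and say so in the comment (and make the tentative "A deleted LWCA?" a definite statement of why the key is missing). Since the commit message says the failure only showed up depending on certificate order, this hunk also deserves a deterministic test in test_xmlrpc/test_cert.py with a certificate issued by a since-deleted LWCA, asserting that it is listed with its issuer DN in the CA field rather than dropped.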
@@ -1905,8 +1906,16 @@ class cert_find(Search, CertMethod):
try:
ca_obj = ca_objs[cacn]
except KeyError:
- ca_obj = ca_objs[cacn] = (
- self.api.Command.ca_show(cacn, all=True)['result'])
+ try:
+ ca_obj = ca_objs[cacn] = (
+ self.api.Command.ca_show(
+ cacn, all=True)['result'])
+ except errors.NotFound:
+ # If we have inserted a CA DN because the
+ # LWCA was deleted then ca-show of it will
+ # fail as NotFound. There is no chain to
+ # retrieve.
+ ca_obj = []
obj.update(
ra.get_certificate(serial_number)
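Review bot: the `except errors.NotFound` branch leaves `ca_obj` with a different type from the success path (`[]` versus the dict from `ca_show(...)['result']`), so whatever consumes `ca_obj` to build the certificate chain must treat it as falsy rather than index it, otherwise a deleted LWCA turns into a TypeError instead of the intended "no chain to retrieve"; a `None` sentinel with the same comment would make that intent explicit. The miss is also not cached: unlike the success path, the branch assigns only `ca_obj = []` and not `ca_objs[cacn]`, so every certificate of the deleted issuer repeats the failing `ca_show` call; assigning `ca_obj = ca_objs[cacn] = ...` in the except branch avoids that.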
--
2.47.0