[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Rob Crittenden rcritten at redhat.com
Mon Jun 6 19:25:44 UTC 2011


Jan Cholasta wrote:
> On 26.4.2011 22:52, Rob Crittenden wrote:
>> The goal is to not import foreign certificates.
>>
>> This caused a bunch of tests to fail because we had a hardcoded server
>> certificate. Instead a developer will need to run make-testcert to
>> create a server certificate generated by the local CA to test against.
>>
>> ticket 1134
>>
>> rob
>>
>
> NACK
>
> The certificate isn't verified in host-add.
>
> I suspect that certificates signed by an intermediate CA (i.e. when the
> certificate chain length > 2) are considered invalid. Is that the
> desired behavior?

That will work as long as the issuer is the IPA CA. I see that if we are 
given a service cert issued by another CA in the chain things could go 
badly. I'm not sure this is something to really worry about though.

>
> make-testcert fails with:
>
> Traceback (most recent call last):
> File "./make-testcert", line 126, in <module>
> sys.exit(makecert(reqdir))
> File "./make-testcert", line 105, in makecert
> add=True)
> File "./make-testcert", line 66, in run
> result = self.execute(method, *args, **options)
> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
> raise error #pylint: disable=E0702
> ipalib.errors.CommandError: unknown command 'cert_request'
>
> This is probably an error on my part (tried running it on both my
> machine without IPA installed and on VM with IPA installed with no
> luck), but nonetheless it should be fixed to fail gracefully so that the
> tests in "make test" have a chance to run. Similarly, the tests which
> use the test certificate created by make-testcert should be skipped if
> the certificate isn't available.

You need to take the certificate databases from a self-signed install 
and copy them to ~/.ipa/alias/ in order to do certificate testing. There 
is documentation on how to do this in tests/test_xmlrpc/test_cert.py

I think this should be mandatory as certificates are a main feature of v2.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-779-2-cert.patch
Type: text/x-diff
Size: 19793 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110606/ad27f549/attachment.bin>
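As an added illustration of the two policies argued about above, here is a small Python model of the issuer check (this is example code written for this page, not FreeIPA's code and not the contents of the attached patch). It compares a certificate's issuer DN against the local CA's subject DN, which is the strict rule the patch title describes, and beside it a relaxed rule that walks issuer links through known intermediate CAs until the IPA CA is reached, which is the chain-length-greater-than-two case Jan raises. Certificates are modelled by subject/issuer DNs only; all DNs, hostnames and the IPA CA subject are constructed for the example and no signatures are verified.

```python
"""Issuer-matching policy for an imported certificate: illustrative only.

This is an added example, not FreeIPA code. Certificates are modelled by
their subject and issuer DNs alone (constructed sample data below); no
signatures are verified, so it shows only the name-chaining policy that the
thread argues about, not cryptographic validation.
"""
from dataclasses import dataclass

# Assumed subject DN of the local IPA CA (hypothetical value).
IPA_CA_SUBJECT = "CN=Certificate Authority,O=EXAMPLE.COM"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators inside values."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Normalise an RFC 4514-style DN into a comparable tuple of RDNs.

    Attribute types are case-insensitive; values are trimmed and lowered,
    which is enough for the printable strings used here (full X.500
    matching rules are stricter than this)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            atype, _, value = ava.partition("=")
            avas.append((atype.strip().lower(), value.strip().lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def dn_equal(a, b):
    return parse_dn(a) == parse_dn(b)


def issuer_is_ipa_ca(cert):
    """Strict policy from the patch title: the direct issuer must be our CA."""
    return dn_equal(cert.issuer, IPA_CA_SUBJECT)


def chains_to_ipa_ca(cert, known_cas, max_depth=5):
    """Relaxed policy: follow issuer links through known CA certs until the
    IPA CA is reached. Bounded depth and a seen-set stop loops such as a
    self-signed intermediate that never leads back to our CA."""
    by_subject = {parse_dn(c.subject): c for c in known_cas}
    seen = set()
    cur = cert
    for _ in range(max_depth):
        if dn_equal(cur.issuer, IPA_CA_SUBJECT):
            return True
        key = parse_dn(cur.issuer)
        if key in seen or key not in by_subject:
            return False
        seen.add(key)
        cur = by_subject[key]
    return False


# Constructed sample certificates (names and DNs are made up for this example).
LEAF_DIRECT = Cert("CN=host1.example.com,O=EXAMPLE.COM",
                   "cn=certificate authority, o=example.com")  # same DN, other casing/spacing
SUB_CA = Cert("CN=Sub CA,O=EXAMPLE.COM", IPA_CA_SUBJECT)
LEAF_VIA_SUB = Cert("CN=host2.example.com,O=EXAMPLE.COM", "CN=Sub CA,O=EXAMPLE.COM")
FOREIGN = Cert("CN=host3.example.com,O=EXAMPLE.COM", "CN=Certificate Authority,O=OTHER.ORG")
ROGUE_SELF_SIGNED_SUB = Cert("CN=Rogue CA,O=EXAMPLE.COM", "CN=Rogue CA,O=EXAMPLE.COM")
LEAF_VIA_ROGUE = Cert("CN=host4.example.com,O=EXAMPLE.COM", "CN=Rogue CA,O=EXAMPLE.COM")
KNOWN_CAS = [SUB_CA, ROGUE_SELF_SIGNED_SUB]


def evaluate(cert, known_cas=KNOWN_CAS):
    """Return (strict, chained) verdicts for one certificate."""
    return issuer_is_ipa_ca(cert), chains_to_ipa_ca(cert, known_cas)


if __name__ == "__main__":
    for name, c in [("direct", LEAF_DIRECT), ("via sub CA", LEAF_VIA_SUB),
                    ("foreign", FOREIGN), ("via rogue", LEAF_VIA_ROGUE)]:
        strict, chained = evaluate(c)
        print(f"{name:11s} strict={strict!s:5s} chained={chained}")
```

The strict rule accepts only the certificate issued directly by the IPA CA and rejects the one issued by the subordinate CA, which is exactly the intermediate-CA case raised in the reply; the chained rule accepts it while still rejecting the foreign and self-signed cases. Both rules compare names only: a foreign CA that reuses the IPA CA's subject DN would pass either one, so a real import check also has to verify the certificate's signature against the local CA's public key, which this example does not model.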
