Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't write p11-kit EKU extension object if no EKU #1090

Closed
wants to merge 1 commit into from
Closed

Don't write p11-kit EKU extension object if no EKU #1090

wants to merge 1 commit into from

Conversation

stlaz
Copy link
Contributor

@stlaz stlaz commented Sep 18, 2017
edited

b5732ef introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

https://pagure.io/freeipa/issue/7119

@stlaz
Don't write p11-kit EKU extension object if no EKU
d1709b2 
b5732ef introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

https://pagure.io/freeipa/issue/7119
frasertweedale
frasertweedale approved these changes Sep 19, 2017
View reviewed changes
Copy link
Contributor

@frasertweedale frasertweedale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested, works.

@frasertweedale frasertweedale added the ack Pull Request approved, can be merged label Sep 19, 2017
@stlaz
Copy link
Contributor Author

stlaz commented Sep 19, 2017

master:

  • e537686 Don't write p11-kit EKU extension object if no EKU

@stlaz stlaz added the pushed Pull Request has already been pushed label Sep 19, 2017
@stlaz stlaz closed this Sep 19, 2017
@stlaz stlaz mentioned this pull request Sep 19, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frasertweedale frasertweedale frasertweedale approved these changes

Assignees
No one assigned
Labels
ack Pull Request approved, can be merged pushed Pull Request has already been pushed
Projects
None yet
Milestone
No milestone
2 participants
@stlaz @frasertweedale