[4.5] Fix CA/server cert validation in FIPS #733

Closed
@stlaz stlaz commented Apr 26, 2017

In FIPS, the NSS library needs to be passed passwords to perform
certificate validation. Should we not have passed it and the NSS
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE
which is a completely different error than one would expect, but
that's just how things are with NSS right now.

https://pagure.io/freeipa/issue/6897

@@ -77,6 +77,12 @@ def find_cert_from_txt(cert, start=0):
return (cert, e)


def get_file_cont(slot, token, filename):
with open(filename) as f:
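
Review bot: on the new `def get_file_cont(slot, token, filename):` line, `slot` and `token` are accepted but nothing shown in this hunk uses them, and there is no docstring saying why. If the signature is fixed by whatever calls this function, state that in a one-line docstring so the unused arguments are not dropped later; if it is not, take only `filename`.
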
Member

LGTM

@Akasurde Akasurde added the ack Pull Request approved, can be merged label Apr 27, 2017
@@ -77,6 +77,12 @@ def find_cert_from_txt(cert, start=0):
return (cert, e)


def get_file_cont(slot, token, filename):
with open(filename) as f:
cont = f.read()
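
Review bot: in `get_file_cont`, `cont = f.read()` keeps the whole file verbatim, trailing newline included. The commit message says the change is about passing passwords to NSS, so if `filename` is a password file written with a final newline, that newline becomes part of the value; confirm that is intended or strip it before the value is used.
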
Member

return f.read()


stlaz commented Apr 27, 2017

Made a quickfix according to @tiran, the ACK can stay. Thanks, I was being paranoid.

@MartinBasti

ipa-4-5:

  • 651d132 Fix CA/server cert validation in FIPS

@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Apr 28, 2017
@stlaz stlaz deleted the 4-5-external_fips branch July 7, 2017 12:14