On 26.3.2012 22:17, Rob Crittenden wrote:
Jan Cholasta wrote:
On 26.3.2012 16:15, Rob Crittenden wrote:
Jan Cholasta wrote:
https://fedorahosted.org/freeipa/ticket/2521

Honza

You can still set a custom subject base for selfsign installations so
you need a special case in valid_issuer().

For selfsign installations, the issuer is always "CN=REALM Certificate
Authority", no matter what is set in the subject base, so no special
case is needed.

I wonder if this comparison
should be case insensitive too.

I think the DN class already takes care of this.


It may also be an optimization to cache the base in subject_base(). It
can't change after install time so it should be valid the entire
lifetime of the server.

What if someone does

$ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'

Ok, you're right about the issuer and DN case insensitivity, so we're
good there. I think that caching is still a good idea.

We'll handle the immutable subjectbase as a separate problem. This is
really pretty minor and isn't a show stopper, you just have to revert it
and things work again.

rob

Updated patch attached. Added caching and fixed one more occurrence of O=REALM, in make-testcert.

Honza

--
Jan Cholasta
>From 2a8dcd412e28b38e32be547bd0a5d99d588a8a87 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 26 Mar 2012 07:11:41 -0400
Subject: [PATCH] Fix uses of O=REALM instead of the configured certificate
 subject base.

ticket 2521
---
 ipalib/x509.py                           |   22 ++++++++++++++++++----
 make-testcert                            |    5 ++++-
 tests/test_xmlrpc/test_cert.py           |    4 +++-
 tests/test_xmlrpc/test_host_plugin.py    |    8 ++++----
 tests/test_xmlrpc/test_service_plugin.py |    4 ++--
 tests/test_xmlrpc/xmlrpc_test.py         |    2 +-
 6 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 04e1b94..1274673 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -42,15 +42,29 @@ from ipalib import api
 from ipalib import _
 from ipalib import util
 from ipalib import errors
+from ipalib.dn import DN
 
 PEM = 0
 DER = 1
 
 PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL)
 
-def valid_issuer(issuer, realm):
-    return issuer in ('CN=%s Certificate Authority' % realm,
-                      'CN=Certificate Authority,O=%s' % realm,)
+_subject_base = None
+
+def subject_base():
+    global _subject_base
+
+    if _subject_base is None:
+        config = api.Command['config_show']()['result']
+        _subject_base = DN(config['ipacertificatesubjectbase'][0])
+
+    return _subject_base
+
+def valid_issuer(issuer):
+    if api.env.ra_plugin == 'dogtag':
+        return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
+    else:
+        return DN(issuer) == DN(('CN', '%s Certificate Authority' % api.env.realm))
 
 def strip_header(pem):
     """
@@ -209,7 +223,7 @@ def verify_cert_subject(ldap, hostname, dercert):
     issuer = str(nsscert.issuer)
 
     # Handle both supported forms of issuer, from selfsign and dogtag.
-    if (not valid_issuer(issuer, api.env.realm)):
+    if (not valid_issuer(issuer)):
         raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
         {'issuer' : issuer})
 
diff --git a/make-testcert b/make-testcert
index 8a90de1..f5a2fa7 100755
--- a/make-testcert
+++ b/make-testcert
@@ -97,8 +97,11 @@ def makecert(reqdir):
     # Generate NSS cert database to store the private key for our CSR
     run_certutil(reqdir, ["-N", "-f", pwname])
 
+    res = api.Backend.client.run('config_show')
+    subject_base = res['result']['ipacertificatesubjectbase'][0]
+
     cert = None
-    subject = 'CN=%s,O=%s' % (api.env.host, api.env.realm)
+    subject = 'CN=%s,%s' % (api.env.host, subject_base)
     princ = 'unittest/%s@%s' % (api.env.host, api.env.realm)
     csr = unicode(generateCSR(reqdir, pwname, subject))
 
diff --git a/tests/test_xmlrpc/test_cert.py b/tests/test_xmlrpc/test_cert.py
index 253373a..90809ab 100644
--- a/tests/test_xmlrpc/test_cert.py
+++ b/tests/test_xmlrpc/test_cert.py
@@ -28,6 +28,7 @@ from nose.tools import assert_raises  # pylint: disable=E0611
 from xmlrpc_test import XMLRPC_test, assert_attr_equal
 from ipalib import api
 from ipalib import errors
+from ipalib import x509
 import tempfile
 from ipapython import ipautil
 import nose
@@ -74,6 +75,8 @@ class test_cert(XMLRPC_test):
         # Create our temporary NSS database
         self.run_certutil(["-N", "-f", self.pwname])
 
+        self.subject = DN(('CN', self.host_fqdn), x509.subject_base())
+
     def tearDown(self):
         super(test_cert, self).tearDown()
         shutil.rmtree(self.reqdir, ignore_errors=True)
@@ -95,7 +98,6 @@ class test_cert(XMLRPC_test):
     """
     host_fqdn = u'ipatestcert.%s' % api.env.domain
     service_princ = u'test/%s@%s' % (host_fqdn, api.env.realm)
-    subject = DN(('CN',host_fqdn),('O',api.env.realm))
 
     def test_1_cert_add(self):
         """
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py
index 2ef99c4..4ed4c17 100644
--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -252,7 +252,7 @@ class test_host(Declarative):
                     valid_not_before=fuzzy_date,
                     valid_not_after=fuzzy_date,
                     subject=lambda x: DN(x) == \
-                        DN(('CN',api.env.host),('O',api.env.realm)),
+                        DN(('CN',api.env.host),x509.subject_base()),
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     md5_fingerprint=fuzzy_hash,
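Review bot: The replaced lambda references `x509.subject_base()`, but this patch adds no `from ipalib import x509` to test_host_plugin.py — the diffstat shows exactly four additions and four deletions for this file, all of them the subject lines — so the lambda raises NameError when the Declarative check evaluates it, unless the module already imports `x509` (not visible here). The same applies to the three later hunks in this file and to both hunks in tests/test_xmlrpc/test_service_plugin.py; test_cert.py is the only test module where the import was added. If the import is missing, add `from ipalib import x509` next to the existing `from ipalib import api` in each file.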
@@ -284,7 +284,7 @@ class test_host(Declarative):
                     valid_not_before=fuzzy_date,
                     valid_not_after=fuzzy_date,
                     subject=lambda x: DN(x) == \
-                        DN(('CN',api.env.host),('O',api.env.realm)),
+                        DN(('CN',api.env.host),x509.subject_base()),
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     md5_fingerprint=fuzzy_hash,
@@ -483,7 +483,7 @@ class test_host(Declarative):
                     valid_not_before=fuzzy_date,
                     valid_not_after=fuzzy_date,
                     subject=lambda x: DN(x) == \
-                        DN(('CN',api.env.host),('O',api.env.realm)),
+                        DN(('CN',api.env.host),x509.subject_base()),
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     md5_fingerprint=fuzzy_hash,
@@ -513,7 +513,7 @@ class test_host(Declarative):
                     valid_not_before=fuzzy_date,
                     valid_not_after=fuzzy_date,
                     subject=lambda x: DN(x) == \
-                        DN(('CN',api.env.host),('O',api.env.realm)),
+                        DN(('CN',api.env.host),x509.subject_base()),
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     md5_fingerprint=fuzzy_hash,
diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py
index 2e51b2c..1c3a83a 100644
--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@@ -379,7 +379,7 @@ class test_service(Declarative):
                     valid_not_before=fuzzy_date,
                     valid_not_after=fuzzy_date,
                     subject=lambda x: DN(x) == \
-                        DN(('CN',api.env.host),('O',api.env.realm)),
+                        DN(('CN',api.env.host),x509.subject_base()),
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     md5_fingerprint=fuzzy_hash,
@@ -407,7 +407,7 @@ class test_service(Declarative):
                     valid_not_before=fuzzy_date,
                     valid_not_after=fuzzy_date,
                     subject=lambda x: DN(x) == \
-                        DN(('CN',api.env.host),('O',api.env.realm)),
+                        DN(('CN',api.env.host),x509.subject_base()),
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     md5_fingerprint=fuzzy_hash,
diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py
index 716ce03..a7cfb11 100644
--- a/tests/test_xmlrpc/xmlrpc_test.py
+++ b/tests/test_xmlrpc/xmlrpc_test.py
@@ -51,7 +51,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=basestring)
 # Matches a date, like Tue Apr 26 17:45:35 2016 UTC
 fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
 
-fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer, api.env.realm))
+fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer))
 
 fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=basestring)
 
-- 
1.7.7.6
