URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
 Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

From 984d80eff07b1ae30625607244d7326c7da6d4d8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database

This change is required for httpd to function properly when the system runs in FIPS mode

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..9170e35 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -501,13 +501,19 @@ def create_password_conf(self):
         This is the format of mod_nss pin files.
         """
         ipautil.backup_file(self.pwd_conf)
-        f = open(self.pwd_conf, "w")
-        f.write("internal:")
-        pwdfile = open(self.passwd_fname)
-        f.write(pwdfile.read())
-        f.close()
-        pwdfile.close()
-        self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
+
+        with open(self.passwd_fname) as pwdfile:
+            password = pwdfile.read()
+
+        with open(self.pwd_conf, "w") as f:
+            f.write("internal:")
+            f.write(password)
+            f.write("\nNSS FIPS 140-2 Certificate DB:")
+            f.write(password)
+            # make sure other processes can access the file contents ASAP
+            f.flush()
+        if os.path.exists(self.pwd_conf):
+            self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
 
     def find_root_cert(self, nickname):
         """
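Review bot: The pin file now carries the NSS token password twice, yet `open(self.pwd_conf, "w")` still creates it with the process umask (typically 0644) and only tightens ownership/mode afterwards in `set_perms`, so the secret is briefly readable by any local user between the write and the chmod; create the file with a restrictive mode from the start rather than fixing it up after the fact. The `os.path.exists` guard is dead code, since the `with open(..., "w")` block above it either created the file or raised, and the explicit `f.flush()` is redundant because the context manager's close flushes anyway. If `self.passwd_fname` ends with a newline (it is not visible here), the `"\n"` prefix on the FIPS line yields an empty line in the pin file — stripping the read value, or formatting both entries from one template, avoids depending on that. `create_password_conf` begins outside the hunk.
```python
        password = password.rstrip("\n")

        # Create with 0600 so the token password is never exposed via umask
        # before set_perms runs; the umask can only remove bits from 0o600.
        fd = os.open(self.pwd_conf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write("internal:%s\nNSS FIPS 140-2 Certificate DB:%s\n"
                    % (password, password))
        self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
```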
-- 