URL: https://github.com/freeipa/freeipa/pull/721
Author: stlaz
 Title: #721: Fix RA cert import during DL0 replication
Action: opened

PR body:
"""
Previous versions of FreeIPA added a password to the ra.p12 file
contained in the password-protected tarball. This was overlooked
in the recent changes and is fixed now.

https://pagure.io/freeipa/issue/6878
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/721/head:pr721
git checkout pr721
From 1c7109c885457b20d7e1104c1e327537e9965b6f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 19 Apr 2017 11:42:40 +0200
Subject: [PATCH] Fix RA cert import during DL0 replication

Previous versions of FreeIPA added a password to the ra.p12 file
contained in the password-protected tarball. This was overlooked
in the recent changes and is fixed now.

https://pagure.io/freeipa/issue/6878
---
 ipaserver/install/cainstance.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1c8bb27..faffd2e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -400,7 +400,8 @@ def configure_instance(self, host_name, dm_password, admin_password,
                     self.step("Importing RA key", self.__import_ra_key)
                 else:
                     self.step("importing RA certificate from PKCS #12 file",
-                              lambda: self.import_ra_cert(ra_p12))
+                              lambda: self.import_ra_cert(ra_p12,
+                                                          self.dm_password))
 
             if not ra_only:
                 self.step("setting up signing cert profile", self.__setup_sign_profile)
@@ -676,20 +677,26 @@ def enable_pkix(self):
                                    'NSS_ENABLE_PKIX_VERIFY', '1',
                                    quotes=False, separator='=')
 
-    def import_ra_cert(self, rafile):
+    def import_ra_cert(self, rafile, password=None):
         """
         Cloned RAs will use the same RA agent cert as the master so we
         need to import from a PKCS#12 file.
 
         Used when setting up replication
         """
+        pwdarg = 'pass:'
+        if password is not None:
+            pwdfile_fd, pwdfile_name = tempfile.mkstemp()
+            os.write(pwdfile_fd, password)
+            os.close(pwdfile_fd)
+            pwdarg = 'file:{file}'.format(file=pwdfile_name)
         # get the private key from the file
         ipautil.run([paths.OPENSSL,
                      "pkcs12",
                      "-in", rafile,
                      "-nocerts", "-nodes",
                      "-out", paths.RA_AGENT_KEY,
-                     "-passin", "pass:"])
+                     "-passin", pwdarg])
 
         # get the certificate from the pkcs12 file
         ipautil.run([paths.OPENSSL,
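Review bot: The temporary password file created by `tempfile.mkstemp()` in the new `if password is not None:` branch is never removed, so the Directory Manager password stays on disk in plaintext after import_ra_cert returns (mkstemp's 0600 mode limits exposure, but the file still outlives the operation and survives a crash). Both `openssl pkcs12` invocations that consume `pwdarg` — the `-nocerts -nodes` run here and the `-clcerts -nokeys` run in the following hunk — should sit in a try/finally that unlinks the file, and the `os.write`/`os.close` pair should be guarded the same way so a failed write does not leak the descriptor. import_ra_cert continues past the end of this hunk into the next one, so the finally has to be placed after the second run. Separately, `os.write(pwdfile_fd, password)` requires bytes under Python 3; if this module is meant to run on both interpreters the password presumably needs encoding first — worth confirming against how `dm_password` is typed elsewhere.
```python
    def import_ra_cert(self, rafile, password=None):
        # … unchanged: docstring …
        pwdarg = 'pass:'
        pwdfile_name = None
        if password is not None:
            pwdfile_fd, pwdfile_name = tempfile.mkstemp()
            try:
                os.write(pwdfile_fd, password)
            finally:
                os.close(pwdfile_fd)
            pwdarg = 'file:{file}'.format(file=pwdfile_name)
        try:
            # … unchanged: the two openssl pkcs12 runs (-nocerts/-nodes, then -clcerts/-nokeys) using pwdarg …
        finally:
            # the file holds the DM password; do not leave it behind on success or failure
            if pwdfile_name is not None:
                os.remove(pwdfile_name)
        # … unchanged: __set_ra_cert_perms(), configure_agent_renewal() …
```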
@@ -697,7 +704,7 @@ def import_ra_cert(self, rafile):
                      "-in", rafile,
                      "-clcerts", "-nokeys",
                      "-out", paths.RA_AGENT_PEM,
-                     "-passin", "pass:"])
+                     "-passin", pwdarg])
         self.__set_ra_cert_perms()
 
         self.configure_agent_renewal()
-- 