[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 From d76659f6bb4517755a092db66d1eccf0fff2a870 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 27 Apr 2017 09:33:25 +0200 Subject: [PATCH 01/14] certdb: add named trust flag constants Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. https://pagure.io/freeipa/issue/6831 --- install/restart_scripts/restart_httpd | 3 ++- install/tools/ipa-replica-conncheck| 4 +++- ipaclient/install/client.py| 9 ++--- ipapython/certdb.py| 9 +++-- ipaserver/install/ca.py| 2 +- ipaserver/install/certs.py | 5 +++-- ipaserver/install/dsinstance.py| 5 +++-- ipaserver/install/httpinstance.py | 5 +++-- ipaserver/install/ipa_cacert_manage.py | 16 +++- ipaserver/install/plugins/upload_cacrt.py | 2 +- ipaserver/install/server/replicainstall.py | 3 ++- ipaserver/install/server/upgrade.py| 4 ++-- 12 files changed, 44 insertions(+), 23 deletions(-) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index b661b82b89..cd7f12024e 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -24,6 +24,7 @@ import traceback from ipalib import api from ipaplatform import services from ipaplatform.paths import paths +from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS from ipaserver.install import certs, installutils @@ -36,7 +37,7 @@ def _main(): nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") # Add trust flag which set certificate trusted for SSL connections. -db.trust_root_cert(nickname, "P,,") +db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS) syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') 
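Review bot: In the second hunk of install/restart_scripts/restart_httpd the pre-existing comment `# Add trust flag which set certificate trusted for SSL connections.` is left as is, although the replaced literal is now the self-describing `TRUSTED_PEER_TRUST_FLAGS` and the sentence is ungrammatical. I would reword it to match the constant, e.g. `# Mark the httpd server cert (NSSNickname) as a trusted peer (P) for SSL connections.`, so the comment says why that particular trust level is chosen rather than restating the call. The body of `_main` continues outside the hunk, so I cannot see whether anything else in it still uses a raw trust string. The same hunk is repeated in the later copies of this message below; the remark applies to each of them.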
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f32d9..528242268f 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -549,7 +549,9 @@ def main(): data = ca_cert.public_bytes( serialization.Encoding.DER) nss_db.add_cert( -data, str(DN(ca_cert.subject)), 'C,,') +data, +str(DN(ca_cert.subject)), +certdb.EXTERNAL_CA_TRUST_FLAGS) api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abca692fd6..e78be904dd 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2318,8 +2318,9 @@ def update_ipa_nssdb(): if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')): create_ipa_nssdb() -for nickname, trust_flags in (('IPA CA', 'CT,C,C'), - ('External CA cert', 'C,,')): +for nickname, trust_flags in ( +('IPA CA', certdb.IPA_CA_TRUST_FLAGS), +('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)): try: cert = sys_db.get_cert(nickname) except RuntimeError: @@ -2680,7 +2681,9 @@ def _install(options): tmp_db.create_db() for i, cert in enumerate(ca_certs): -tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') +tmp_db.add_cert(cert, +'CA certificate %d' % (i + 1), +certdb.EXTERNAL_CA_TRUST_FLAGS) except CalledProcessError: raise ScriptError( "Failed to add CA to temporary NSS database.", diff --git a/ipapython/certdb.py b/ipapython/certdb.py index b86a705592..c36c22d7f4 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -54,6 +54,11 @@ BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' +EMPTY_TRUST_FLAGS = ',,' +IPA_CA_TRUST_FLAGS = 'CT,C,C' +EXTERNAL_CA_TRUST_FLAGS = 'C,,' +TRUSTED_PEER_TRUST_FLAGS = 'P,,' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm 
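Review bot: The four constants added to ipapython/certdb.py (`EMPTY_TRUST_FLAGS` through `TRUSTED_PEER_TRUST_FLAGS`) carry no comment explaining the NSS trust-string format, so a reader still has to know certutil's field layout to see why the IPA CA gets `CT,C,C` while an external CA only gets `C,,` and a server cert `P,,`. I would put one line above the group: `# NSS trust flags in certutil -t form "<SSL>,<email>,<objsign>": C = trusted CA, T = trusted CA for client certs (SSL field only), P = trusted peer, empty = no trust.` Since these remain plain strings, `add_cert` and `trust_root_cert` still accept any free-form value; a short note that callers should use these constants rather than ad-hoc strings would make an accidental over-trust (e.g. an external CA being imported with the IPA CA flags) easier to spot in review. The same hunk appears again in the later copies of this message; the remark applies to each of them.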
@@ -438,7 +443,7 @@ def import_files(self, files, import_keys=False, key_password=None, cert = x509.load_certificate(cert_pem) nickname = str(DN(cert.subject)) data = cert.public_bytes(serialization.Encoding.DER) -self.add_cert(data, nickname, ',,') +self.add_cert(data, nickname, EMPTY_TRUST_FLAGS) if extracted_key: in_file = ipautil
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 27 Apr 2017 09:33:25 +0200 Subject: [PATCH 01/14] certdb: add named trust flag constants Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. https://pagure.io/freeipa/issue/6831 --- install/restart_scripts/restart_httpd | 3 ++- install/tools/ipa-replica-conncheck| 4 +++- ipaclient/install/client.py| 9 ++--- ipapython/certdb.py| 9 +++-- ipaserver/install/ca.py| 2 +- ipaserver/install/certs.py | 5 +++-- ipaserver/install/dsinstance.py| 5 +++-- ipaserver/install/httpinstance.py | 5 +++-- ipaserver/install/ipa_cacert_manage.py | 16 +++- ipaserver/install/plugins/upload_cacrt.py | 2 +- ipaserver/install/server/replicainstall.py | 3 ++- ipaserver/install/server/upgrade.py| 4 ++-- 12 files changed, 44 insertions(+), 23 deletions(-) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index b661b82..cd7f120 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -24,6 +24,7 @@ import traceback from ipalib import api from ipaplatform import services from ipaplatform.paths import paths +from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS from ipaserver.install import certs, installutils @@ -36,7 +37,7 @@ def _main(): nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") # Add trust flag which set certificate trusted for SSL connections. -db.trust_root_cert(nickname, "P,,") +db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS) syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f3..5282422 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -549,7 +549,9 @@ def main(): data = ca_cert.public_bytes( serialization.Encoding.DER) nss_db.add_cert( -data, str(DN(ca_cert.subject)), 'C,,') +data, +str(DN(ca_cert.subject)), +certdb.EXTERNAL_CA_TRUST_FLAGS) api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abca692..e78be90 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2318,8 +2318,9 @@ def update_ipa_nssdb(): if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')): create_ipa_nssdb() -for nickname, trust_flags in (('IPA CA', 'CT,C,C'), - ('External CA cert', 'C,,')): +for nickname, trust_flags in ( +('IPA CA', certdb.IPA_CA_TRUST_FLAGS), +('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)): try: cert = sys_db.get_cert(nickname) except RuntimeError: @@ -2680,7 +2681,9 @@ def _install(options): tmp_db.create_db() for i, cert in enumerate(ca_certs): -tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') +tmp_db.add_cert(cert, +'CA certificate %d' % (i + 1), +certdb.EXTERNAL_CA_TRUST_FLAGS) except CalledProcessError: raise ScriptError( "Failed to add CA to temporary NSS database.", diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..38f3bf0 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +EMPTY_TRUST_FLAGS = ',,' +IPA_CA_TRUST_FLAGS = 'CT,C,C' +EXTERNAL_CA_TRUST_FLAGS = 'C,,' +TRUSTED_PEER_TRUST_FLAGS = 'P,,' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm 
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None, cert = x509.load_certificate(cert_pem) nickname = str(DN(cert.subject)) data = cert.public_bytes(serialization.Encoding.DER) -self.add_cert(data, nickname, ',,') +self.add_cert(data, nickname, EMPTY_TRUST_FLAGS) if extracted_key: in_file = ipautil.write_tmp_file( @@ -468,7 +473,7 @@
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 27 Apr 2017 09:33:25 +0200 Subject: [PATCH 01/13] certdb: add named trust flag constants Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. https://pagure.io/freeipa/issue/6831 --- install/restart_scripts/restart_httpd | 3 ++- install/tools/ipa-replica-conncheck| 4 +++- ipaclient/install/client.py| 9 ++--- ipapython/certdb.py| 9 +++-- ipaserver/install/ca.py| 2 +- ipaserver/install/certs.py | 5 +++-- ipaserver/install/dsinstance.py| 5 +++-- ipaserver/install/httpinstance.py | 5 +++-- ipaserver/install/ipa_cacert_manage.py | 16 +++- ipaserver/install/plugins/upload_cacrt.py | 2 +- ipaserver/install/server/replicainstall.py | 3 ++- ipaserver/install/server/upgrade.py| 4 ++-- 12 files changed, 44 insertions(+), 23 deletions(-) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index b661b82..cd7f120 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -24,6 +24,7 @@ import traceback from ipalib import api from ipaplatform import services from ipaplatform.paths import paths +from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS from ipaserver.install import certs, installutils @@ -36,7 +37,7 @@ def _main(): nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") # Add trust flag which set certificate trusted for SSL connections. -db.trust_root_cert(nickname, "P,,") +db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS) syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f3..5282422 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -549,7 +549,9 @@ def main(): data = ca_cert.public_bytes( serialization.Encoding.DER) nss_db.add_cert( -data, str(DN(ca_cert.subject)), 'C,,') +data, +str(DN(ca_cert.subject)), +certdb.EXTERNAL_CA_TRUST_FLAGS) api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abca692..e78be90 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2318,8 +2318,9 @@ def update_ipa_nssdb(): if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')): create_ipa_nssdb() -for nickname, trust_flags in (('IPA CA', 'CT,C,C'), - ('External CA cert', 'C,,')): +for nickname, trust_flags in ( +('IPA CA', certdb.IPA_CA_TRUST_FLAGS), +('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)): try: cert = sys_db.get_cert(nickname) except RuntimeError: @@ -2680,7 +2681,9 @@ def _install(options): tmp_db.create_db() for i, cert in enumerate(ca_certs): -tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') +tmp_db.add_cert(cert, +'CA certificate %d' % (i + 1), +certdb.EXTERNAL_CA_TRUST_FLAGS) except CalledProcessError: raise ScriptError( "Failed to add CA to temporary NSS database.", diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..38f3bf0 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +EMPTY_TRUST_FLAGS = ',,' +IPA_CA_TRUST_FLAGS = 'CT,C,C' +EXTERNAL_CA_TRUST_FLAGS = 'C,,' +TRUSTED_PEER_TRUST_FLAGS = 'P,,' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm 
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None, cert = x509.load_certificate(cert_pem) nickname = str(DN(cert.subject)) data = cert.public_bytes(serialization.Encoding.DER) -self.add_cert(data, nickname, ',,') +self.add_cert(data, nickname, EMPTY_TRUST_FLAGS) if extracted_key: in_file = ipautil.write_tmp_file( @@ -468,7 +473,7 @@
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 27 Apr 2017 09:33:25 +0200 Subject: [PATCH 01/13] certdb: add named trust flag constants Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. https://pagure.io/freeipa/issue/6831 --- install/restart_scripts/restart_httpd | 3 ++- install/tools/ipa-replica-conncheck| 4 +++- ipaclient/install/client.py| 9 ++--- ipapython/certdb.py| 9 +++-- ipaserver/install/ca.py| 2 +- ipaserver/install/certs.py | 5 +++-- ipaserver/install/dsinstance.py| 5 +++-- ipaserver/install/httpinstance.py | 5 +++-- ipaserver/install/ipa_cacert_manage.py | 16 +++- ipaserver/install/plugins/upload_cacrt.py | 2 +- ipaserver/install/server/replicainstall.py | 3 ++- ipaserver/install/server/upgrade.py| 4 ++-- 12 files changed, 44 insertions(+), 23 deletions(-) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index b661b82..cd7f120 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -24,6 +24,7 @@ import traceback from ipalib import api from ipaplatform import services from ipaplatform.paths import paths +from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS from ipaserver.install import certs, installutils @@ -36,7 +37,7 @@ def _main(): nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") # Add trust flag which set certificate trusted for SSL connections. -db.trust_root_cert(nickname, "P,,") +db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS) syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f3..5282422 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -549,7 +549,9 @@ def main(): data = ca_cert.public_bytes( serialization.Encoding.DER) nss_db.add_cert( -data, str(DN(ca_cert.subject)), 'C,,') +data, +str(DN(ca_cert.subject)), +certdb.EXTERNAL_CA_TRUST_FLAGS) api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abca692..e78be90 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2318,8 +2318,9 @@ def update_ipa_nssdb(): if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')): create_ipa_nssdb() -for nickname, trust_flags in (('IPA CA', 'CT,C,C'), - ('External CA cert', 'C,,')): +for nickname, trust_flags in ( +('IPA CA', certdb.IPA_CA_TRUST_FLAGS), +('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)): try: cert = sys_db.get_cert(nickname) except RuntimeError: @@ -2680,7 +2681,9 @@ def _install(options): tmp_db.create_db() for i, cert in enumerate(ca_certs): -tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') +tmp_db.add_cert(cert, +'CA certificate %d' % (i + 1), +certdb.EXTERNAL_CA_TRUST_FLAGS) except CalledProcessError: raise ScriptError( "Failed to add CA to temporary NSS database.", diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..38f3bf0 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +EMPTY_TRUST_FLAGS = ',,' +IPA_CA_TRUST_FLAGS = 'CT,C,C' +EXTERNAL_CA_TRUST_FLAGS = 'C,,' +TRUSTED_PEER_TRUST_FLAGS = 'P,,' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm 
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None, cert = x509.load_certificate(cert_pem) nickname = str(DN(cert.subject)) data = cert.public_bytes(serialization.Encoding.DER) -self.add_cert(data, nickname, ',,') +self.add_cert(data, nickname, EMPTY_TRUST_FLAGS) if extracted_key: in_file = ipautil.write_tmp_file( @@ -468,7 +473,7 @@