[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT

2017-05-19 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
From d76659f6bb4517755a092db66d1eccf0fff2a870 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/14] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust-flag strings in the code.

https://pagure.io/freeipa/issue/6831
---
 install/restart_scripts/restart_httpd  |  3 ++-
 install/tools/ipa-replica-conncheck|  4 +++-
 ipaclient/install/client.py|  9 ++---
 ipapython/certdb.py|  9 +++--
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/certs.py |  5 +++--
 ipaserver/install/dsinstance.py|  5 +++--
 ipaserver/install/httpinstance.py  |  5 +++--
 ipaserver/install/ipa_cacert_manage.py | 16 +++-
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py|  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82b89..cd7f12024e 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
 nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
 # Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f32d9..528242268f 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
 data = ca_cert.public_bytes(
 serialization.Encoding.DER)
 nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
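Review bot: `certdb.EXTERNAL_CA_TRUST_FLAGS` relies on `certdb` already being bound as a module name in this script, yet the hunk adds no import and the diffstat for this file (`4 +++-`) is fully consumed by the three added and one removed lines shown here, so the name is presumably imported elsewhere in the file; worth confirming that it is `from ipapython import certdb` and not a local that happens to share the name. The same holds for the two client.py hunks ending at lines 89 and 100, whose diffstat (`9 ++---`) is likewise fully accounted for by the visible changes. main() continues outside the hunk.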
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692fd6..e78be904dd 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
 if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
 create_ipa_nssdb()
 
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-  ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
 try:
 cert = sys_db.get_cert(nickname)
 except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
 tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 except CalledProcessError:
 raise ScriptError(
 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index b86a705592..c36c22d7f4 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -54,6 +54,11 @@
 
 BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
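Review bot: The new constants say nothing about the format they encode, so a reader still has to know that an NSS trust string has three comma-separated fields (SSL, S/MIME, object signing) and that `C` marks a valid CA, `T` a CA additionally trusted to issue client certificates, and `P` a trusted peer certificate. A comment above the block, e.g. `# NSS trust flags "<ssl>,<email>,<objsign>": C = valid CA, T = trusted to issue client certs, P = trusted peer, empty = no trust.`, would make the difference between `IPA_CA_TRUST_FLAGS` and `EXTERNAL_CA_TRUST_FLAGS` visible at the point of choice, since the former is the only one granting `T` and is meant for the IPA CA rather than third-party CAs. The same block recurs in the later copies of this patch (hunks ending at lines 242, 369 and 496).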
@@ -438,7 +443,7 @@ def import_files(self, files, import_keys=False, key_password=None,
 cert = x509.load_certificate(cert_pem)
 nickname = str(DN(cert.subject))
 data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
 if extracted_key:
 in_file = ipautil
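Review bot: `import_files` now stores every certificate with `EMPTY_TRUST_FLAGS`, i.e. no trust at all, and the visible part of the method carries no note telling a caller that trust has to be granted separately afterwards (as restart_httpd does with `db.trust_root_cert`); a docstring line such as `Imported certificates get no trust flags (EMPTY_TRUST_FLAGS); use trust_root_cert() to mark a CA as trusted.` would make that contract explicit. The body of import_files starts before and continues after this hunk. The same hunk recurs in the later copies of this patch (ending at lines 251, 378 and 505).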

[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT

2017-05-18 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/14] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust-flag strings in the code.

https://pagure.io/freeipa/issue/6831
---
 install/restart_scripts/restart_httpd  |  3 ++-
 install/tools/ipa-replica-conncheck|  4 +++-
 ipaclient/install/client.py|  9 ++---
 ipapython/certdb.py|  9 +++--
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/certs.py |  5 +++--
 ipaserver/install/dsinstance.py|  5 +++--
 ipaserver/install/httpinstance.py  |  5 +++--
 ipaserver/install/ipa_cacert_manage.py | 16 +++-
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py|  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82..cd7f120 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
 nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
 # Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f3..5282422 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
 data = ca_cert.public_bytes(
 serialization.Encoding.DER)
 nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692..e78be90 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
 if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
 create_ipa_nssdb()
 
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-  ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
 try:
 cert = sys_db.get_cert(nickname)
 except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
 tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 except CalledProcessError:
 raise ScriptError(
 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..38f3bf0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None,
 cert = x509.load_certificate(cert_pem)
 nickname = str(DN(cert.subject))
 data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
 if extracted_key:
 in_file = ipautil.write_tmp_file(
@@ -468,7 +473,7 @@

[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT

2017-05-18 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/13] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust-flag strings in the code.

https://pagure.io/freeipa/issue/6831
---
 install/restart_scripts/restart_httpd  |  3 ++-
 install/tools/ipa-replica-conncheck|  4 +++-
 ipaclient/install/client.py|  9 ++---
 ipapython/certdb.py|  9 +++--
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/certs.py |  5 +++--
 ipaserver/install/dsinstance.py|  5 +++--
 ipaserver/install/httpinstance.py  |  5 +++--
 ipaserver/install/ipa_cacert_manage.py | 16 +++-
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py|  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82..cd7f120 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
 nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
 # Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f3..5282422 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
 data = ca_cert.public_bytes(
 serialization.Encoding.DER)
 nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692..e78be90 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
 if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
 create_ipa_nssdb()
 
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-  ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
 try:
 cert = sys_db.get_cert(nickname)
 except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
 tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 except CalledProcessError:
 raise ScriptError(
 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..38f3bf0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None,
 cert = x509.load_certificate(cert_pem)
 nickname = str(DN(cert.subject))
 data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
 if extracted_key:
 in_file = ipautil.write_tmp_file(
@@ -468,7 +473,7 @@

[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT

2017-05-17 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
From 94035206637152fce07a491d645c796121e6b984 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/13] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust-flag strings in the code.

https://pagure.io/freeipa/issue/6831
---
 install/restart_scripts/restart_httpd  |  3 ++-
 install/tools/ipa-replica-conncheck|  4 +++-
 ipaclient/install/client.py|  9 ++---
 ipapython/certdb.py|  9 +++--
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/certs.py |  5 +++--
 ipaserver/install/dsinstance.py|  5 +++--
 ipaserver/install/httpinstance.py  |  5 +++--
 ipaserver/install/ipa_cacert_manage.py | 16 +++-
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py|  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82..cd7f120 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
 nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
 # Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f3..5282422 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
 data = ca_cert.public_bytes(
 serialization.Encoding.DER)
 nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692..e78be90 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
 if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
 create_ipa_nssdb()
 
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-  ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
 try:
 cert = sys_db.get_cert(nickname)
 except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
 tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 except CalledProcessError:
 raise ScriptError(
 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..38f3bf0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None,
 cert = x509.load_certificate(cert_pem)
 nickname = str(DN(cert.subject))
 data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
 if extracted_key:
 in_file = ipautil.write_tmp_file(
@@ -468,7 +473,7 @@