[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/50 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/50/head:pr50 git checkout pr50 From b4d5a74265377bf182f3cc1fec90669c93b47470 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 1 Sep 2016 13:56:24 +0200 Subject: [PATCH] Add cert checks in ipa-server-certinstall When ipa-server-certinstall is called to install a new server certificate, the prerequisite is that the certificate issuer must be already known by IPA. This fix adds new checks to make sure that the tool exits before modifying the target NSS database if it is not the case. The fix consists in creating a temp NSS database with the CA certs from the target NSS database + the new server cert and checking the new server cert validity. https://fedorahosted.org/freeipa/ticket/6263 --- ipaserver/install/ipa_server_certinstall.py | 40 +++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index 0a8fb21..7bc39e3 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -25,8 +25,8 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths -from ipapython import admintool -from ipapython.certdb import get_ca_nickname +from ipapython import admintool, ipautil +from ipapython.certdb import get_ca_nickname, NSSDatabase from ipapython.dn import DN from ipalib import api, errors from ipalib.constants import CACERT 
@@ -157,6 +157,38 @@ def install_http_cert(self): os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid) os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid) +def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb): +# create a temp nssdb +with NSSDatabase() as tempnssdb: +db_password = ipautil.ipa_generate_password() +db_pwdfile = ipautil.write_tmp_file(db_password) +tempnssdb.create_db(db_pwdfile.name) + +# import the PKCS12 file, then delete all CA certificates +# this leaves only the server certs in the temp db +tempnssdb.import_pkcs12( +pkcs12_filename, db_pwdfile.name, pkcs12_pin) +for nickname, flags in tempnssdb.list_certs(): +if 'u' not in flags: +while tempnssdb.has_nickname(nickname): +tempnssdb.delete_cert(nickname) + +# import all the CA certs from nssdb into the temp db +for nickname, flags in nssdb.list_certs(): +if 'u' not in flags: +cert = nssdb.get_cert_from_db(nickname) +tempnssdb.add_cert(cert, nickname, flags) + +# now get the server certs from tempnssdb and check their validity +try: +for nick, flags in tempnssdb.find_server_certs(): +tempnssdb.verify_server_cert_validity(nick, api.env.host) +except ValueError as e: +raise admintool.ScriptError( +"Peer's certificate issuer is not trusted (%s). " +"Please run ipa-cacert-manage install and ipa-certupdate " +"to install the CA certificate." % str(e)) + def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): pkcs12_file, pin, ca_cert = installutils.load_pkcs12( cert_files=self.args, 
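Review bot: check_chain returns without raising when `tempnssdb.find_server_certs()` yields nothing, because the only validity check is inside that loop body, so a PKCS#12 file that contains no server certificate (or whose certificate was dropped by the `'u' not in flags` filter above) passes the check vacuously and import_cert goes on to modify the target database; the same applies to the three later revisions of this hunk in the thread. I would materialize the result and fail on an empty list: `server_certs = list(tempnssdb.find_server_certs())` / `if not server_certs: raise admintool.ScriptError("No server certificate found in %s" % pkcs12_filename)` before the loop. Whether load_pkcs12 already rejects such a file is not visible here, so treat this as a defence-in-depth check rather than the primary one. The new method also has no docstring; I would add one saying that it builds a throwaway NSS database holding only the server certificates from the PKCS#12 file plus the CA certificates (with their trust flags) copied from nssdb, and raises ScriptError if any server certificate does not validate for api.env.host, so the target database is never touched on failure.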
@@ -167,6 +199,10 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): dirname = os.path.normpath(dirname) cdb = certs.CertDB(api.env.realm, nssdir=dirname) + +# Check that the ca_cert is known and trusted +self.check_chain(pkcs12_file.name, pin, cdb) + try: ca_enabled = api.Command.ca_is_enabled()['result'] if ca_enabled: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
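Review bot: The comment `# Check that the ca_cert is known and trusted` does not match the call under it: `ca_cert` from load_pkcs12 is not passed to check_chain, which instead verifies the server certificates inside pkcs12_file against the CA certificates already present in cdb. Suggest `# Verify the new server cert chains to a CA already trusted in the target NSS DB; abort before the DB is modified` so a reader does not look for a CA-cert argument. The same comment appears in the other three revisions of this hunk in the thread. import_cert's body continues outside the hunk on both sides.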
[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/50 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/50/head:pr50 git checkout pr50 From 835eb957473317be495753cd8988084cd6566caa Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 1 Sep 2016 13:56:24 +0200 Subject: [PATCH] Add cert checks in ipa-server-certinstall When ipa-server-certinstall is called to install a new server certificate, the prerequisite is that the certificate issuer must be already known by IPA. This fix adds new checks to make sure that the tool exits before modifying the target NSS database if it is not the case. The fix consists in creating a temp NSS database with the CA certs from the target NSS database + the new server cert and checking the new server cert validity. https://fedorahosted.org/freeipa/ticket/6263 --- ipaserver/install/ipa_server_certinstall.py | 40 +++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index 0a8fb21..ecfeca1 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -25,8 +25,8 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths -from ipapython import admintool -from ipapython.certdb import get_ca_nickname +from ipapython import admintool, ipautil +from ipapython.certdb import get_ca_nickname, NSSDatabase from ipapython.dn import DN from ipalib import api, errors from ipalib.constants import CACERT 
@@ -157,6 +157,38 @@ def install_http_cert(self): os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid) os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid) +def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb): +# create a temp nssdb +with NSSDatabase() as tempnssdb: +db_password = ipautil.ipa_generate_password() +db_pwdfile = ipautil.write_tmp_file(db_password) +tempnssdb.create_db(db_pwdfile.name) + +# import the PKCS12 file, then delete all CA certificates +# this leaves only the server certs in the temp db +tempnssdb.import_pkcs12( +pkcs12_filename, db_pwdfile.name, pkcs12_pin) +for nickname, flags in tempnssdb.list_certs(): +if 'u' not in flags: +while tempnssdb.has_nickname(nickname): +tempnssdb.delete_cert(nickname) + +# import all the CA certs from nssdb into the temp db +for nickname, flags in nssdb.list_certs(): +if 'u' not in flags: +cert = nssdb.get_cert_from_db(nickname) +tempnssdb.add_cert(cert, nickname, flags) + +# now get the server certs from tempnssdb and check their validity +try: +for nick, flags in tempnssdb.find_server_certs(): +tempnssdb.verify_server_cert_validity(nick, api.env.host) +except ValueError as e: +raise admintool.ScriptError( +"Error: %s\n" +"Please run ipa-cacert-manage install and ipa-certupdate " +"to install the CA certificate." % str(e)) + def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): pkcs12_file, pin, ca_cert = installutils.load_pkcs12( cert_files=self.args, 
@@ -167,6 +199,10 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): dirname = os.path.normpath(dirname) cdb = certs.CertDB(api.env.realm, nssdir=dirname) + +# Check that the ca_cert is known and trusted +self.check_chain(pkcs12_file.name, pin, cdb) + try: ca_enabled = api.Command.ca_is_enabled()['result'] if ca_enabled: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/50 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/50/head:pr50 git checkout pr50 From 64d335ee59209a7a396313df77c17fd26e14c599 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 1 Sep 2016 13:56:24 +0200 Subject: [PATCH] Add cert checks in ipa-server-certinstall When ipa-server-certinstall is called to install a new server certificate, the prerequisite is that the certificate issuer must be already known by IPA. This fix adds new checks to make sure that the tool exits before modifying the target NSS database if it is not the case. The fix consists in creating a temp NSS database with the CA certs from the target NSS database + the new server cert and checking the new server cert validity. https://fedorahosted.org/freeipa/ticket/6263 --- ipaserver/install/ipa_server_certinstall.py | 40 +++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index 0a8fb21..2bd12f5 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -25,8 +25,8 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths -from ipapython import admintool -from ipapython.certdb import get_ca_nickname +from ipapython import admintool, ipautil +from ipapython.certdb import get_ca_nickname, NSSDatabase from ipapython.dn import DN from ipalib import api, errors from ipalib.constants import CACERT 
@@ -157,6 +157,38 @@ def install_http_cert(self): os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid) os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid) +def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb): +# create a temp nssdb +with NSSDatabase() as tempnssdb: +db_password = ipautil.ipa_generate_password() +db_pwdfile = ipautil.write_tmp_file(db_password) +tempnssdb.create_db(db_pwdfile.name) + +# import the PKCS12 file, then delete all CA certificates +# this leaves only the server certs in the temp db +tempnssdb.import_pkcs12(pkcs12_filename, db_pwdfile.name, +pkcs12_pin) +for nickname, flags in tempnssdb.list_certs(): +if 'u' not in flags: +while tempnssdb.has_nickname(nickname): +tempnssdb.delete_cert(nickname) + +# import all the CA certs from nssdb into the temp db +for nickname, flags in nssdb.list_certs(): +if 'u' not in flags: +cert = nssdb.get_cert_from_db(nickname) +tempnssdb.add_cert(cert, nickname, flags) + +# now get the server certs from tempnssdb and check their validity +try: +for nick, flags in tempnssdb.find_server_certs(): +tempnssdb.verify_server_cert_validity(nick, api.env.host) +except ValueError as e: +raise admintool.ScriptError( +"Error: %s\n" +"Please run ipa-cacert-manage install and ipa-certupdate " +"to install the CA certificate." % str(e)) + def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): pkcs12_file, pin, ca_cert = installutils.load_pkcs12( cert_files=self.args, 
@@ -167,6 +199,10 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): dirname = os.path.normpath(dirname) cdb = certs.CertDB(api.env.realm, nssdir=dirname) + +# Check that the ca_cert is known and trusted +self.check_chain(pkcs12_file.name, pin, cdb) + try: ca_enabled = api.Command.ca_is_enabled()['result'] if ca_enabled: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/50 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/50/head:pr50 git checkout pr50 From 087c96fd57666aebe96863284ebfdb4861bf779a Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 1 Sep 2016 13:56:24 +0200 Subject: [PATCH] Add cert checks in ipa-server-certinstall When ipa-server-certinstall is called to install a new server certificate, the prerequisite is that the certificate issuer must be already known by IPA. This fix adds new checks to make sure that the tool exits before modifying the target NSS database if it is not the case. The fix consists in creating a temp NSS database with the CA certs from the target NSS database + the new server cert and checking the new server cert validity. https://fedorahosted.org/freeipa/ticket/6263 --- ipaserver/install/ipa_server_certinstall.py | 43 +++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index 0a8fb21..705d666 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -25,8 +25,8 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths -from ipapython import admintool -from ipapython.certdb import get_ca_nickname +from ipapython import admintool, ipautil +from ipapython.certdb import get_ca_nickname, NSSDatabase from ipapython.dn import DN from ipalib import api, errors from ipalib.constants import CACERT 
@@ -157,6 +157,41 @@ def install_http_cert(self): os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid) os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid) +def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb): +# create a temp nssdb +with NSSDatabase() as tempnssdb: +db_password = ipautil.ipa_generate_password() +db_pwdfile = ipautil.write_tmp_file(db_password) +tempnssdb.create_db(db_pwdfile.name) + +# import the PKCS12 file, then delete all CA certificates +# this leaves only the server certs in the temp db +try: +tempnssdb.import_pkcs12(pkcs12_filename, db_pwdfile.name, +pkcs12_pin) +for nickname, flags in tempnssdb.list_certs(): +if 'u' not in flags: +tempnssdb.delete_cert(nickname) + +except RuntimeError as e: +raise admintool.ScriptError(str(e)) + +# import all the CA certs from nssdb into the temp db +for nickname, flags in nssdb.list_certs(): +if 'u' not in flags: +cert = nssdb.get_cert_from_db(nickname) +tempnssdb.add_cert(cert, nickname, flags) + +# now get the server certs from tempnssdb and check their validity +try: +for nick, flags in tempnssdb.find_server_certs(): +tempnssdb.verify_server_cert_validity(nick, api.env.host) +except ValueError as e: +raise admintool.ScriptError( +"Peer's certificate issuer is not trusted. " +"Please run ipa-cacert-manage install and ipa-certupdate " +"to install the CA certificate.") + def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): pkcs12_file, pin, ca_cert = installutils.load_pkcs12( cert_files=self.args, 
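Review bot: The `except ValueError as e:` handler in this revision discards `e` and reports "Peer's certificate issuer is not trusted" for every ValueError raised by verify_server_cert_validity, yet the api.env.host argument suggests that method presumably also rejects a hostname mismatch or an expired certificate, so the operator would be sent to ipa-cacert-manage for a problem it cannot fix; the unused `e` binding will also be flagged by the linter. Keep the detail the exception carries, e.g. `"Peer's certificate is not valid for this server: %s. If the issuer is not trusted, run ipa-cacert-manage install and ipa-certupdate." % e`. This revision also drops the `while tempnssdb.has_nickname(nickname)` loop around delete_cert that the earlier revisions had; if delete_cert removes only one certificate per nickname (not visible here), a CA nickname that maps to several certificates would leave some of them in the temporary database and the later add_cert of the same nickname from nssdb could collide, so I would confirm that before removing the loop.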
@@ -167,6 +202,10 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command): dirname = os.path.normpath(dirname) cdb = certs.CertDB(api.env.realm, nssdir=dirname) + +# Check that the ca_cert is known and trusted +self.check_chain(pkcs12_file.name, pin, cdb) + try: ca_enabled = api.Command.ca_is_enabled()['result'] if ca_enabled: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code