pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone
Source Code
GIT

Blame SOURCES/0089-Fix-RA-cert-import-during-DL0-replication.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client
  1.   848136e6b9ad9f432934a8fb29db0b86b253988c
  2.   SOURCES
  3.   0089-Fix-RA-cert-import-during-DL0-replication.patch
Blob History Raw
483b06 
From 899f9b980afba02cfdf80155905354a7371ad871 Mon Sep 17 00:00:00 2001
483b06 
From: Stanislav Laznicka <slaznick@redhat.com>
483b06 
Date: Wed, 19 Apr 2017 11:42:40 +0200
483b06 
Subject: [PATCH] Fix RA cert import during DL0 replication
483b06
483b06 
Previous versions of FreeIPA add password to the ra.p12 file
483b06 
contained in the password-protected tarball. This was forgotten
483b06 
about in the recent changes and fixed now.
483b06
483b06 
https://pagure.io/freeipa/issue/6878
483b06
483b06 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
483b06 
---
483b06 
 ipaserver/install/cainstance.py          | 43 +++++++++++++++++++-------------
483b06 
 ipaserver/install/ipa_replica_prepare.py | 17 +++++++------
483b06 
 2 files changed, 35 insertions(+), 25 deletions(-)
483b06
483b06 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
483b06 
index e2070e39f7e162fcff6e1f8cca41218e440b5f58..640d2884130dd152012e50dde45514f5ca26a523 100644
483b06 
--- a/ipaserver/install/cainstance.py
483b06 
+++ b/ipaserver/install/cainstance.py
483b06 
@@ -338,6 +338,7 @@ class CAInstance(DogtagInstance):
483b06 
             self.clone = True
483b06 
         self.master_host = master_host
483b06 
         self.master_replication_port = master_replication_port
483b06 
+        self.ra_p12 = ra_p12
483b06
483b06 
         self.subject_base = \
483b06 
             subject_base or installutils.default_subject_base(self.realm)
483b06 
@@ -400,7 +401,7 @@ class CAInstance(DogtagInstance):
483b06 
                     self.step("Importing RA key", self.__import_ra_key)
483b06 
                 else:
483b06 
                     self.step("importing RA certificate from PKCS #12 file",
483b06 
-                              lambda: self.import_ra_cert(ra_p12))
483b06 
+                              self.__import_ra_cert)
483b06
483b06 
             if not ra_only:
483b06 
                 self.step("setting up signing cert profile", self.__setup_sign_profile)
483b06 
@@ -673,28 +674,36 @@ class CAInstance(DogtagInstance):
483b06 
                                    'NSS_ENABLE_PKIX_VERIFY', '1',
483b06 
                                    quotes=False, separator='=')
483b06
483b06 
-    def import_ra_cert(self, rafile):
483b06 
+    def __import_ra_cert(self):
483b06 
+        """
483b06 
+        Helper method for IPA domain level 0 replica install
483b06 
+        """
483b06 
+        self.import_ra_cert(self.ra_p12, self.dm_password)
483b06 
+
483b06 
+    def import_ra_cert(self, rafile, password=''):
483b06 
         """
483b06 
         Cloned RAs will use the same RA agent cert as the master so we
483b06 
         need to import from a PKCS#12 file.
483b06
483b06 
         Used when setting up replication
483b06 
         """
483b06 
-        # get the private key from the file
483b06 
-        ipautil.run([paths.OPENSSL,
483b06 
-                     "pkcs12",
483b06 
-                     "-in", rafile,
483b06 
-                     "-nocerts", "-nodes",
483b06 
-                     "-out", paths.RA_AGENT_KEY,
483b06 
-                     "-passin", "pass:"])
483b06 
-
483b06 
-        # get the certificate from the pkcs12 file
483b06 
-        ipautil.run([paths.OPENSSL,
483b06 
-                     "pkcs12",
483b06 
-                     "-in", rafile,
483b06 
-                     "-clcerts", "-nokeys",
483b06 
-                     "-out", paths.RA_AGENT_PEM,
483b06 
-                     "-passin", "pass:"])
483b06 
+        with ipautil.write_tmp_file(password) as f:
483b06 
+            pwdarg = 'file:{file}'.format(file=f.name)
483b06 
+            # get the private key from the file
483b06 
+            ipautil.run([paths.OPENSSL,
483b06 
+                         "pkcs12",
483b06 
+                         "-in", rafile,
483b06 
+                         "-nocerts", "-nodes",
483b06 
+                         "-out", paths.RA_AGENT_KEY,
483b06 
+                         "-passin", pwdarg])
483b06 
+
483b06 
+            # get the certificate from the pkcs12 file
483b06 
+            ipautil.run([paths.OPENSSL,
483b06 
+                         "pkcs12",
483b06 
+                         "-in", rafile,
483b06 
+                         "-clcerts", "-nokeys",
483b06 
+                         "-out", paths.RA_AGENT_PEM,
483b06 
+                         "-passin", pwdarg])
483b06 
         self.__set_ra_cert_perms()
483b06
483b06 
         self.configure_agent_renewal()
483b06 
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
483b06 
index 95c3818a9fc34c937f8b418e91a1bfc28352b02e..d4456dd796167c3717be013d2378413519a3b366 100644
483b06 
--- a/ipaserver/install/ipa_replica_prepare.py
483b06 
+++ b/ipaserver/install/ipa_replica_prepare.py
483b06 
@@ -571,14 +571,15 @@ class ReplicaPrepare(admintool.AdminTool):
483b06 
     def export_ra_pkcs12(self):
483b06 
         if (os.path.exists(paths.RA_AGENT_PEM) and
483b06 
            os.path.exists(paths.RA_AGENT_KEY)):
483b06 
-            ipautil.run([
483b06 
-                paths.OPENSSL,
483b06 
-                "pkcs12", "-export",
483b06 
-                "-inkey", paths.RA_AGENT_KEY,
483b06 
-                "-in", paths.RA_AGENT_PEM,
483b06 
-                "-out", os.path.join(self.dir, "ra.p12"),
483b06 
-                "-passout", "pass:"
483b06 
-            ])
483b06 
+            with ipautil.write_tmp_file(self.dirman_password) as f:
483b06 
+                ipautil.run([
483b06 
+                    paths.OPENSSL,
483b06 
+                    "pkcs12", "-export",
483b06 
+                    "-inkey", paths.RA_AGENT_KEY,
483b06 
+                    "-in", paths.RA_AGENT_PEM,
483b06 
+                    "-out", os.path.join(self.dir, "ra.p12"),
483b06 
+                    "-passout", "file:{pwfile}".format(pwfile=f.name)
483b06 
+                ])
483b06
483b06 
     def update_pki_admin_password(self):
483b06 
         dn = DN('uid=admin', 'ou=people', 'o=ipaca')
483b06 
--
483b06 
2.12.2
483b06

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation