pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0145-certdb-use-custom-object-for-trust-flags.patch

ac7d03
From e8805e118446a1ad542d183e2f6bea0f87651795 Mon Sep 17 00:00:00 2001
ac7d03
From: Jan Cholasta <jcholast@redhat.com>
ac7d03
Date: Thu, 27 Apr 2017 09:37:38 +0200
ac7d03
Subject: [PATCH] certdb: use custom object for trust flags
ac7d03
ac7d03
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
ac7d03
class encapsulates `certstore` key policy and has an additional flag
ac7d03
indicating the presence of a private key.
ac7d03
ac7d03
https://pagure.io/freeipa/issue/6831
ac7d03
ac7d03
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ac7d03
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ac7d03
---
ac7d03
 install/restart_scripts/renew_ca_cert       |   2 +-
ac7d03
 ipalib/install/certstore.py                 |  49 +------------
ac7d03
 ipapython/certdb.py                         | 109 ++++++++++++++++++++++++++--
ac7d03
 ipaserver/install/installutils.py           |   2 +-
ac7d03
 ipaserver/install/ipa_cacert_manage.py      |   6 +-
ac7d03
 ipaserver/install/ipa_server_certinstall.py |   4 +-
ac7d03
 ipaserver/install/plugins/upload_cacrt.py   |   2 +-
ac7d03
 ipaserver/install/server/upgrade.py         |   2 +-
ac7d03
 8 files changed, 117 insertions(+), 59 deletions(-)
ac7d03
ac7d03
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
ac7d03
index 7a54b4c7e05a35b40b17e46b75ff8d47db1b2d23..bb31defc0e2bdca044e68ae067f42fb3bd41a57f 100644
ac7d03
--- a/install/restart_scripts/renew_ca_cert
ac7d03
+++ b/install/restart_scripts/renew_ca_cert
ac7d03
@@ -125,7 +125,7 @@ def _main():
ac7d03
 
ac7d03
             # Remove old external CA certificates
ac7d03
             for ca_nick, ca_flags in db.list_certs():
ac7d03
-                if 'u' in ca_flags:
ac7d03
+                if ca_flags.has_key:
ac7d03
                     continue
ac7d03
                 # Delete *all* certificates that use the nickname
ac7d03
                 while True:
ac7d03
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
ac7d03
index 310e08ed2273badba6fde4ada0ee52501fddc72c..bc2079fb12873444cbe6796eebfdfcfebd0e284d 100644
ac7d03
--- a/ipalib/install/certstore.py
ac7d03
+++ b/ipalib/install/certstore.py
ac7d03
@@ -25,7 +25,7 @@ LDAP shared certificate store.
ac7d03
 from pyasn1.error import PyAsn1Error
ac7d03
 
ac7d03
 from ipapython.dn import DN
ac7d03
-from ipapython.certdb import get_ca_nickname
ac7d03
+from ipapython.certdb import get_ca_nickname, TrustFlags
ac7d03
 from ipalib import errors, x509
ac7d03
 
ac7d03
 def _parse_cert(dercert):
ac7d03
@@ -344,57 +344,14 @@ def trust_flags_to_key_policy(trust_flags):
ac7d03
     """
ac7d03
     Convert certutil trust flags to certificate store key policy.
ac7d03
     """
ac7d03
-    if 'p' in trust_flags:
ac7d03
-        if 'C' in trust_flags or 'P' in trust_flags or 'T' in trust_flags:
ac7d03
-            raise ValueError("cannot be both trusted and not trusted")
ac7d03
-        return False, None, None
ac7d03
-    elif 'C' in trust_flags or 'T' in trust_flags:
ac7d03
-        if 'P' in trust_flags:
ac7d03
-            raise ValueError("cannot be both CA and not CA")
ac7d03
-        ca = True
ac7d03
-    elif 'P' in trust_flags:
ac7d03
-        ca = False
ac7d03
-    else:
ac7d03
-        return None, None, set()
ac7d03
-
ac7d03
-    trust_flags = trust_flags.split(',')
ac7d03
-    ext_key_usage = set()
ac7d03
-    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
ac7d03
-                            x509.EKU_EMAIL_PROTECTION,
ac7d03
-                            x509.EKU_CODE_SIGNING)):
ac7d03
-        if 'C' in trust_flags[i] or 'P' in trust_flags[i]:
ac7d03
-            ext_key_usage.add(kp)
ac7d03
-    if 'T' in trust_flags[0]:
ac7d03
-        ext_key_usage.add(x509.EKU_CLIENT_AUTH)
ac7d03
-
ac7d03
-    return True, ca, ext_key_usage
ac7d03
+    return trust_flags[1:]
ac7d03
 
ac7d03
 
ac7d03
 def key_policy_to_trust_flags(trusted, ca, ext_key_usage):
ac7d03
     """
ac7d03
     Convert certificate store key policy to certutil trust flags.
ac7d03
     """
ac7d03
-    if trusted is False:
ac7d03
-        return 'p,p,p'
ac7d03
-    elif trusted is None or ca is None:
ac7d03
-        return ',,'
ac7d03
-    elif ext_key_usage is None:
ac7d03
-        if ca:
ac7d03
-            return 'CT,C,C'
ac7d03
-        else:
ac7d03
-            return 'P,P,P'
ac7d03
-
ac7d03
-    trust_flags = ['', '', '']
ac7d03
-    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
ac7d03
-                            x509.EKU_EMAIL_PROTECTION,
ac7d03
-                            x509.EKU_CODE_SIGNING)):
ac7d03
-        if kp in ext_key_usage:
ac7d03
-            trust_flags[i] += ('C' if ca else 'P')
ac7d03
-    if ca and x509.EKU_CLIENT_AUTH in ext_key_usage:
ac7d03
-        trust_flags[0] += 'T'
ac7d03
-
ac7d03
-    trust_flags = ','.join(trust_flags)
ac7d03
-    return trust_flags
ac7d03
+    return TrustFlags(False, trusted, ca, ext_key_usage)
ac7d03
 
ac7d03
 
ac7d03
 def put_ca_cert_nss(ldap, base_dn, dercert, nickname, trust_flags,
ac7d03
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
ac7d03
index 88dcae750de5881ae7b4921ca1ae23daa9c5d4b0..af95eba3cbad1c354615457ed0501f97bff0e22d 100644
ac7d03
--- a/ipapython/certdb.py
ac7d03
+++ b/ipapython/certdb.py
ac7d03
@@ -17,6 +17,7 @@
ac7d03
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
ac7d03
 #
ac7d03
 
ac7d03
+import collections
ac7d03
 import os
ac7d03
 import io
ac7d03
 import pwd
ac7d03
@@ -52,10 +53,26 @@ CA_NICKNAME_FMT = "%s IPA CA"
ac7d03
 
ac7d03
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
ac7d03
 
ac7d03
-EMPTY_TRUST_FLAGS = ',,'
ac7d03
-IPA_CA_TRUST_FLAGS = 'CT,C,C'
ac7d03
-EXTERNAL_CA_TRUST_FLAGS = 'C,,'
ac7d03
-TRUSTED_PEER_TRUST_FLAGS = 'P,,'
ac7d03
+TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')
ac7d03
+
ac7d03
+EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)
ac7d03
+
ac7d03
+IPA_CA_TRUST_FLAGS = TrustFlags(
ac7d03
+    False, True, True, frozenset({
ac7d03
+        x509.EKU_SERVER_AUTH,
ac7d03
+        x509.EKU_CLIENT_AUTH,
ac7d03
+        x509.EKU_CODE_SIGNING,
ac7d03
+        x509.EKU_EMAIL_PROTECTION,
ac7d03
+    }),
ac7d03
+)
ac7d03
+
ac7d03
+EXTERNAL_CA_TRUST_FLAGS = TrustFlags(
ac7d03
+    False, True, True, frozenset({x509.EKU_SERVER_AUTH}),
ac7d03
+)
ac7d03
+
ac7d03
+TRUSTED_PEER_TRUST_FLAGS = TrustFlags(
ac7d03
+    False, True, False, frozenset({x509.EKU_SERVER_AUTH}),
ac7d03
+)
ac7d03
 
ac7d03
 
ac7d03
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
ac7d03
@@ -87,6 +104,82 @@ def get_file_cont(slot, token, filename):
ac7d03
         return f.read()
ac7d03
 
ac7d03
 
ac7d03
+def parse_trust_flags(trust_flags):
ac7d03
+    """
ac7d03
+    Convert certutil trust flags to TrustFlags object.
ac7d03
+    """
ac7d03
+    has_key = 'u' in trust_flags
ac7d03
+
ac7d03
+    if 'p' in trust_flags:
ac7d03
+        if 'C' in trust_flags or 'P' in trust_flags or 'T' in trust_flags:
ac7d03
+            raise ValueError("cannot be both trusted and not trusted")
ac7d03
+        return False, None, None
ac7d03
+    elif 'C' in trust_flags or 'T' in trust_flags:
ac7d03
+        if 'P' in trust_flags:
ac7d03
+            raise ValueError("cannot be both CA and not CA")
ac7d03
+        ca = True
ac7d03
+    elif 'P' in trust_flags:
ac7d03
+        ca = False
ac7d03
+    else:
ac7d03
+        return TrustFlags(has_key, None, None, frozenset())
ac7d03
+
ac7d03
+    trust_flags = trust_flags.split(',')
ac7d03
+    ext_key_usage = set()
ac7d03
+    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
ac7d03
+                            x509.EKU_EMAIL_PROTECTION,
ac7d03
+                            x509.EKU_CODE_SIGNING)):
ac7d03
+        if 'C' in trust_flags[i] or 'P' in trust_flags[i]:
ac7d03
+            ext_key_usage.add(kp)
ac7d03
+    if 'T' in trust_flags[0]:
ac7d03
+        ext_key_usage.add(x509.EKU_CLIENT_AUTH)
ac7d03
+
ac7d03
+    return TrustFlags(has_key, True, ca, frozenset(ext_key_usage))
ac7d03
+
ac7d03
+
ac7d03
+def unparse_trust_flags(trust_flags):
ac7d03
+    """
ac7d03
+    Convert TrustFlags object to certutil trust flags.
ac7d03
+    """
ac7d03
+    has_key, trusted, ca, ext_key_usage = trust_flags
ac7d03
+
ac7d03
+    if trusted is False:
ac7d03
+        if has_key:
ac7d03
+            return 'pu,pu,pu'
ac7d03
+        else:
ac7d03
+            return 'p,p,p'
ac7d03
+    elif trusted is None or ca is None:
ac7d03
+        if has_key:
ac7d03
+            return 'u,u,u'
ac7d03
+        else:
ac7d03
+            return ',,'
ac7d03
+    elif ext_key_usage is None:
ac7d03
+        if ca:
ac7d03
+            if has_key:
ac7d03
+                return 'CTu,Cu,Cu'
ac7d03
+            else:
ac7d03
+                return 'CT,C,C'
ac7d03
+        else:
ac7d03
+            if has_key:
ac7d03
+                return 'Pu,Pu,Pu'
ac7d03
+            else:
ac7d03
+                return 'P,P,P'
ac7d03
+
ac7d03
+    trust_flags = ['', '', '']
ac7d03
+    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
ac7d03
+                            x509.EKU_EMAIL_PROTECTION,
ac7d03
+                            x509.EKU_CODE_SIGNING)):
ac7d03
+        if kp in ext_key_usage:
ac7d03
+            trust_flags[i] += ('C' if ca else 'P')
ac7d03
+    if ca and x509.EKU_CLIENT_AUTH in ext_key_usage:
ac7d03
+        trust_flags[0] += 'T'
ac7d03
+    if has_key:
ac7d03
+        for i in range(3):
ac7d03
+            trust_flags[i] += 'u'
ac7d03
+
ac7d03
+    trust_flags = ','.join(trust_flags)
ac7d03
+    return trust_flags
ac7d03
+
ac7d03
+
ac7d03
 class NSSDatabase(object):
ac7d03
     """A general-purpose wrapper around a NSS cert database
ac7d03
 
ac7d03
@@ -205,7 +298,9 @@ class NSSDatabase(object):
ac7d03
         for cert in certs:
ac7d03
             match = re.match(r'^(.+?)\s+(\w*,\w*,\w*)\s*$', cert)
ac7d03
             if match:
ac7d03
-                certlist.append(match.groups())
ac7d03
+                nickname = match.group(1)
ac7d03
+                trust_flags = parse_trust_flags(match.group(2))
ac7d03
+                certlist.append((nickname, trust_flags))
ac7d03
 
ac7d03
         return tuple(certlist)
ac7d03
 
ac7d03
@@ -218,7 +313,7 @@ class NSSDatabase(object):
ac7d03
         """
ac7d03
         server_certs = []
ac7d03
         for name, flags in self.list_certs():
ac7d03
-            if 'u' in flags:
ac7d03
+            if flags.has_key:
ac7d03
                 server_certs.append((name, flags))
ac7d03
 
ac7d03
         return server_certs
ac7d03
@@ -477,6 +572,7 @@ class NSSDatabase(object):
ac7d03
                 "No need to add trust for built-in root CAs, skipping %s" %
ac7d03
                 root_nickname)
ac7d03
         else:
ac7d03
+            trust_flags = unparse_trust_flags(trust_flags)
ac7d03
             try:
ac7d03
                 self.run_certutil(["-M", "-n", root_nickname,
ac7d03
                                    "-t", trust_flags])
ac7d03
@@ -538,6 +634,7 @@ class NSSDatabase(object):
ac7d03
                              location)
ac7d03
 
ac7d03
     def add_cert(self, cert, nick, flags, pem=False):
ac7d03
+        flags = unparse_trust_flags(flags)
ac7d03
         args = ["-A", "-n", nick, "-t", flags]
ac7d03
         if pem:
ac7d03
             args.append("-a")
ac7d03
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
ac7d03
index 0445a1d3c403fab690e5afb7c8801ed85773b1e0..5bce9894780bd920db11196b925492a7fe8f22d0 100644
ac7d03
--- a/ipaserver/install/installutils.py
ac7d03
+++ b/ipaserver/install/installutils.py
ac7d03
@@ -1034,7 +1034,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
ac7d03
                 raise ScriptError(str(e))
ac7d03
 
ac7d03
         for nickname, trust_flags in nssdb.list_certs():
ac7d03
-            if 'u' in trust_flags:
ac7d03
+            if trust_flags.has_key:
ac7d03
                 key_nickname = nickname
ac7d03
                 continue
ac7d03
             nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
ac7d03
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
ac7d03
index 88b40d45e10281d272882d21e06f5d53cf5a701d..d28a5966f054141819463cdb1dfef48ee1e46e92 100644
ac7d03
--- a/ipaserver/install/ipa_cacert_manage.py
ac7d03
+++ b/ipaserver/install/ipa_cacert_manage.py
ac7d03
@@ -26,7 +26,9 @@ import gssapi
ac7d03
 
ac7d03
 from ipalib.install import certmonger, certstore
ac7d03
 from ipapython import admintool, ipautil
ac7d03
-from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
ac7d03
+from ipapython.certdb import (EMPTY_TRUST_FLAGS,
ac7d03
+                              EXTERNAL_CA_TRUST_FLAGS,
ac7d03
+                              parse_trust_flags)
ac7d03
 from ipapython.dn import DN
ac7d03
 from ipaplatform.paths import paths
ac7d03
 from ipalib import api, errors, x509
ac7d03
@@ -366,6 +368,8 @@ class CACertManage(admintool.AdminTool):
ac7d03
             len(trust_flags.split(',')) != 3):
ac7d03
             raise admintool.ScriptError("Invalid trust flags")
ac7d03
 
ac7d03
+        trust_flags = parse_trust_flags(trust_flags)
ac7d03
+
ac7d03
         try:
ac7d03
             certstore.put_ca_cert_nss(
ac7d03
                 api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)
ac7d03
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
ac7d03
index ee93535edfd258fe71099881c54c413516b24d17..9f2cd9573a156949ae979e7b69fbd23adaf2feb8 100644
ac7d03
--- a/ipaserver/install/ipa_server_certinstall.py
ac7d03
+++ b/ipaserver/install/ipa_server_certinstall.py
ac7d03
@@ -170,13 +170,13 @@ class ServerCertInstall(admintool.AdminTool):
ac7d03
             # this leaves only the server certs in the temp db
ac7d03
             tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)
ac7d03
             for nickname, flags in tempnssdb.list_certs():
ac7d03
-                if 'u' not in flags:
ac7d03
+                if not flags.has_key:
ac7d03
                     while tempnssdb.has_nickname(nickname):
ac7d03
                         tempnssdb.delete_cert(nickname)
ac7d03
 
ac7d03
             # import all the CA certs from nssdb into the temp db
ac7d03
             for nickname, flags in nssdb.list_certs():
ac7d03
-                if 'u' not in flags:
ac7d03
+                if not flags.has_key:
ac7d03
                     cert = nssdb.get_cert_from_db(nickname)
ac7d03
                     tempnssdb.add_cert(cert, nickname, flags)
ac7d03
 
ac7d03
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
ac7d03
index 7d294ff971bd109e5fbb3570bfff0198f24b68d3..73cc91d8f6dd5811ec74efecd6c885cd8937a0f2 100644
ac7d03
--- a/ipaserver/install/plugins/upload_cacrt.py
ac7d03
+++ b/ipaserver/install/plugins/upload_cacrt.py
ac7d03
@@ -52,7 +52,7 @@ class update_upload_cacrt(Updater):
ac7d03
         ldap = self.api.Backend.ldap2
ac7d03
 
ac7d03
         for nickname, trust_flags in db.list_certs():
ac7d03
-            if 'u' in trust_flags:
ac7d03
+            if trust_flags.has_key:
ac7d03
                 continue
ac7d03
             if nickname == ca_nickname and ca_enabled:
ac7d03
                 trust_flags = certdb.IPA_CA_TRUST_FLAGS
ac7d03
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
ac7d03
index 73a4f1108a56a766cdbbcb93d7050482a8264a75..c244958f4cddba0d1edded5165a295b1e1ee2b8a 100644
ac7d03
--- a/ipaserver/install/server/upgrade.py
ac7d03
+++ b/ipaserver/install/server/upgrade.py
ac7d03
@@ -1547,7 +1547,7 @@ def disable_httpd_system_trust(http):
ac7d03
 
ac7d03
     db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
ac7d03
     for nickname, trust_flags in db.list_certs():
ac7d03
-        if 'u' not in trust_flags:
ac7d03
+        if not trust_flags.has_key:
ac7d03
             cert = db.get_cert_from_db(nickname, pem=False)
ac7d03
             if cert:
ac7d03
                 ca_certs.append((cert, nickname, trust_flags))
ac7d03
-- 
ac7d03
2.9.4
ac7d03