From e8805e118446a1ad542d183e2f6bea0f87651795 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Thu, 27 Apr 2017 09:37:38 +0200

Subject: [PATCH] certdb: use custom object for trust flags

Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`

class encapsulates `certstore` key policy and has an additional flag

indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 install/restart_scripts/renew_ca_cert       |   2 +-

 ipalib/install/certstore.py                 |  49 +------------

 ipapython/certdb.py                         | 109 ++++++++++++++++++++++++++--

 ipaserver/install/installutils.py           |   2 +-

 ipaserver/install/ipa_cacert_manage.py      |   6 +-

 ipaserver/install/ipa_server_certinstall.py |   4 +-

 ipaserver/install/plugins/upload_cacrt.py   |   2 +-

 ipaserver/install/server/upgrade.py         |   2 +-

 8 files changed, 117 insertions(+), 59 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert

index 7a54b4c7e05a35b40b17e46b75ff8d47db1b2d23..bb31defc0e2bdca044e68ae067f42fb3bd41a57f 100644

--- a/install/restart_scripts/renew_ca_cert

+++ b/install/restart_scripts/renew_ca_cert

@@ -125,7 +125,7 @@ def _main():

             # Remove old external CA certificates

             for ca_nick, ca_flags in db.list_certs():

-                if 'u' in ca_flags:

+                if ca_flags.has_key:

                     continue

                 # Delete *all* certificates that use the nickname

                 while True:

diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py

index 310e08ed2273badba6fde4ada0ee52501fddc72c..bc2079fb12873444cbe6796eebfdfcfebd0e284d 100644

--- a/ipalib/install/certstore.py

+++ b/ipalib/install/certstore.py

@@ -25,7 +25,7 @@ LDAP shared certificate store.

 from pyasn1.error import PyAsn1Error

 from ipapython.dn import DN

-from ipapython.certdb import get_ca_nickname

+from ipapython.certdb import get_ca_nickname, TrustFlags

 from ipalib import errors, x509

 def _parse_cert(dercert):

@@ -344,57 +344,14 @@ def trust_flags_to_key_policy(trust_flags):

     """

     Convert certutil trust flags to certificate store key policy.

     """

-    if 'p' in trust_flags:

-        if 'C' in trust_flags or 'P' in trust_flags or 'T' in trust_flags:

-            raise ValueError("cannot be both trusted and not trusted")

-        return False, None, None

-    elif 'C' in trust_flags or 'T' in trust_flags:

-        if 'P' in trust_flags:

-            raise ValueError("cannot be both CA and not CA")

-        ca = True

-    elif 'P' in trust_flags:

-        ca = False

-    else:

-        return None, None, set()

-

-    trust_flags = trust_flags.split(',')

-    ext_key_usage = set()

-    for i, kp in enumerate((x509.EKU_SERVER_AUTH,

-                            x509.EKU_EMAIL_PROTECTION,

-                            x509.EKU_CODE_SIGNING)):

-        if 'C' in trust_flags[i] or 'P' in trust_flags[i]:

-            ext_key_usage.add(kp)

-    if 'T' in trust_flags[0]:

-        ext_key_usage.add(x509.EKU_CLIENT_AUTH)

-

-    return True, ca, ext_key_usage

+    return trust_flags[1:]

 def key_policy_to_trust_flags(trusted, ca, ext_key_usage):

     """

     Convert certificate store key policy to certutil trust flags.

     """

-    if trusted is False:

-        return 'p,p,p'

-    elif trusted is None or ca is None:

-        return ',,'

-    elif ext_key_usage is None:

-        if ca:

-            return 'CT,C,C'

-        else:

-            return 'P,P,P'

-

-    trust_flags = ['', '', '']

-    for i, kp in enumerate((x509.EKU_SERVER_AUTH,

-                            x509.EKU_EMAIL_PROTECTION,

-                            x509.EKU_CODE_SIGNING)):

-        if kp in ext_key_usage:

-            trust_flags[i] += ('C' if ca else 'P')

-    if ca and x509.EKU_CLIENT_AUTH in ext_key_usage:

-        trust_flags[0] += 'T'

-

-    trust_flags = ','.join(trust_flags)

-    return trust_flags

+    return TrustFlags(False, trusted, ca, ext_key_usage)

 def put_ca_cert_nss(ldap, base_dn, dercert, nickname, trust_flags,

diff --git a/ipapython/certdb.py b/ipapython/certdb.py

index 88dcae750de5881ae7b4921ca1ae23daa9c5d4b0..af95eba3cbad1c354615457ed0501f97bff0e22d 100644

--- a/ipapython/certdb.py

+++ b/ipapython/certdb.py

@@ -17,6 +17,7 @@

 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 #

+import collections

 import os

 import io

 import pwd

@@ -52,10 +53,26 @@ CA_NICKNAME_FMT = "%s IPA CA"

 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")

-EMPTY_TRUST_FLAGS = ',,'

-IPA_CA_TRUST_FLAGS = 'CT,C,C'

-EXTERNAL_CA_TRUST_FLAGS = 'C,,'

-TRUSTED_PEER_TRUST_FLAGS = 'P,,'

+TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')

+

+EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)

+

+IPA_CA_TRUST_FLAGS = TrustFlags(

+    False, True, True, frozenset({

+        x509.EKU_SERVER_AUTH,

+        x509.EKU_CLIENT_AUTH,

+        x509.EKU_CODE_SIGNING,

+        x509.EKU_EMAIL_PROTECTION,

+    }),

+)

+

+EXTERNAL_CA_TRUST_FLAGS = TrustFlags(

+    False, True, True, frozenset({x509.EKU_SERVER_AUTH}),

+)

+

+TRUSTED_PEER_TRUST_FLAGS = TrustFlags(

+    False, True, False, frozenset({x509.EKU_SERVER_AUTH}),

+)

 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):

@@ -87,6 +104,82 @@ def get_file_cont(slot, token, filename):

         return f.read()

+def parse_trust_flags(trust_flags):

+    """

+    Convert certutil trust flags to TrustFlags object.

+    """

+    has_key = 'u' in trust_flags

+

+    if 'p' in trust_flags:

+        if 'C' in trust_flags or 'P' in trust_flags or 'T' in trust_flags:

+            raise ValueError("cannot be both trusted and not trusted")

+        return False, None, None

+    elif 'C' in trust_flags or 'T' in trust_flags:

+        if 'P' in trust_flags:

+            raise ValueError("cannot be both CA and not CA")

+        ca = True

+    elif 'P' in trust_flags:

+        ca = False

+    else:

+        return TrustFlags(has_key, None, None, frozenset())

+

+    trust_flags = trust_flags.split(',')

+    ext_key_usage = set()

+    for i, kp in enumerate((x509.EKU_SERVER_AUTH,

+                            x509.EKU_EMAIL_PROTECTION,

+                            x509.EKU_CODE_SIGNING)):

+        if 'C' in trust_flags[i] or 'P' in trust_flags[i]:

+            ext_key_usage.add(kp)

+    if 'T' in trust_flags[0]:

+        ext_key_usage.add(x509.EKU_CLIENT_AUTH)

+

+    return TrustFlags(has_key, True, ca, frozenset(ext_key_usage))

+

+

+def unparse_trust_flags(trust_flags):

+    """

+    Convert TrustFlags object to certutil trust flags.

+    """

+    has_key, trusted, ca, ext_key_usage = trust_flags

+

+    if trusted is False:

+        if has_key:

+            return 'pu,pu,pu'

+        else:

+            return 'p,p,p'

+    elif trusted is None or ca is None:

+        if has_key:

+            return 'u,u,u'

+        else:

+            return ',,'

+    elif ext_key_usage is None:

+        if ca:

+            if has_key:

+                return 'CTu,Cu,Cu'

+            else:

+                return 'CT,C,C'

+        else:

+            if has_key:

+                return 'Pu,Pu,Pu'

+            else:

+                return 'P,P,P'

+

+    trust_flags = ['', '', '']

+    for i, kp in enumerate((x509.EKU_SERVER_AUTH,

+                            x509.EKU_EMAIL_PROTECTION,

+                            x509.EKU_CODE_SIGNING)):

+        if kp in ext_key_usage:

+            trust_flags[i] += ('C' if ca else 'P')

+    if ca and x509.EKU_CLIENT_AUTH in ext_key_usage:

+        trust_flags[0] += 'T'

+    if has_key:

+        for i in range(3):

+            trust_flags[i] += 'u'

+

+    trust_flags = ','.join(trust_flags)

+    return trust_flags

+

+

 class NSSDatabase(object):

     """A general-purpose wrapper around a NSS cert database

@@ -205,7 +298,9 @@ class NSSDatabase(object):

         for cert in certs:

             match = re.match(r'^(.+?)\s+(\w*,\w*,\w*)\s*$', cert)

             if match:

-                certlist.append(match.groups())

+                nickname = match.group(1)

+                trust_flags = parse_trust_flags(match.group(2))

+                certlist.append((nickname, trust_flags))

         return tuple(certlist)

@@ -218,7 +313,7 @@ class NSSDatabase(object):

         """

         server_certs = []

         for name, flags in self.list_certs():

-            if 'u' in flags:

+            if flags.has_key:

                 server_certs.append((name, flags))

         return server_certs

@@ -477,6 +572,7 @@ class NSSDatabase(object):

                 "No need to add trust for built-in root CAs, skipping %s" %

                 root_nickname)

         else:

+            trust_flags = unparse_trust_flags(trust_flags)

             try:

                 self.run_certutil(["-M", "-n", root_nickname,

                                    "-t", trust_flags])

@@ -538,6 +634,7 @@ class NSSDatabase(object):

                              location)

     def add_cert(self, cert, nick, flags, pem=False):

+        flags = unparse_trust_flags(flags)

         args = ["-A", "-n", nick, "-t", flags]

         if pem:

             args.append("-a")

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py

index 0445a1d3c403fab690e5afb7c8801ed85773b1e0..5bce9894780bd920db11196b925492a7fe8f22d0 100644

--- a/ipaserver/install/installutils.py

+++ b/ipaserver/install/installutils.py

@@ -1034,7 +1034,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,

                 raise ScriptError(str(e))

         for nickname, trust_flags in nssdb.list_certs():

-            if 'u' in trust_flags:

+            if trust_flags.has_key:

                 key_nickname = nickname

                 continue

             nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)

diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py

index 88b40d45e10281d272882d21e06f5d53cf5a701d..d28a5966f054141819463cdb1dfef48ee1e46e92 100644

--- a/ipaserver/install/ipa_cacert_manage.py

+++ b/ipaserver/install/ipa_cacert_manage.py

@@ -26,7 +26,9 @@ import gssapi

 from ipalib.install import certmonger, certstore

 from ipapython import admintool, ipautil

-from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS

+from ipapython.certdb import (EMPTY_TRUST_FLAGS,

+                              EXTERNAL_CA_TRUST_FLAGS,

+                              parse_trust_flags)

 from ipapython.dn import DN

 from ipaplatform.paths import paths

 from ipalib import api, errors, x509

@@ -366,6 +368,8 @@ class CACertManage(admintool.AdminTool):

             len(trust_flags.split(',')) != 3):

             raise admintool.ScriptError("Invalid trust flags")

+        trust_flags = parse_trust_flags(trust_flags)

+

         try:

             certstore.put_ca_cert_nss(

                 api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)

diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py

index ee93535edfd258fe71099881c54c413516b24d17..9f2cd9573a156949ae979e7b69fbd23adaf2feb8 100644

--- a/ipaserver/install/ipa_server_certinstall.py

+++ b/ipaserver/install/ipa_server_certinstall.py

@@ -170,13 +170,13 @@ class ServerCertInstall(admintool.AdminTool):

             # this leaves only the server certs in the temp db

             tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)

             for nickname, flags in tempnssdb.list_certs():

-                if 'u' not in flags:

+                if not flags.has_key:

                     while tempnssdb.has_nickname(nickname):

                         tempnssdb.delete_cert(nickname)

             # import all the CA certs from nssdb into the temp db

             for nickname, flags in nssdb.list_certs():

-                if 'u' not in flags:

+                if not flags.has_key:

                     cert = nssdb.get_cert_from_db(nickname)

                     tempnssdb.add_cert(cert, nickname, flags)

diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py

index 7d294ff971bd109e5fbb3570bfff0198f24b68d3..73cc91d8f6dd5811ec74efecd6c885cd8937a0f2 100644

--- a/ipaserver/install/plugins/upload_cacrt.py

+++ b/ipaserver/install/plugins/upload_cacrt.py

@@ -52,7 +52,7 @@ class update_upload_cacrt(Updater):

         ldap = self.api.Backend.ldap2

         for nickname, trust_flags in db.list_certs():

-            if 'u' in trust_flags:

+            if trust_flags.has_key:

                 continue

             if nickname == ca_nickname and ca_enabled:

                 trust_flags = certdb.IPA_CA_TRUST_FLAGS

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index 73a4f1108a56a766cdbbcb93d7050482a8264a75..c244958f4cddba0d1edded5165a295b1e1ee2b8a 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1547,7 +1547,7 @@ def disable_httpd_system_trust(http):

     db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)

     for nickname, trust_flags in db.list_certs():

-        if 'u' not in trust_flags:

+        if not trust_flags.has_key:

             cert = db.get_cert_from_db(nickname, pem=False)

             if cert:

                 ca_certs.append((cert, nickname, trust_flags))

-- 

2.9.4