pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0156-server-certinstall-support-PKINIT.patch

ac7d03
From 96afd05dda2ce502994b6c9ceae819d79d96a666 Mon Sep 17 00:00:00 2001
ac7d03
From: Jan Cholasta <jcholast@redhat.com>
ac7d03
Date: Wed, 3 May 2017 06:18:05 +0000
ac7d03
Subject: [PATCH] server certinstall: support PKINIT
ac7d03
ac7d03
Allow replacing the KDC certificate.
ac7d03
ac7d03
https://pagure.io/freeipa/issue/6831
ac7d03
ac7d03
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ac7d03
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ac7d03
---
ac7d03
 install/tools/man/ipa-server-certinstall.1  |  5 ++-
ac7d03
 ipaserver/install/ipa_server_certinstall.py | 70 +++++++++++++++++++++++++++--
ac7d03
 2 files changed, 70 insertions(+), 5 deletions(-)
ac7d03
ac7d03
diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
ac7d03
index d23bbd490e2b0454b8fb908e22f33c7a611c8874..35cd8c6c711119d7c782c6a89ac78b4894cec073 100644
ac7d03
--- a/install/tools/man/ipa-server-certinstall.1
ac7d03
+++ b/install/tools/man/ipa-server-certinstall.1
ac7d03
@@ -22,7 +22,7 @@ ipa\-server\-certinstall \- Install new SSL server certificates
ac7d03
 .SH "SYNOPSIS"
ac7d03
 ipa\-server\-certinstall [\fIOPTION\fR]... FILE...
ac7d03
 .SH "DESCRIPTION"
ac7d03
-Replace the current SSL Directory and/or Apache server certificate(s) with the certificate in the specified files. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
ac7d03
+Replace the current Directory server SSL certificate, Apache server SSL certificate and/or Kerberos KDC certificate with the certificate in the specified files. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
ac7d03
 
ac7d03
 PKCS#12 is a file format used to safely transport SSL certificates and public/private keypairs.
ac7d03
 
ac7d03
@@ -37,6 +37,9 @@ Install the certificate on the Directory Server
ac7d03
 \fB\-w\fR, \fB\-\-http\fR
ac7d03
 Install the certificate in the Apache Web Server
ac7d03
 .TP
ac7d03
+\fB\-k\fR, \fB\-\-kdc\fR
ac7d03
+Install the certificate in the Kerberos KDC
ac7d03
+.TP
ac7d03
 \fB\-\-pin\fR=\fIPIN\fR
ac7d03
 The password to unlock the private key
ac7d03
 .TP
ac7d03
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
ac7d03
index 9f2cd9573a156949ae979e7b69fbd23adaf2feb8..a14a84f188c62170c8ac11f823ebba60609e4cc7 100644
ac7d03
--- a/ipaserver/install/ipa_server_certinstall.py
ac7d03
+++ b/ipaserver/install/ipa_server_certinstall.py
ac7d03
@@ -21,12 +21,17 @@
ac7d03
 import os
ac7d03
 import os.path
ac7d03
 import pwd
ac7d03
+import tempfile
ac7d03
 import optparse  # pylint: disable=deprecated-module
ac7d03
 
ac7d03
+from ipalib import x509
ac7d03
+from ipalib.install import certmonger
ac7d03
 from ipaplatform.constants import constants
ac7d03
 from ipaplatform.paths import paths
ac7d03
 from ipapython import admintool
ac7d03
-from ipapython.certdb import get_ca_nickname, NSSDatabase
ac7d03
+from ipapython.certdb import (get_ca_nickname,
ac7d03
+                              NSSDatabase,
ac7d03
+                              verify_kdc_cert_validity)
ac7d03
 from ipapython.dn import DN
ac7d03
 from ipalib import api, errors
ac7d03
 from ipaserver.install import certs, dsinstance, installutils
ac7d03
@@ -35,7 +40,7 @@ from ipaserver.install import certs, dsinstance, installutils
ac7d03
 class ServerCertInstall(admintool.AdminTool):
ac7d03
     command_name = 'ipa-server-certinstall'
ac7d03
 
ac7d03
-    usage = "%prog <-d|-w> [options] <file> ..."
ac7d03
+    usage = "%prog <-d|-w|-k> [options] <file> ..."
ac7d03
 
ac7d03
     description = "Install new SSL server certificates."
ac7d03
 
ac7d03
@@ -52,6 +57,10 @@ class ServerCertInstall(admintool.AdminTool):
ac7d03
             dest="http", action="store_true", default=False,
ac7d03
             help="install certificate for the http server")
ac7d03
         parser.add_option(
ac7d03
+            "-k", "--kdc",
ac7d03
+            dest="kdc", action="store_true", default=False,
ac7d03
+            help="install PKINIT certificate for the KDC")
ac7d03
+        parser.add_option(
ac7d03
             "--pin",
ac7d03
             dest="pin", metavar="PIN", sensitive=True,
ac7d03
             help="The password of the PKCS#12 file")
ac7d03
@@ -73,8 +82,9 @@ class ServerCertInstall(admintool.AdminTool):
ac7d03
 
ac7d03
         installutils.check_server_configuration()
ac7d03
 
ac7d03
-        if not self.options.dirsrv and not self.options.http:
ac7d03
-            self.option_parser.error("you must specify dirsrv and/or http")
ac7d03
+        if not any((self.options.dirsrv, self.options.http, self.options.kdc)):
ac7d03
+            self.option_parser.error(
ac7d03
+                "you must specify dirsrv, http and/or kdc")
ac7d03
 
ac7d03
         if not self.args:
ac7d03
             self.option_parser.error("you must provide certificate filename")
ac7d03
@@ -108,6 +118,9 @@ class ServerCertInstall(admintool.AdminTool):
ac7d03
         if self.options.http:
ac7d03
             self.install_http_cert()
ac7d03
 
ac7d03
+        if self.options.kdc:
ac7d03
+            self.install_kdc_cert()
ac7d03
+
ac7d03
         api.Backend.ldap2.disconnect()
ac7d03
 
ac7d03
     def install_dirsrv_cert(self):
ac7d03
@@ -161,6 +174,55 @@ class ServerCertInstall(admintool.AdminTool):
ac7d03
         os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
ac7d03
         os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
ac7d03
 
ac7d03
+    def install_kdc_cert(self):
ac7d03
+        ca_cert_file = paths.CA_BUNDLE_PEM
ac7d03
+        pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
ac7d03
+            cert_files=self.args,
ac7d03
+            key_password=self.options.pin,
ac7d03
+            key_nickname=self.options.cert_name,
ac7d03
+            ca_cert_files=[ca_cert_file],
ac7d03
+            realm_name=api.env.realm)
ac7d03
+
ac7d03
+        cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
ac7d03
+
ac7d03
+        # Check that the ca_cert is known and trusted
ac7d03
+        with tempfile.NamedTemporaryFile() as temp:
ac7d03
+            certs.install_pem_from_p12(pkcs12_file.name, pin, temp.name)
ac7d03
+
ac7d03
+            kdc_cert = x509.load_certificate_from_file(temp.name)
ac7d03
+            ca_certs = x509.load_certificate_list_from_file(ca_cert_file)
ac7d03
+
ac7d03
+            try:
ac7d03
+                verify_kdc_cert_validity(kdc_cert, ca_certs, api.env.realm)
ac7d03
+            except ValueError as e:
ac7d03
+                raise admintool.ScriptError(
ac7d03
+                    "Peer's certificate issuer is not trusted (%s). "
ac7d03
+                    "Please run ipa-cacert-manage install and ipa-certupdate "
ac7d03
+                    "to install the CA certificate." % str(e))
ac7d03
+
ac7d03
+        try:
ac7d03
+            ca_enabled = api.Command.ca_is_enabled()['result']
ac7d03
+            if ca_enabled:
ac7d03
+                certmonger.stop_tracking(certfile=paths.KDC_CERT)
ac7d03
+
ac7d03
+            certs.install_pem_from_p12(pkcs12_file.name, pin, paths.KDC_CERT)
ac7d03
+            certs.install_key_from_p12(pkcs12_file.name, pin, paths.KDC_KEY)
ac7d03
+
ac7d03
+            if ca_enabled:
ac7d03
+                # Start tracking only if the cert was issued by IPA CA
ac7d03
+                # Retrieve IPA CA
ac7d03
+                ipa_ca_cert = cdb.get_cert_from_db(
ac7d03
+                    get_ca_nickname(api.env.realm),
ac7d03
+                    pem=False)
ac7d03
+                # And compare with the CA which signed this certificate
ac7d03
+                if ca_cert == ipa_ca_cert:
ac7d03
+                    certmonger.start_tracking(
ac7d03
+                        (paths.KDC_CERT, paths.KDC_KEY),
ac7d03
+                        storage='FILE',
ac7d03
+                        profile='KDCs_PKINIT_Certs')
ac7d03
+        except RuntimeError as e:
ac7d03
+            raise admintool.ScriptError(str(e))
ac7d03
+
ac7d03
     def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
ac7d03
         # create a temp nssdb
ac7d03
         with NSSDatabase() as tempnssdb:
ac7d03
-- 
ac7d03
2.9.4
ac7d03