From 3daffad0d0e14790147fb7a3ba9be7072b79f3e2 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Tue, 15 Dec 2015 14:13:23 +0100
Subject: [PATCH] DNSSEC: add debug mode to ldapkeydb.py
ldapkeydb.py can be executed directly now. In that case it will print
out key metadata as obtained using IPA LDAP API.
Kerberos credential cache has to be filled with principal possessing
appropriate access rights before the script is executed.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipapython/dnssec/ldapkeydb.py | 54 +++++++++++++++++++++++++++++++++++++++++--
1 file changed, 52 insertions(+), 2 deletions(-)
diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
index 74371ae19ca2fb7564a343cc79be20798b99f6d2..54a1fba1d2db8f27c9c9b881ff42201365852587 100644
--- a/ipapython/dnssec/ldapkeydb.py
+++ b/ipapython/dnssec/ldapkeydb.py
@@ -4,6 +4,8 @@
from binascii import hexlify
import collections
+import logging
+from pprint import pprint
import sys
import time
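Review bot: `import logging` is added here but no added line anywhere in this patch references the `logging` module; the new `__main__` block goes through `ipa_log_manager.standard_logging_setup` and `ipa_log_manager.root_logger` instead. Unless a part of ldapkeydb.py outside these hunks uses it, the import is dead and should be dropped so the import block reflects what the module actually depends on. `from pprint import pprint` is used by the debug output and is fine.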
@@ -11,6 +13,7 @@ import ipalib
from ipapython.dn import DN
from ipapython import ipaldap
from ipapython import ipautil
+from ipapython import ipa_log_manager
from ipaplatform.paths import paths
from abshsm import attrs_name2id, attrs_id2name, bool_attr_names, populate_pkcs11_metadata, AbstractHSM
@@ -135,8 +138,12 @@ class Key(collections.MutableMapping):
def __len__(self):
return len(self.entry)
- def __str__(self):
- return str(self.entry)
+ def __repr__(self):
+ sanitized = dict(self.entry)
+ for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
+ if attr in sanitized:
+ del sanitized[attr]
+ return repr(sanitized)
def _cleanup_key(self):
"""remove default values from LDAP entry"""
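Review bot: The attributes stripped in the new `__repr__` are an inline hard-coded denylist with no comment saying why those three are dropped, even though this is the only thing keeping `pprint()` in the new debug mode from writing private key material to stdout. Lift the list to a module-level constant, e.g. `_KEY_MATERIAL_ATTRS = ('ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo')  # key blobs must never reach repr/str/log output`, and give `__repr__` a docstring stating that it returns the entry metadata with key material removed. With `__str__` deleted, `str(key)` now falls back to this `__repr__`, so the sanitizing covers both; that is presumably intended but deserves a sentence in the docstring. The names are spelled in mixed case (`ipk11publickeyinfo` lowercase, the other two camelCase), so if `self.entry` compares keys case-sensitively one of them may silently fail to match — worth confirming against the entry type or normalizing the comparison.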
@@ -347,3 +354,46 @@ class LdapKeyDB(AbstractHSM):
'(&(objectClass=ipk11PrivateKey)(objectClass=ipaPrivateKeyObject)(objectClass=ipk11PublicKey)(objectClass=ipaPublicKeyObject))'))
return self.cache_zone_keypairs
+
+if __name__ == '__main__':
+ # this is debugging mode
+ # print information we think are useful to stdout
+ # other garbage goes via logger to stderr
+ ipa_log_manager.standard_logging_setup(debug=True)
+ log = ipa_log_manager.root_logger
+
+ # IPA framework initialization
+ ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
+ ipalib.api.finalize()
+
+ # LDAP initialization
+ dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn)
+ ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
+ log.debug('Connecting to LDAP')
+ # GSSAPI will be used, used has to be kinited already
+ ldap.gssapi_bind()
+ log.debug('Connected')
+
+ ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
+ ipalib.api.env.container_dns,
+ ipalib.api.env.basedn))
+
+ print('replica public keys: CKA_WRAP = TRUE')
+ print('====================================')
+ for pubkey_id, pubkey in ldapkeydb.replica_pubkeys_wrap.items():
+ print(hexlify(pubkey_id))
+ pprint(pubkey)
+
+ print('')
+ print('master keys')
+ print('===========')
+ for mkey_id, mkey in ldapkeydb.master_keys.items():
+ print(hexlify(mkey_id))
+ pprint(mkey)
+
+ print('')
+ print('zone key pairs')
+ print('==============')
+ for key_id, key in ldapkeydb.zone_keypairs.items():
+ print(hexlify(key_id))
+ pprint(key)
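Review bot: `dns_dn` is built from `container_dns` and `basedn` but never used; the `LdapKeyDB(...)` call a few lines later re-spells the same suffix inline. Either drop the variable or reuse it, e.g. `ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), dns_dn))` — if I read ipapython.dn correctly, `DN` accepts a `DN` instance as a trailing component. The comment `# GSSAPI will be used, used has to be kinited already` has a typo and should read `# GSSAPI will be used, user has to be kinited already`. The `pprint()` calls only avoid dumping private key material because `Key.__repr__` strips it, so a one-line comment such as `# Key.__repr__ drops key material, so printing entries is safe` next to the first `pprint` would stop a future edit from switching to `dict(key)` or printing `key.entry` directly. The bound `ldap` connection is never closed; acceptable for a one-shot debug script, but an explicit unbind at the end would be tidier.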
--
2.4.3