From 4a9ff573f1c9c91e1e2e1e2d7de70951b7333fb4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 23 Jun 2017 15:47:48 +0200
Subject: [PATCH] smart card advise: use password when changing trust flags on
HTTP cert
|
This is to prevent NSS asking for database password when operating in
FIPS 140 mode.
|
https://pagure.io/freeipa/issue/7036
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/advise/plugins/smart_card_auth.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
|
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 3ff94be1e8b108668989602b1b406a39d23ff501..5134db535e8f10e8cf850dbf0696b679aacec4f5 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -2,6 +2,8 @@
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
|
+import os
+
from ipalib.plugable import Registry
from ipaplatform import services
from ipaplatform.paths import paths
@@ -172,6 +174,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
return fmt_line.format(directive=directive, filename=filename)
|
def mark_httpd_cert_as_trusted(self):
+ httpd_nss_database_pwd_file = os.path.join(
+ paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
self.log.comment(
'mark the HTTP certificate as trusted peer to avoid '
'chicken-egg startup issue')
@@ -181,8 +185,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
" cut -f 2 -d ' ')"))
|
self.log.exit_on_failed_command(
- 'certutil -M -n $http_cert_nick -d "{}" -t "Pu,u,u"'.format(
- paths.HTTPD_ALIAS_DIR),
+ 'certutil -M -n $http_cert_nick -d "{}" -f {} -t "Pu,u,u"'.format(
+ paths.HTTPD_ALIAS_DIR,
+ httpd_nss_database_pwd_file),
['Can not set trust flags on HTTP certificate'])
|
def _interpolate_nssnickname_directive_file_into_command(self, fmt_line):
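Review bot: The new `-f {}` argument interpolates the password-file path into the emitted shell line unquoted, while the database directory immediately before it is quoted (`-d "{}"`); since this string becomes a shell script, both should be quoted the same way: `'certutil -M -n $http_cert_nick -d "{}" -f "{}" -t "Pu,u,u"'.format(`. That path is assembled in the previous hunk from `paths.HTTPD_ALIAS_DIR` and the literal `'pwdfile.txt'`; if `paths` already exposes a constant for the HTTP NSS password file, using it would keep the advise script from drifting apart from whatever the installer actually writes. The generated script also silently assumes that file exists and is readable by the user running it, so a preceding existence check that exits with a clear message would turn an opaque certutil error into an actionable one. `mark_httpd_cert_as_trusted` starts in the previous hunk.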
--
2.9.4
|