From 8ee71c8aab262ba0041ee9ac84fb862a5fda32cf Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 21 Jan 2016 15:48:30 +0100
Subject: [PATCH] replica install: validate DS and HTTP server certificates

Validate the DS and HTTP certificates from the replica info file early in ipa-replica-install to prevent crashes later.

https://fedorahosted.org/freeipa/ticket/5598

Reviewed-By: Martin Babinsky
---
 ipaserver/install/server/replicainstall.py | 31 +++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a5d4a77f3daa8110ad0be064085b12b20da853cf..317eda92dd4322542f035c2df4dba919a5898cc7 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -356,6 +356,8 @@ def install_check(installer):
 config.setup_ca = options.setup_ca
 config.setup_kra = options.setup_kra
 
+ ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
+
 # Create the management framework config file
 # Note: We must do this before bootstraping and finalizing ipalib.api
 old_umask = os.umask(022) # must be readable for httpd
@@ -371,7 +373,7 @@ def install_check(installer):
 ipautil.format_netloc(config.host_name))
 fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
 installutils.realm_to_serverid(config.realm_name))
- if ipautil.file_exists(config.dir + "/cacert.p12"):
+ if ca_enabled:
 fd.write("enable_ra=True\n")
 fd.write("ra_plugin=dogtag\n")
 fd.write("dogtag_version=%s\n" %
@@ -395,6 +397,33 @@ def install_check(installer):
 raise RuntimeError("CA cert file is not available. Please run "
 "ipa-replica-prepare to create a new replica file.")
 
+ for pkcs12_name, pin_name in (('dscert.p12', 'dirsrv_pin.txt'),
+ ('httpcert.p12', 'http_pin.txt')):
+ pkcs12_info = make_pkcs12_info(config.dir, pkcs12_name, pin_name)
+ tmp_db_dir = tempfile.mkdtemp('ipa')
+ try:
+ tmp_db = certs.CertDB(config.realm_name,
+ nssdir=tmp_db_dir,
+ subject_base=config.subject_base)
+ if ca_enabled:
+ trust_flags = 'CT,C,C'
+ else:
+ trust_flags = None
+ tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
+ ca_file=cafile,
+ trust_flags=trust_flags)
+ if not tmp_db.find_server_certs():
+ raise RuntimeError(
+ "Could not find a suitable server cert in import in %s" %
+ pkcs12_info[0])
+ except Exception as e:
+ root_logger.error('%s', e)
+ raise RuntimeError(
+ "Server cert is not valid. Please run ipa-replica-prepare to "
+ "create a new replica file.")
+ finally:
+ shutil.rmtree(tmp_db_dir)
+
 ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
 remote_api = create_api(mode=None)
 remote_api.bootstrap(in_server=True, context='installer',
-- 
2.5.0
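Review bot: `tempfile.mkdtemp('ipa')` passes 'ipa' as the first positional argument, which is `suffix`, so the scratch NSS database lands in a directory named `…XXXXXXipa`; if a recognisable prefix was the intent, use `tmp_db_dir = tempfile.mkdtemp(prefix='ipa')`. The `except Exception as e` handler also catches the RuntimeError raised deliberately when `find_server_certs()` returns nothing, so that specific message reaches the user only through `root_logger.error` and is replaced by the generic "Server cert is not valid" text; moving the `find_server_certs()` check into an `else:` clause of the try would let it propagate unchanged while `finally` still removes `tmp_db_dir`. The scratch directory briefly holds the imported server key, so the `shutil.rmtree` in `finally` is the important part here; `mkdtemp` already creates the directory accessible only to the creating user. The enclosing `install_check` continues past this hunk.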