pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone
Blob Blame History Raw
From e8805e118446a1ad542d183e2f6bea0f87651795 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 27 Apr 2017 09:37:38 +0200
Subject: [PATCH] certdb: use custom object for trust flags

Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/restart_scripts/renew_ca_cert       |   2 +-
 ipalib/install/certstore.py                 |  49 +------------
 ipapython/certdb.py                         | 109 ++++++++++++++++++++++++++--
 ipaserver/install/installutils.py           |   2 +-
 ipaserver/install/ipa_cacert_manage.py      |   6 +-
 ipaserver/install/ipa_server_certinstall.py |   4 +-
 ipaserver/install/plugins/upload_cacrt.py   |   2 +-
 ipaserver/install/server/upgrade.py         |   2 +-
 8 files changed, 117 insertions(+), 59 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 7a54b4c7e05a35b40b17e46b75ff8d47db1b2d23..bb31defc0e2bdca044e68ae067f42fb3bd41a57f 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -125,7 +125,7 @@ def _main():
 
             # Remove old external CA certificates
             for ca_nick, ca_flags in db.list_certs():
-                if 'u' in ca_flags:
+                if ca_flags.has_key:
                     continue
                 # Delete *all* certificates that use the nickname
                 while True:
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index 310e08ed2273badba6fde4ada0ee52501fddc72c..bc2079fb12873444cbe6796eebfdfcfebd0e284d 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -25,7 +25,7 @@ LDAP shared certificate store.
 from pyasn1.error import PyAsn1Error
 
 from ipapython.dn import DN
-from ipapython.certdb import get_ca_nickname
+from ipapython.certdb import get_ca_nickname, TrustFlags
 from ipalib import errors, x509
 
 def _parse_cert(dercert):
@@ -344,57 +344,14 @@ def trust_flags_to_key_policy(trust_flags):
     """
     Convert certutil trust flags to certificate store key policy.
     """
-    if 'p' in trust_flags:
-        if 'C' in trust_flags or 'P' in trust_flags or 'T' in trust_flags:
-            raise ValueError("cannot be both trusted and not trusted")
-        return False, None, None
-    elif 'C' in trust_flags or 'T' in trust_flags:
-        if 'P' in trust_flags:
-            raise ValueError("cannot be both CA and not CA")
-        ca = True
-    elif 'P' in trust_flags:
-        ca = False
-    else:
-        return None, None, set()
-
-    trust_flags = trust_flags.split(',')
-    ext_key_usage = set()
-    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
-                            x509.EKU_EMAIL_PROTECTION,
-                            x509.EKU_CODE_SIGNING)):
-        if 'C' in trust_flags[i] or 'P' in trust_flags[i]:
-            ext_key_usage.add(kp)
-    if 'T' in trust_flags[0]:
-        ext_key_usage.add(x509.EKU_CLIENT_AUTH)
-
-    return True, ca, ext_key_usage
+    return trust_flags[1:]
 
 
 def key_policy_to_trust_flags(trusted, ca, ext_key_usage):
     """
     Convert certificate store key policy to certutil trust flags.
     """
-    if trusted is False:
-        return 'p,p,p'
-    elif trusted is None or ca is None:
-        return ',,'
-    elif ext_key_usage is None:
-        if ca:
-            return 'CT,C,C'
-        else:
-            return 'P,P,P'
-
-    trust_flags = ['', '', '']
-    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
-                            x509.EKU_EMAIL_PROTECTION,
-                            x509.EKU_CODE_SIGNING)):
-        if kp in ext_key_usage:
-            trust_flags[i] += ('C' if ca else 'P')
-    if ca and x509.EKU_CLIENT_AUTH in ext_key_usage:
-        trust_flags[0] += 'T'
-
-    trust_flags = ','.join(trust_flags)
-    return trust_flags
+    return TrustFlags(False, trusted, ca, ext_key_usage)
 
 
 def put_ca_cert_nss(ldap, base_dn, dercert, nickname, trust_flags,
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 88dcae750de5881ae7b4921ca1ae23daa9c5d4b0..af95eba3cbad1c354615457ed0501f97bff0e22d 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -17,6 +17,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import collections
 import os
 import io
 import pwd
@@ -52,10 +53,26 @@ CA_NICKNAME_FMT = "%s IPA CA"
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
-EMPTY_TRUST_FLAGS = ',,'
-IPA_CA_TRUST_FLAGS = 'CT,C,C'
-EXTERNAL_CA_TRUST_FLAGS = 'C,,'
-TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages')
+
+EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None)
+
+IPA_CA_TRUST_FLAGS = TrustFlags(
+    False, True, True, frozenset({
+        x509.EKU_SERVER_AUTH,
+        x509.EKU_CLIENT_AUTH,
+        x509.EKU_CODE_SIGNING,
+        x509.EKU_EMAIL_PROTECTION,
+    }),
+)
+
+EXTERNAL_CA_TRUST_FLAGS = TrustFlags(
+    False, True, True, frozenset({x509.EKU_SERVER_AUTH}),
+)
+
+TRUSTED_PEER_TRUST_FLAGS = TrustFlags(
+    False, True, False, frozenset({x509.EKU_SERVER_AUTH}),
+)
 
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
@@ -87,6 +104,82 @@ def get_file_cont(slot, token, filename):
         return f.read()
 
 
+def parse_trust_flags(trust_flags):
+    """
+    Convert certutil trust flags to TrustFlags object.
+    """
+    has_key = 'u' in trust_flags
+
+    if 'p' in trust_flags:
+        if 'C' in trust_flags or 'P' in trust_flags or 'T' in trust_flags:
+            raise ValueError("cannot be both trusted and not trusted")
+        return False, None, None
+    elif 'C' in trust_flags or 'T' in trust_flags:
+        if 'P' in trust_flags:
+            raise ValueError("cannot be both CA and not CA")
+        ca = True
+    elif 'P' in trust_flags:
+        ca = False
+    else:
+        return TrustFlags(has_key, None, None, frozenset())
+
+    trust_flags = trust_flags.split(',')
+    ext_key_usage = set()
+    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
+                            x509.EKU_EMAIL_PROTECTION,
+                            x509.EKU_CODE_SIGNING)):
+        if 'C' in trust_flags[i] or 'P' in trust_flags[i]:
+            ext_key_usage.add(kp)
+    if 'T' in trust_flags[0]:
+        ext_key_usage.add(x509.EKU_CLIENT_AUTH)
+
+    return TrustFlags(has_key, True, ca, frozenset(ext_key_usage))
+
+
+def unparse_trust_flags(trust_flags):
+    """
+    Convert TrustFlags object to certutil trust flags.
+    """
+    has_key, trusted, ca, ext_key_usage = trust_flags
+
+    if trusted is False:
+        if has_key:
+            return 'pu,pu,pu'
+        else:
+            return 'p,p,p'
+    elif trusted is None or ca is None:
+        if has_key:
+            return 'u,u,u'
+        else:
+            return ',,'
+    elif ext_key_usage is None:
+        if ca:
+            if has_key:
+                return 'CTu,Cu,Cu'
+            else:
+                return 'CT,C,C'
+        else:
+            if has_key:
+                return 'Pu,Pu,Pu'
+            else:
+                return 'P,P,P'
+
+    trust_flags = ['', '', '']
+    for i, kp in enumerate((x509.EKU_SERVER_AUTH,
+                            x509.EKU_EMAIL_PROTECTION,
+                            x509.EKU_CODE_SIGNING)):
+        if kp in ext_key_usage:
+            trust_flags[i] += ('C' if ca else 'P')
+    if ca and x509.EKU_CLIENT_AUTH in ext_key_usage:
+        trust_flags[0] += 'T'
+    if has_key:
+        for i in range(3):
+            trust_flags[i] += 'u'
+
+    trust_flags = ','.join(trust_flags)
+    return trust_flags
+
+
 class NSSDatabase(object):
     """A general-purpose wrapper around a NSS cert database
 
@@ -205,7 +298,9 @@ class NSSDatabase(object):
         for cert in certs:
             match = re.match(r'^(.+?)\s+(\w*,\w*,\w*)\s*$', cert)
             if match:
-                certlist.append(match.groups())
+                nickname = match.group(1)
+                trust_flags = parse_trust_flags(match.group(2))
+                certlist.append((nickname, trust_flags))
 
         return tuple(certlist)
 
@@ -218,7 +313,7 @@ class NSSDatabase(object):
         """
         server_certs = []
         for name, flags in self.list_certs():
-            if 'u' in flags:
+            if flags.has_key:
                 server_certs.append((name, flags))
 
         return server_certs
@@ -477,6 +572,7 @@ class NSSDatabase(object):
                 "No need to add trust for built-in root CAs, skipping %s" %
                 root_nickname)
         else:
+            trust_flags = unparse_trust_flags(trust_flags)
             try:
                 self.run_certutil(["-M", "-n", root_nickname,
                                    "-t", trust_flags])
@@ -538,6 +634,7 @@ class NSSDatabase(object):
                              location)
 
     def add_cert(self, cert, nick, flags, pem=False):
+        flags = unparse_trust_flags(flags)
         args = ["-A", "-n", nick, "-t", flags]
         if pem:
             args.append("-a")
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 0445a1d3c403fab690e5afb7c8801ed85773b1e0..5bce9894780bd920db11196b925492a7fe8f22d0 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1034,7 +1034,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
                 raise ScriptError(str(e))
 
         for nickname, trust_flags in nssdb.list_certs():
-            if 'u' in trust_flags:
+            if trust_flags.has_key:
                 key_nickname = nickname
                 continue
             nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 88b40d45e10281d272882d21e06f5d53cf5a701d..d28a5966f054141819463cdb1dfef48ee1e46e92 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -26,7 +26,9 @@ import gssapi
 
 from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
-from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
+from ipapython.certdb import (EMPTY_TRUST_FLAGS,
+                              EXTERNAL_CA_TRUST_FLAGS,
+                              parse_trust_flags)
 from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipalib import api, errors, x509
@@ -366,6 +368,8 @@ class CACertManage(admintool.AdminTool):
             len(trust_flags.split(',')) != 3):
             raise admintool.ScriptError("Invalid trust flags")
 
+        trust_flags = parse_trust_flags(trust_flags)
+
         try:
             certstore.put_ca_cert_nss(
                 api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index ee93535edfd258fe71099881c54c413516b24d17..9f2cd9573a156949ae979e7b69fbd23adaf2feb8 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -170,13 +170,13 @@ class ServerCertInstall(admintool.AdminTool):
             # this leaves only the server certs in the temp db
             tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)
             for nickname, flags in tempnssdb.list_certs():
-                if 'u' not in flags:
+                if not flags.has_key:
                     while tempnssdb.has_nickname(nickname):
                         tempnssdb.delete_cert(nickname)
 
             # import all the CA certs from nssdb into the temp db
             for nickname, flags in nssdb.list_certs():
-                if 'u' not in flags:
+                if not flags.has_key:
                     cert = nssdb.get_cert_from_db(nickname)
                     tempnssdb.add_cert(cert, nickname, flags)
 
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 7d294ff971bd109e5fbb3570bfff0198f24b68d3..73cc91d8f6dd5811ec74efecd6c885cd8937a0f2 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -52,7 +52,7 @@ class update_upload_cacrt(Updater):
         ldap = self.api.Backend.ldap2
 
         for nickname, trust_flags in db.list_certs():
-            if 'u' in trust_flags:
+            if trust_flags.has_key:
                 continue
             if nickname == ca_nickname and ca_enabled:
                 trust_flags = certdb.IPA_CA_TRUST_FLAGS
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 73a4f1108a56a766cdbbcb93d7050482a8264a75..c244958f4cddba0d1edded5165a295b1e1ee2b8a 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1547,7 +1547,7 @@ def disable_httpd_system_trust(http):
 
     db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
     for nickname, trust_flags in db.list_certs():
-        if 'u' not in trust_flags:
+        if not trust_flags.has_key:
             cert = db.get_cert_from_db(nickname, pem=False)
             if cert:
                 ca_certs.append((cert, nickname, trust_flags))
-- 
2.9.4