From 036605789d6b34f5592d2ef38723eeb87e6ae21a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Tue, 28 Mar 2017 13:54:16 +0200
Subject: [PATCH] Generate PIN for PKI to help Dogtag in FIPS
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.
https://pagure.io/freeipa/issue/6824
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
ipaserver/install/cainstance.py | 6 +++++-
ipaserver/install/krainstance.py | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
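diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f0d3c236810d01f08192b239c0edb362ed78e071..92bb760d39d23fedb40b7e3c5bea53381f1c87ad 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -541,6 +541,10 @@ class CAInstance(DogtagInstance):
 # CA key algorithm
 config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
 
+ # generate pin which we know can be used for FIPS NSS database
+ pki_pin = ipautil.ipa_generate_password()
+ config.set("CA", "pki_pin", pki_pin)
+
 if self.clone:
 
 if self.no_db_setup:
@@ -613,7 +617,7 @@ class CAInstance(DogtagInstance):
 try:
 DogtagInstance.spawn_instance(
 self, cfg_file,
- nolog_list=(self.dm_password, self.admin_password)
+ nolog_list=(self.dm_password, self.admin_password, pki_pin)
 )
 finally:
 os.remove(cfg_file)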
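Review bot: Whether the default output of `ipautil.ipa_generate_password()` satisfies the NSS FIPS token-password policy (minimum length and character-class mix) is not visible in this hunk, yet that is the whole reason the pin is generated here; the added comment should state that assumption so it can be checked when the generator's defaults change, e.g. `# NSS in FIPS mode enforces a password policy on the DB pin; ipa_generate_password() defaults are assumed to satisfy it - confirm against ipautil`. The pin reaches pkispawn only through the on-disk `cfg_file`, so keeping it in `nolog_list` is necessary but the file's creation mode and the `os.remove(cfg_file)` in the `finally` are what actually bound its exposure; that creation code is outside the hunk. The same four generation lines are duplicated verbatim in krainstance.py (the KRA section below), and a single helper on `DogtagInstance` would keep the two in step. The enclosing method starts before the first hunk.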
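diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index b41ccb6fa6517f53ad1f83389b45795f0cd135bc..34d667857a8055752e258a591af983190f33daa5 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -235,6 +235,10 @@ class KRAInstance(DogtagInstance):
 "KRA", "pki_share_dbuser_dn",
 str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
 
+ # generate pin which we know can be used for FIPS NSS database
+ pki_pin = ipautil.ipa_generate_password()
+ config.set("KRA", "pki_pin", pki_pin)
+
 _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
 
 if self.clone:
@@ -275,7 +279,7 @@ class KRAInstance(DogtagInstance):
 try:
 DogtagInstance.spawn_instance(
 self, cfg_file,
- nolog_list=(self.dm_password, self.admin_password)
+ nolog_list=(self.dm_password, self.admin_password, pki_pin)
 )
 finally:
 os.remove(p12_tmpfile_name)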
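Review bot: In the second hunk the `finally` removes only `p12_tmpfile_name`, while `cfg_file` is the file that now carries `pki_pin` in cleartext; its removal is not in the visible code, so confirm it is deleted on both the success and the failure path (the cainstance.py counterpart removes `cfg_file` in its `finally`). If it is cleaned up elsewhere, a one-line comment at the `finally` naming where would save the next reader the search. The enclosing method begins before the first hunk and its body continues past this one.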
--
2.12.1