From 997ebc0f56963769bdcbeda60a2dca222c884b1e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 27 Apr 2017 09:57:45 +0200
Subject: [PATCH] certdb, certs: make trust flags argument mandatory
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipapython/certdb.py | 4 +---
ipaserver/install/certs.py | 11 +++++------
ipaserver/install/dsinstance.py | 2 +-
ipaserver/install/httpinstance.py | 6 ++++--
ipaserver/install/installutils.py | 5 +++--
ipaserver/install/server/replicainstall.py | 4 ++--
6 files changed, 16 insertions(+), 16 deletions(-)
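diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 44c7bf3197c198295035742e6db48527d76e85a6..88dcae750de5881ae7b4921ca1ae23daa9c5d4b0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -471,14 +471,12 @@ class NSSDatabase(object):
 
 self.import_pkcs12(out_file.name, out_password)
 
- def trust_root_cert(self, root_nickname, trust_flags=None):
+ def trust_root_cert(self, root_nickname, trust_flags):
 if root_nickname[:7] == "Builtin":
 root_logger.debug(
 "No need to add trust for built-in root CAs, skipping %s" %
 root_nickname)
 else:
- if trust_flags is None:
- trust_flags = EXTERNAL_CA_TRUST_FLAGS
 try:
 self.run_certutil(["-M", "-n", root_nickname,
 "-t", trust_flags])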
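Review bot: The new `trust_root_cert` signature makes `trust_flags` required but carries no docstring saying what the value must be, even though the hunk hands it verbatim to `certutil -t` in `self.run_certutil(["-M", "-n", root_nickname, "-t", trust_flags])`, so the caller's choice alone decides which trust roles the root CA receives. Suggest adding under the new def line: `"""Set NSS trust flags on the root CA *root_nickname*; *trust_flags* is a certutil -t string, normally one of this module's IPA_CA_TRUST_FLAGS / EXTERNAL_CA_TRUST_FLAGS constants."""`. With the `is None` fallback removed, an explicit `trust_flags=None` from a caller no longer becomes EXTERNAL_CA_TRUST_FLAGS and would reach run_certutil as None rather than a flags string; if that is the intended fail-fast behaviour it is worth stating in the docstring. The method's try/except continues past the end of the hunk.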
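diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f87e00eb5e9c14ed30d39ef9f6e86b6f24bb1c61..17b9ebad4a128e292e453af44ca9d63cfb1e6ea2 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -550,7 +550,7 @@ class CertDB(object):
 
 return root_nicknames
 
- def trust_root_cert(self, root_nickname, trust_flags=None):
+ def trust_root_cert(self, root_nickname, trust_flags):
 if root_nickname is None:
 root_logger.debug("Unable to identify root certificate to trust. Continuing but things are likely to fail.")
 return
@@ -600,14 +600,13 @@ class CertDB(object):
 self.create_certdbs()
 self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
 
- def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
- ca_file=None, trust_flags=None):
+ def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
+ ca_file, trust_flags):
 """Create a new NSS database using the certificates in a PKCS#12 file.
 
 pkcs12_fname: the filename of the PKCS#12 file
 pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file
 nickname: the nickname/friendly-name of the cert we are loading
- passwd: The password to use for the new NSS database we are creating
 
 The global CA may be added as well in case it wasn't included in the
 PKCS#12 file. Extra certs won't hurt in any case.
@@ -615,7 +614,7 @@ class CertDB(object):
 The global CA may be specified in ca_file, as a PEM filename.
 """
 self.create_noise_file()
- self.create_passwd_file(passwd)
+ self.create_passwd_file()
 self.create_certdbs()
 self.init_from_pkcs12(
 pkcs12_fname,
@@ -624,7 +623,7 @@ class CertDB(object):
 trust_flags=trust_flags)
 
 def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
- ca_file=None, trust_flags=None):
+ ca_file, trust_flags):
 self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
 server_certs = self.find_server_certs()
 if len(server_certs) == 0: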
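Review bot: The `create_from_pkcs12` docstring in the second hunk is out of step with the signature the commit now fixes: it describes `pkcs12_pwd_fname` and `nickname`, neither of which is a parameter, and after the `passwd` line is dropped the real parameters `pkcs12_passwd`, `ca_file` and `trust_flags` are not documented at all, which matters most for `trust_flags` because it now has no default and decides how much trust the imported CA gets. Suggest replacing the two stale parameter lines with `pkcs12_passwd: the PKCS#12 password (confirm whether this is the secret or a file holding it)`, `ca_file: PEM file with the global CA to add, if any`, and `trust_flags: certutil -t flags applied to the CA certificates (see ipapython.certdb)`. `init_from_pkcs12` in the last hunk undergoes the same signature change and has no docstring either; its body continues past the hunk.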
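diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0db0368fa4b48495718afd779291ce164d1687c8..0e4ae4bfe6f1445de167df8fe5328d6a421e416f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -769,7 +769,7 @@ class DsInstance(service.Service):
 if self.ca_is_configured:
 trust_flags = IPA_CA_TRUST_FLAGS
 else:
- trust_flags = None
+ trust_flags = EXTERNAL_CA_TRUST_FLAGS
 dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
 ca_file=self.ca_file,
 trust_flags=trust_flags)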
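Review bot: The added line `trust_flags = EXTERNAL_CA_TRUST_FLAGS` references a name this file's diff does not import: the diffstat shows dsinstance.py with one insertion and one deletion, whereas httpinstance.py and replicainstall.py both add `EXTERNAL_CA_TRUST_FLAGS` to their `from ipapython.certdb import ...` line. If the name is not already imported at the top of dsinstance.py (not visible here), this is a NameError that only surfaces on the external-CA path, i.e. when `self.ca_is_configured` is false, which default installs will not exercise. Worth confirming the import before merge. The enclosing method starts and ends outside the hunk.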
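diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a6aeb21edc73783ff9a3f9b526409ea525aa66dd..c76a1a4e484c5777ced92761916c1c586e8b2d5d 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -32,7 +32,9 @@ import six
 from augeas import Augeas
 
 from ipalib.install import certmonger
-from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
+from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
+ EXTERNAL_CA_TRUST_FLAGS,
+ TRUSTED_PEER_TRUST_FLAGS)
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
@@ -384,7 +386,7 @@ class HTTPInstance(service.Service):
 if self.ca_is_configured:
 trust_flags = IPA_CA_TRUST_FLAGS
 else:
- trust_flags = EXTERNAL_CA_TRUST_FLAGS
+ trust_flags = EXTERNAL_CA_TRUST_FLAGS
 db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
 ca_file=self.ca_file,
 trust_flags=trust_flags)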
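Review bot: The `if self.ca_is_configured: IPA_CA_TRUST_FLAGS else: EXTERNAL_CA_TRUST_FLAGS` selection in the second hunk is now written out identically in dsinstance.py and replicainstall.py as well, so the trust decision for the imported CA lives in three places that must be kept in sync. A single helper next to the constants, e.g. `def ca_trust_flags(ca_is_configured): return IPA_CA_TRUST_FLAGS if ca_is_configured else EXTERNAL_CA_TRUST_FLAGS` in ipapython.certdb, would keep the policy in one spot and remove the need for each installer module to import both constants. A one-line comment at the call site, `# external CA: trust for TLS only, not as IPA's own CA`, is the minimum if the duplication is kept (hedged: the exact difference between the two flag strings is defined outside this diff). The enclosing method starts and ends outside the hunk.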
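diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index b6f01489ccc65dcbc360929e0a7b315b074df8ce..0445a1d3c403fab690e5afb7c8801ed85773b1e0 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -49,6 +49,7 @@ from ipalib.install.kinit import kinit_password
 import ipaplatform
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
+from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
@@ -1036,7 +1037,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
 if 'u' in trust_flags:
 key_nickname = nickname
 continue
- nssdb.trust_root_cert(nickname)
+ nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
 
 # Check we have the whole cert chain & the CA is in it
 trust_chain = list(reversed(nssdb.get_trust_chain(key_nickname)))
@@ -1176,7 +1177,7 @@ def load_external_cert(files, ca_subject):
 cache[nickname] = (cert, subject, issuer)
 if subject == ca_subject:
 ca_nickname = nickname
- nssdb.trust_root_cert(nickname)
+ nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
 
 if ca_nickname is None:
 raise ScriptError(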
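Review bot: In the `load_pkcs12` hunk the loop-local `trust_flags` (the certificate's current flags, tested with `'u' in trust_flags`) and the `EXTERNAL_CA_TRUST_FLAGS` constant now passed two lines later are easy to conflate for a reader, and the visible lines show that every certificate without the user flag, not just the chain root, is given external-CA trust. A comment above the call such as `# every non-key cert in the bundle is marked as a trusted external CA; the chain check below verifies the actual CA is among them` would record the intent; the loop header and the rest of `load_pkcs12` are outside the hunk, so whether intermediates can reach this line is inferred rather than seen. The `load_external_cert` hunk makes the same call and would benefit from the same comment.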
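diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 5e78e6faf51ded2fe7634f230c66aa15ae84bad4..fb738cb9f590f3f9595de92ef025c6032e9343f8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -23,7 +23,7 @@ import ipaclient.install.ntpconf
 from ipalib.install import certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipaldap, ipautil
-from ipapython.certdb import IPA_CA_TRUST_FLAGS
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
@@ -740,7 +740,7 @@ def install_check(installer):
 if ca_enabled:
 trust_flags = IPA_CA_TRUST_FLAGS
 else:
- trust_flags = None
+ trust_flags = EXTERNAL_CA_TRUST_FLAGS
 tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
 ca_file=cafile,
 trust_flags=trust_flags)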
--
2.9.4