From e45762bf5b94c064668752160271a00af854b6cf Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 3 May 2017 06:38:20 +0000
Subject: [PATCH] install: trust IPA CA for PKINIT
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipalib/x509.py | 2 ++
ipapython/certdb.py | 2 ++
ipaserver/install/dsinstance.py | 31 +++++++++++++++++++++++-------
ipaserver/install/plugins/upload_cacrt.py | 6 +++++-
ipaserver/install/server/install.py | 9 ++++++---
ipaserver/install/server/replicainstall.py | 1 +
6 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
|
|
|
ac7d03 |
index f65cf816c9ead50a43e08a3b982f428112e7c1b3..5d1a7b8f4b99e057d4732d388efb0f27def07085 100644
|
|
|
ac7d03 |
--- a/ipalib/x509.py
|
|
|
ac7d03 |
+++ b/ipalib/x509.py
|
|
|
ac7d03 |
@@ -64,6 +64,8 @@ EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
|
|
|
ac7d03 |
EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
|
|
|
ac7d03 |
EKU_CODE_SIGNING = '1.3.6.1.5.5.7.3.3'
|
|
|
ac7d03 |
EKU_EMAIL_PROTECTION = '1.3.6.1.5.5.7.3.4'
|
|
|
ac7d03 |
+EKU_PKINIT_CLIENT_AUTH = '1.3.6.1.5.2.3.4'
|
|
|
ac7d03 |
+EKU_PKINIT_KDC = '1.3.6.1.5.2.3.5'
|
|
|
ac7d03 |
EKU_ANY = '2.5.29.37.0'
|
|
|
ac7d03 |
EKU_PLACEHOLDER = '1.3.6.1.4.1.3319.6.10.16'
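Review bot: The two added OID constants carry no reference, so a reader has no way to check the values without searching; add above `EKU_PKINIT_CLIENT_AUTH` the comment `# id-pkinit-KPClientAuth / id-pkinit-KPKdc, RFC 4556 (id-pkinit arc 1.3.6.1.5.2.3)`. The values 1.3.6.1.5.2.3.4 and 1.3.6.1.5.2.3.5 do match the client-authentication and KDC key-purpose identifiers that RFC 4556 defines, so this is a documentation point only.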
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
|
|
|
ac7d03 |
index af95eba3cbad1c354615457ed0501f97bff0e22d..1ee2603653452577476cf413e6af951cd29c273e 100644
|
|
|
ac7d03 |
--- a/ipapython/certdb.py
|
|
|
ac7d03 |
+++ b/ipapython/certdb.py
|
|
|
ac7d03 |
@@ -63,6 +63,8 @@ IPA_CA_TRUST_FLAGS = TrustFlags(
|
|
|
ac7d03 |
x509.EKU_CLIENT_AUTH,
|
|
|
ac7d03 |
x509.EKU_CODE_SIGNING,
|
|
|
ac7d03 |
x509.EKU_EMAIL_PROTECTION,
|
|
|
ac7d03 |
+ x509.EKU_PKINIT_CLIENT_AUTH,
|
|
|
ac7d03 |
+ x509.EKU_PKINIT_KDC,
|
|
|
ac7d03 |
}),
|
|
|
ac7d03 |
)
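Review bot: The PKINIT EKUs are added to `IPA_CA_TRUST_FLAGS` unconditionally, whereas the same patch extends the directory-server CA trust flags only when `setup_pkinit` is set, and nothing on these lines says why the constant is unconditional; a comment such as `# the IPA CA issues the KDC and client PKINIT certificates, so it is always trusted for both EKUs` above `x509.EKU_PKINIT_CLIENT_AUTH,` would spare the next reader the question. The `TrustFlags(` definition this hunk extends starts outside the hunk, so I cannot see whether `usages` is a frozenset or a plain set here; if it is the latter, consumers that mutate it would now silently widen PKINIT trust for every caller sharing the constant.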
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
index 0e4ae4bfe6f1445de167df8fe5328d6a421e416f..39248edb285ee4d792b4500d83d88b24f5732d10 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
@@ -31,8 +31,11 @@ import fnmatch
|
|
|
ac7d03 |
|
|
|
ac7d03 |
import ldap
|
|
|
ac7d03 |
|
|
|
ac7d03 |
+from ipalib import x509
|
|
|
ac7d03 |
from ipalib.install import certmonger, certstore
|
|
|
ac7d03 |
-from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
|
|
|
ac7d03 |
+from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
|
|
|
ac7d03 |
+ EXTERNAL_CA_TRUST_FLAGS,
|
|
|
ac7d03 |
+ TrustFlags)
|
|
|
ac7d03 |
from ipapython.ipa_log_manager import root_logger
|
|
|
ac7d03 |
from ipapython import ipautil, ipaldap
|
|
|
ac7d03 |
from ipapython import dogtag
|
|
|
ac7d03 |
@@ -289,7 +292,8 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def init_info(self, realm_name, fqdn, domain_name, dm_password,
|
|
|
ac7d03 |
subject_base, ca_subject,
|
|
|
ac7d03 |
- idstart, idmax, pkcs12_info, ca_file=None):
|
|
|
ac7d03 |
+ idstart, idmax, pkcs12_info, ca_file=None,
|
|
|
ac7d03 |
+ setup_pkinit=False):
|
|
|
ac7d03 |
self.realm = realm_name.upper()
|
|
|
ac7d03 |
self.serverid = installutils.realm_to_serverid(self.realm)
|
|
|
ac7d03 |
self.suffix = ipautil.realm_to_suffix(self.realm)
|
|
|
ac7d03 |
@@ -303,6 +307,7 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
self.pkcs12_info = pkcs12_info
|
|
|
ac7d03 |
if pkcs12_info:
|
|
|
ac7d03 |
self.ca_is_configured = False
|
|
|
ac7d03 |
+ self.setup_pkinit = setup_pkinit
|
|
|
ac7d03 |
self.ca_file = ca_file
|
|
|
ac7d03 |
|
|
|
ac7d03 |
self.__setup_sub_dict()
|
|
|
ac7d03 |
@@ -311,11 +316,12 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
dm_password, pkcs12_info=None,
|
|
|
ac7d03 |
idstart=1100, idmax=999999,
|
|
|
ac7d03 |
subject_base=None, ca_subject=None,
|
|
|
ac7d03 |
- hbac_allow=True, ca_file=None):
|
|
|
ac7d03 |
+ hbac_allow=True, ca_file=None, setup_pkinit=False):
|
|
|
ac7d03 |
self.init_info(
|
|
|
ac7d03 |
realm_name, fqdn, domain_name, dm_password,
|
|
|
ac7d03 |
subject_base, ca_subject,
|
|
|
ac7d03 |
- idstart, idmax, pkcs12_info, ca_file=ca_file)
|
|
|
ac7d03 |
+ idstart, idmax, pkcs12_info, ca_file=ca_file,
|
|
|
ac7d03 |
+ setup_pkinit=setup_pkinit)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
self.__common_setup()
|
|
|
ac7d03 |
self.step("restarting directory server", self.__restart_instance)
|
|
|
ac7d03 |
@@ -354,7 +360,8 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
domain_name, dm_password,
|
|
|
ac7d03 |
subject_base, ca_subject,
|
|
|
ac7d03 |
api, pkcs12_info=None, ca_file=None,
|
|
|
ac7d03 |
- ca_is_configured=None, promote=False):
|
|
|
ac7d03 |
+ ca_is_configured=None, promote=False,
|
|
|
ac7d03 |
+ setup_pkinit=False):
|
|
|
ac7d03 |
# idstart and idmax are configured so that the range is seen as
|
|
|
ac7d03 |
# depleted by the DNA plugin and the replica will go and get a
|
|
|
ac7d03 |
# new range from the master.
|
|
|
ac7d03 |
@@ -372,7 +379,8 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
idstart=idstart,
|
|
|
ac7d03 |
idmax=idmax,
|
|
|
ac7d03 |
pkcs12_info=pkcs12_info,
|
|
|
ac7d03 |
- ca_file=ca_file
|
|
|
ac7d03 |
+ ca_file=ca_file,
|
|
|
ac7d03 |
+ setup_pkinit=setup_pkinit,
|
|
|
ac7d03 |
)
|
|
|
ac7d03 |
self.master_fqdn = master_fqdn
|
|
|
ac7d03 |
if ca_is_configured is not None:
|
|
|
ac7d03 |
@@ -882,8 +890,17 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
|
|
|
ac7d03 |
nickname = self.cacert_name
|
|
|
ac7d03 |
cert = dsdb.get_cert_from_db(nickname, pem=False)
|
|
|
ac7d03 |
+ cacert_flags = trust_flags[nickname]
|
|
|
ac7d03 |
+ if self.setup_pkinit:
|
|
|
ac7d03 |
+ cacert_flags = TrustFlags(
|
|
|
ac7d03 |
+ cacert_flags.has_key,
|
|
|
ac7d03 |
+ cacert_flags.trusted,
|
|
|
ac7d03 |
+ cacert_flags.ca,
|
|
|
ac7d03 |
+ (cacert_flags.usages |
|
|
|
ac7d03 |
+ {x509.EKU_PKINIT_CLIENT_AUTH, x509.EKU_PKINIT_KDC}),
|
|
|
ac7d03 |
+ )
|
|
|
ac7d03 |
certstore.put_ca_cert_nss(conn, self.suffix, cert, nickname,
|
|
|
ac7d03 |
- trust_flags[nickname],
|
|
|
ac7d03 |
+ cacert_flags,
|
|
|
ac7d03 |
config_ipa=self.ca_is_configured,
|
|
|
ac7d03 |
config_compat=self.master_fqdn is None)
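Review bot: The new `if self.setup_pkinit:` branch is gated only on `setup_pkinit`, not on `self.ca_is_configured`, so in the PKCS#12 path — where `init_info` sets `ca_is_configured = False` — the certificate stored under `self.cacert_name` (the external issuer of the DS certificate, as far as I can tell) would also be given PKINIT KDC and client-authentication trust, which is broader than the "trust IPA CA" the commit message describes; if that is not intended, gate with `if self.setup_pkinit and self.ca_is_configured:`. I cannot see from the hunk how `trust_flags` is populated, so this is inferred from the `init_info` change earlier in the patch. Separately, if `TrustFlags` is a namedtuple the rebuild can be written as `cacert_flags = cacert_flags._replace(usages=cacert_flags.usages | {x509.EKU_PKINIT_CLIENT_AUTH, x509.EKU_PKINIT_KDC})`, which will not silently drop a field if one is added to `TrustFlags` later. The enclosing method starts outside the hunk.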
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ac7d03 |
index 73cc91d8f6dd5811ec74efecd6c885cd8937a0f2..a1957ca5b675b86f0df36dc820ee31305f54f863 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ac7d03 |
@@ -79,7 +79,11 @@ class update_upload_cacrt(Updater):
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
ldap.add_entry(entry)
|
|
|
ac7d03 |
except errors.DuplicateEntry:
|
|
|
ac7d03 |
- pass
|
|
|
ac7d03 |
+ if nickname == ca_nickname and ca_enabled:
|
|
|
ac7d03 |
+ try:
|
|
|
ac7d03 |
+ ldap.update_entry(entry)
|
|
|
ac7d03 |
+ except errors.EmptyModlist:
|
|
|
ac7d03 |
+ pass
|
|
|
ac7d03 |
|
|
|
ac7d03 |
if ca_cert:
|
|
|
ac7d03 |
dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'),
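Review bot: The new `ldap.update_entry(entry)` on `DuplicateEntry` rewrites the existing entry for `ca_nickname` with the freshly built one, so any attribute of that entry changed by hand on the server (trust flags included) is reverted on every upgrade run, and nothing on these lines says that this is deliberate; add `# Existing CA entry: refresh it so trust flags added by newer releases (e.g. the PKINIT EKUs) take effect on upgrade` above the `if nickname == ca_nickname and ca_enabled:` line. Whether `entry` carries an original snapshot for the modlist I cannot tell from the hunk, so "rewrites" is inferred from `entry` being the object that was just built for `add_entry`. `ca_nickname`, `ca_enabled` and the enclosing method body start outside the hunk.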
|
|
|
ac7d03 |
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
|
|
ac7d03 |
index 0ce60e964cb210708e56fb43a5b70f8e3405caf2..25c21db721c58388ae8fd6ab1fbc443d513a4324 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/server/install.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/server/install.py
|
|
|
ac7d03 |
@@ -737,7 +737,8 @@ def install(installer):
|
|
|
ac7d03 |
idstart=options.idstart, idmax=options.idmax,
|
|
|
ac7d03 |
subject_base=options.subject_base,
|
|
|
ac7d03 |
ca_subject=options.ca_subject,
|
|
|
ac7d03 |
- hbac_allow=not options.no_hbac_allow)
|
|
|
ac7d03 |
+ hbac_allow=not options.no_hbac_allow,
|
|
|
ac7d03 |
+ setup_pkinit=not options.no_pkinit)
|
|
|
ac7d03 |
else:
|
|
|
ac7d03 |
ds = dsinstance.DsInstance(fstore=fstore,
|
|
|
ac7d03 |
domainlevel=options.domainlevel,
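Review bot: `setup_pkinit=not options.no_pkinit` is now repeated at three call sites in this function (both `DsInstance` constructors in this hunk and the `init_info` call in a later hunk), which is easy to get out of step when the option is renamed; compute it once near the top of `install` with `setup_pkinit = not options.no_pkinit` and pass `setup_pkinit=setup_pkinit` at each site. This is a style point only; the three expressions are identical today. The enclosing `install` function starts and ends outside the hunk.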
|
|
|
ac7d03 |
@@ -748,7 +749,8 @@ def install(installer):
|
|
|
ac7d03 |
idstart=options.idstart, idmax=options.idmax,
|
|
|
ac7d03 |
subject_base=options.subject_base,
|
|
|
ac7d03 |
ca_subject=options.ca_subject,
|
|
|
ac7d03 |
- hbac_allow=not options.no_hbac_allow)
|
|
|
ac7d03 |
+ hbac_allow=not options.no_hbac_allow,
|
|
|
ac7d03 |
+ setup_pkinit=not options.no_pkinit)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
ntpinstance.ntp_ldap_enable(host_name, ds.suffix, realm_name)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
@@ -759,7 +761,8 @@ def install(installer):
|
|
|
ac7d03 |
installer._ds = ds
|
|
|
ac7d03 |
ds.init_info(
|
|
|
ac7d03 |
realm_name, host_name, domain_name, dm_password,
|
|
|
ac7d03 |
- options.subject_base, options.ca_subject, 1101, 1100, None)
|
|
|
ac7d03 |
+ options.subject_base, options.ca_subject, 1101, 1100, None,
|
|
|
ac7d03 |
+ setup_pkinit=not options.no_pkinit)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
krb = krbinstance.KrbInstance(fstore)
|
|
|
ac7d03 |
if not options.external_cert_files:
|
|
|
ac7d03 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
ac7d03 |
index fb738cb9f590f3f9595de92ef025c6032e9343f8..c19edceec42845f3169adc923762f700739232f2 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
ac7d03 |
@@ -107,6 +107,7 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,
|
|
|
ac7d03 |
ca_file=ca_file,
|
|
|
ac7d03 |
promote=promote, # we need promote because of replication setup
|
|
|
ac7d03 |
api=remote_api,
|
|
|
ac7d03 |
+ setup_pkinit=not options.no_pkinit,
|
|
|
ac7d03 |
)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
return ds
--
2.9.4