From b98b21aaa709ccd91369e89a836f64c06c4593e8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/restart_scripts/restart_httpd      |  3 ++-
 install/tools/ipa-replica-conncheck        |  4 +++-
 ipaclient/install/client.py                |  9 ++++++---
 ipapython/certdb.py                        |  9 +++++++--
 ipaserver/install/ca.py                    |  2 +-
 ipaserver/install/certs.py                 |  5 +++--
 ipaserver/install/dsinstance.py            |  5 +++--
 ipaserver/install/httpinstance.py          |  5 +++--
 ipaserver/install/ipa_cacert_manage.py     | 16 +++++++++++-----
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py        |  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82b896b109c3859ac82c2d84ab27b839f72..cd7f12024ea3cab16e9c664687cd854e666c9570 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
     nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
     # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(nickname, "P,,")
+    db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f32d9fa4a625cca3614e13e71d00f58e57e..528242268f9992e903781b76a379039d533853c0 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
                             data = ca_cert.public_bytes(
                                 serialization.Encoding.DER)
                             nss_db.add_cert(
-                                data, str(DN(ca_cert.subject)), 'C,,')
+                                data,
+                                str(DN(ca_cert.subject)),
+                                certdb.EXTERNAL_CA_TRUST_FLAGS)
 
                     api.bootstrap(context='client',
                                   confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692fd61be4a9f35a1398fb2af4b1d9e8689b..e78be904dd6bad491d9f3c1bb1e1410bc1779d45 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
     if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
         create_ipa_nssdb()
 
-    for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-                                  ('External CA cert', 'C,,')):
+    for nickname, trust_flags in (
+            ('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+            ('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
         try:
             cert = sys_db.get_cert(nickname)
         except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
             tmp_db.create_db()
 
             for i, cert in enumerate(ca_certs):
-                tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+                tmp_db.add_cert(cert,
+                                'CA certificate %d' % (i + 1),
+                                certdb.EXTERNAL_CA_TRUST_FLAGS)
         except CalledProcessError:
             raise ScriptError(
                 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index ea73ec139df9013b860df447fcffd9038cf7c8f2..44c7bf3197c198295035742e6db48527d76e85a6 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@ CA_NICKNAME_FMT = "%s IPA CA"
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
     return format % realm
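Review bot: The four new constants at the top of the hunk carry no documentation, so a reader still has to know the NSS trust-string format to tell why `CT,C,C` differs from `C,,` or `P,,`; the safest place for that knowledge is next to the definitions now that every caller goes through them. I would add a short comment above `EMPTY_TRUST_FLAGS` such as `# NSS certutil trust flags as "<SSL>,<email>,<object signing>": C = trusted CA, T = trusted to issue client certs, P = trusted peer, empty = no trust` and a one-line comment per constant naming its intended use (IPA CA, externally issued CA in a chain, server/peer certificate). The constant names are good, but the `EXTERNAL_CA` constant is reused in this patch as the `trust_root_cert` default and for CA chain members in temporary databases, which is worth stating so later callers do not widen its meaning.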
@@ -441,7 +446,7 @@ class NSSDatabase(object):
             cert = x509.load_certificate(cert_pem)
             nickname = str(DN(cert.subject))
             data = cert.public_bytes(serialization.Encoding.DER)
-            self.add_cert(data, nickname, ',,')
+            self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
         if extracted_key:
             in_file = ipautil.write_tmp_file(
@@ -473,7 +478,7 @@ class NSSDatabase(object):
                 root_nickname)
         else:
             if trust_flags is None:
-                trust_flags = 'C,,'
+                trust_flags = EXTERNAL_CA_TRUST_FLAGS
             try:
                 self.run_certutil(["-M", "-n", root_nickname,
                                    "-t", trust_flags])
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8ee0fda23411563c70b7db5f39f43c2869c108b5..52cb20f1cb3612394544a6a41f10e9e939bc0657 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -320,7 +320,7 @@ def install_step_1(standalone, replica_config, options):
             realm_name, nssdir=dirname, subject_base=subject_base)
         cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca', pem=False)
         nickname = certdb.get_ca_nickname(realm_name)
-        trust_flags = 'CT,C,C'
+        trust_flags = certdb.IPA_CA_TRUST_FLAGS
         dsdb.add_cert(cacert, nickname, trust_flags)
         certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
                                   cacert, nickname, trust_flags,
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 89e57134f24c505d669057eefffb7862b3b8179a..f87e00eb5e9c14ed30d39ef9f6e86b6f24bb1c61 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -37,6 +37,7 @@ from ipalib.install import certmonger, sysrestore
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dogtag
 from ipapython import ipautil
+from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS
 from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase
 from ipapython.dn import DN
 from ipalib import pkcs10, x509, api
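Review bot: The added line `from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS` sits directly above an existing import from the same module, leaving two `from ipapython.certdb import ...` statements in a row; merging them into one sorted import, e.g. `from ipapython.certdb import (EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS, NSSDatabase, find_cert_from_txt, get_ca_nickname)`, keeps the import block consistent with the rest of the file. This is a style point only; the names resolve either way.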
@@ -597,7 +598,7 @@ class CertDB(object):
         # a new certificate database.
         self.create_passwd_file()
         self.create_certdbs()
-        self.load_cacert(cacert_fname, 'CT,C,C')
+        self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
 
     def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
                            ca_file=None, trust_flags=None):
@@ -643,7 +644,7 @@ class CertDB(object):
                     cert, st = find_cert_from_txt(certs, st)
                 except RuntimeError:
                     break
-                self.add_cert(cert, 'CA %s' % num, ',,', pem=True)
+                self.add_cert(cert, 'CA %s' % num, EMPTY_TRUST_FLAGS, pem=True)
                 num += 1
 
         # We only handle one server cert
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 403fe8489fdd9e0dbf40dd4df3794b51185d45b9..0db0368fa4b48495718afd779291ce164d1687c8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -32,6 +32,7 @@ import fnmatch
 import ldap
 
 from ipalib.install import certmonger, certstore
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil, ipaldap
 from ipapython import dogtag
@@ -766,7 +767,7 @@ class DsInstance(service.Service):
         )
         if self.pkcs12_info:
             if self.ca_is_configured:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@@ -1065,7 +1066,7 @@ class DsInstance(service.Service):
         certdb.cacert_name = cacert_name
         status = True
         try:
-            certdb.load_cacert(cacert_fname, 'C,,')
+            certdb.load_cacert(cacert_fname, EXTERNAL_CA_TRUST_FLAGS)
         except ipautil.CalledProcessError as e:
             root_logger.critical("Error importing CA cert file named [%s]: %s" %
                                          (cacert_fname, str(e)))
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ab688a85f157b1886842a91bb7d22f9ea99e3615..a6aeb21edc73783ff9a3f9b526409ea525aa66dd 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -32,6 +32,7 @@ import six
 from augeas import Augeas
 
 from ipalib.install import certmonger
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
@@ -381,7 +382,7 @@ class HTTPInstance(service.Service):
 
         if self.pkcs12_info:
             if self.ca_is_configured:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@@ -403,7 +404,7 @@ class HTTPInstance(service.Service):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
 
-            db.trust_root_cert(nickname, "P,,")
+            db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
         else:
             if not self.promote:
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 3b732e4dcbb5c9b4dfbb9e3608bc7d7afd3e10c2..88b40d45e10281d272882d21e06f5d53cf5a701d 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -26,6 +26,7 @@ import gssapi
 
 from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
+from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipalib import api, errors, x509
@@ -242,10 +243,10 @@ class CACertManage(admintool.AdminTool):
 
         with certs.NSSDatabase() as tmpdb:
             tmpdb.create_db()
-            tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')
+            tmpdb.add_cert(old_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
 
             try:
-                tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
+                tmpdb.add_cert(new_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
             except ipautil.CalledProcessError as e:
                 raise admintool.ScriptError(
                     "Not compatible with the current CA certificate: %s" % e)
@@ -253,7 +254,8 @@ class CACertManage(admintool.AdminTool):
             ca_certs = x509.load_certificate_list_from_file(ca_file.name)
             for ca_cert in ca_certs:
                 data = ca_cert.public_bytes(serialization.Encoding.DER)
-                tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')
+                tmpdb.add_cert(
+                    data, str(DN(ca_cert.subject)), EXTERNAL_CA_TRUST_FLAGS)
 
             try:
                 tmpdb.verify_ca_cert_validity('IPA CA')
@@ -270,7 +272,11 @@ class CACertManage(admintool.AdminTool):
                 except RuntimeError:
                     break
                 certstore.put_ca_cert_nss(
-                    conn, api.env.basedn, ca_cert, nickname, ',,')
+                    conn,
+                    api.env.basedn,
+                    ca_cert,
+                    nickname,
+                    EMPTY_TRUST_FLAGS)
 
         dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                 ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
@@ -343,7 +349,7 @@ class CACertManage(admintool.AdminTool):
 
         with certs.NSSDatabase() as tmpdb:
             tmpdb.create_db()
-            tmpdb.add_cert(cert, nickname, 'C,,')
+            tmpdb.add_cert(cert, nickname, EXTERNAL_CA_TRUST_FLAGS)
             for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
                 tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
 
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 425ea63976ec92a6d69492d90a1e970e528c4a26..7d294ff971bd109e5fbb3570bfff0198f24b68d3 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -55,7 +55,7 @@ class update_upload_cacrt(Updater):
             if 'u' in trust_flags:
                 continue
             if nickname == ca_nickname and ca_enabled:
-                trust_flags = 'CT,C,C'
+                trust_flags = certdb.IPA_CA_TRUST_FLAGS
             cert = db.get_cert_from_db(nickname, pem=False)
             trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index aa8e67f60b8abe591d55a907c409b584c74d4541..5e78e6faf51ded2fe7634f230c66aa15ae84bad4 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -23,6 +23,7 @@ import ipaclient.install.ntpconf
 from ipalib.install import certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipaldap, ipautil
+from ipapython.certdb import IPA_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
@@ -737,7 +738,7 @@ def install_check(installer):
                                   nssdir=tmp_db_dir,
                                   subject_base=config.subject_base)
             if ca_enabled:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5e5c83731d3d3415deb61271baa7865c62f60336..73a4f1108a56a766cdbbcb93d7050482a8264a75 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1389,7 +1389,7 @@ def fix_trust_flags():
     nickname = certdb.get_ca_nickname(api.env.realm)
     cert = db.get_cert_from_db(nickname)
     if cert:
-        db.trust_root_cert(nickname, 'CT,C,C')
+        db.trust_root_cert(nickname, certdb.IPA_CA_TRUST_FLAGS)
 
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
@@ -1407,7 +1407,7 @@ def fix_server_cert_trust_flags():
     sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
                                              "NSSNickname")
     # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(sc_nickname, "P,,")
+    db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
 
     sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
 
-- 
2.9.4