From 4a9ff573f1c9c91e1e2e1e2d7de70951b7333fb4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 23 Jun 2017 15:47:48 +0200
Subject: [PATCH] smart card advise: use password when changing trust flags on
HTTP cert
This is to prevent NSS asking for database password when operating in
FIPS 140 mode.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/advise/plugins/smart_card_auth.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 3ff94be1e8b108668989602b1b406a39d23ff501..5134db535e8f10e8cf850dbf0696b679aacec4f5 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -2,6 +2,8 @@
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
+import os
+
from ipalib.plugable import Registry
from ipaplatform import services
from ipaplatform.paths import paths
@@ -172,6 +174,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
return fmt_line.format(directive=directive, filename=filename)
def mark_httpd_cert_as_trusted(self):
+ httpd_nss_database_pwd_file = os.path.join(
+ paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
self.log.comment(
'mark the HTTP certificate as trusted peer to avoid '
'chicken-egg startup issue')
@@ -181,8 +185,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
" cut -f 2 -d ' ')"))
self.log.exit_on_failed_command(
- 'certutil -M -n $http_cert_nick -d "{}" -t "Pu,u,u"'.format(
- paths.HTTPD_ALIAS_DIR),
+ 'certutil -M -n $http_cert_nick -d "{}" -f {} -t "Pu,u,u"'.format(
+ paths.HTTPD_ALIAS_DIR,
+ httpd_nss_database_pwd_file),
['Can not set trust flags on HTTP certificate'])
def _interpolate_nssnickname_directive_file_into_command(self, fmt_line):
--
2.9.4