From 4a9ff573f1c9c91e1e2e1e2d7de70951b7333fb4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 23 Jun 2017 15:47:48 +0200
Subject: [PATCH] smart card advise: use password when changing trust flags on HTTP cert

This is to prevent NSS asking for database password when operating in FIPS 140 mode.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Alexander Bokovoy
---
 ipaserver/advise/plugins/smart_card_auth.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 3ff94be1e8b108668989602b1b406a39d23ff501..5134db535e8f10e8cf850dbf0696b679aacec4f5 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -2,6 +2,8 @@
 # Copyright (C) 2017 FreeIPA Contributors see COPYING for license
 #
 
+import os
+
 from ipalib.plugable import Registry
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -172,6 +174,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
 return fmt_line.format(directive=directive, filename=filename)
 
 def mark_httpd_cert_as_trusted(self):
+ httpd_nss_database_pwd_file = os.path.join(
+ paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
 self.log.comment(
 'mark the HTTP certificate as trusted peer to avoid '
 'chicken-egg startup issue')
@@ -181,8 +185,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
 " cut -f 2 -d ' ')"))
 
 self.log.exit_on_failed_command(
- 'certutil -M -n $http_cert_nick -d "{}" -t "Pu,u,u"'.format(
- paths.HTTPD_ALIAS_DIR),
+ 'certutil -M -n $http_cert_nick -d "{}" -f {} -t "Pu,u,u"'.format(
+ paths.HTTPD_ALIAS_DIR,
+ httpd_nss_database_pwd_file),
 ['Can not set trust flags on HTTP certificate'])
 
 def _interpolate_nssnickname_directive_file_into_command(self, fmt_line):
-- 
2.9.4
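Review bot: The reason the NSS database password file is now handed to certutil lives only in the commit message, so the new `httpd_nss_database_pwd_file` assignment at the top of `mark_httpd_cert_as_trusted` deserves a comment for whoever next reads the generated advice: `# certutil needs the NSS DB password up front; in FIPS 140 mode it would otherwise prompt for it`. The file name `'pwdfile.txt'` is hard-coded next to `paths.HTTPD_ALIAS_DIR`; if `ipaplatform.paths` already exposes a constant for this file, using it would keep the location defined in one place. The body of `mark_httpd_cert_as_trusted` continues past the end of this hunk.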
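Review bot: The new `-f {}` argument is interpolated into the shell command unquoted while the adjacent `-d "{}"` is quoted, so the two path arguments in the same certutil invocation are treated inconsistently; quoting it keeps the emitted script robust if the alias directory path ever contains shell-significant characters: `'certutil -M -n $http_cert_nick -d "{}" -f "{}" -t "Pu,u,u"'.format(`. Both values derive from the same `paths.HTTPD_ALIAS_DIR` constant, so this is a point of style rather than a live defect. The `exit_on_failed_command` call is complete within the hunk, but the enclosing `mark_httpd_cert_as_trusted` starts in the previous hunk.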