|
 |
e0d192 |
From 8f06b5064c30393bf1ce7c4d28e1f3284e8cea07 Mon Sep 17 00:00:00 2001
|
|
|
e0d192 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
e0d192 |
Date: Fri, 4 Dec 2020 10:15:11 -0600
|
|
|
e0d192 |
Subject: [PATCH] Fix 01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
|
|
|
e0d192 |
The upgrade script that is supposed to add caAuditSigningCert
|
|
|
e0d192 |
profile into existing instances failed since the actual profile
|
|
|
e0d192 |
configuration is packaged in pki-ca which is installed after
|
|
|
e0d192 |
the upgrade is done.
|
|
|
e0d192 |
|
|
|
e0d192 |
To fix the problem, the upgrade script has been modified to
|
|
|
e0d192 |
embed the content of the profile configuration.
|
|
|
e0d192 |
|
|
|
e0d192 |
https://bugzilla.redhat.com/show_bug.cgi?id=1883639
|
|
|
e0d192 |
(cherry picked from commit 8533fdc51695d5965b7256ffbb73fd928097f7fd)
|
|
|
e0d192 |
---
|
|
|
e0d192 |
.../10.5.18/01-AddProfileCaAuditSigningCert | 87 +++++++++++++++++++++-
|
|
|
e0d192 |
1 file changed, 86 insertions(+), 1 deletion(-)
|
|
|
e0d192 |
|
|
|
e0d192 |
diff --git a/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert b/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
index 5cec8d9..c142325 100644
|
|
|
e0d192 |
--- a/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
+++ b/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
@@ -17,6 +17,88 @@ logger = logging.getLogger(__name__)
|
|
|
e0d192 |
|
|
|
e0d192 |
class AddProfileCaAuditSigningCert(pki.server.upgrade.PKIServerUpgradeScriptlet):
|
|
|
e0d192 |
|
|
|
e0d192 |
+ caAuditSigningCert = """desc=This certificate profile is for enrolling audit signing certificates.
|
|
|
e0d192 |
+visible=true
|
|
|
e0d192 |
+enable=true
|
|
|
e0d192 |
+enableBy=admin
|
|
|
e0d192 |
+auth.instance_id=
|
|
|
e0d192 |
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
|
|
|
e0d192 |
+name=Manual Audit Signing Certificate Enrollment
|
|
|
e0d192 |
+input.list=i1,i2
|
|
|
e0d192 |
+input.i1.class_id=certReqInputImpl
|
|
|
e0d192 |
+input.i2.class_id=submitterInfoInputImpl
|
|
|
e0d192 |
+output.list=o1
|
|
|
e0d192 |
+output.o1.class_id=certOutputImpl
|
|
|
e0d192 |
+policyset.list=auditSigningCertSet
|
|
|
e0d192 |
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
|
|
|
e0d192 |
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
|
|
|
e0d192 |
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
|
|
|
e0d192 |
+policyset.auditSigningCertSet.1.constraint.params.accept=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
|
|
|
e0d192 |
+policyset.auditSigningCertSet.1.default.params.name=
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.constraint.params.range=720
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.default.name=Validity Default
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.default.params.range=720
|
|
|
e0d192 |
+policyset.auditSigningCertSet.2.default.params.startTime=0
|
|
|
e0d192 |
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
|
|
|
e0d192 |
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
|
|
|
e0d192 |
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
|
|
|
e0d192 |
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.3.default.name=Key Default
|
|
|
e0d192 |
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
|
|
|
e0d192 |
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
|
|
|
e0d192 |
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
|
|
|
e0d192 |
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
|
|
|
e0d192 |
+policyset.auditSigningCertSet.9.default.name=Signing Alg
|
|
|
e0d192 |
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
|
|
|
e0d192 |
+"""
|
|
|
e0d192 |
+
|
|
|
e0d192 |
def __init__(self):
|
|
|
e0d192 |
super(AddProfileCaAuditSigningCert, self).__init__()
|
|
|
e0d192 |
self.message = 'Add caAuditSigningCert profile'
|
|
|
e0d192 |
@@ -46,7 +128,10 @@ class AddProfileCaAuditSigningCert(pki.server.upgrade.PKIServerUpgradeScriptlet)
|
|
|
e0d192 |
if not os.path.exists(path):
|
|
|
e0d192 |
logger.info('Creating caAuditSigningCert.cfg')
|
|
|
e0d192 |
self.backup(path)
|
|
|
e0d192 |
- shutil.copyfile('/usr/share/pki/ca/profiles/ca/caAuditSigningCert.cfg', path)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ with open(path, 'w') as outfile:
|
|
|
e0d192 |
+ outfile.write(caAuditSigningCert)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
os.chown(path, instance.uid, instance.gid)
|
|
|
e0d192 |
os.chmod(path, 0o0660)
|
|
|
e0d192 |
|
|
|
e0d192 |
--
|
|
|
e0d192 |
1.8.3.1
|
|
|
e0d192 |
|