IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-27 09:21:59 -06:00
Code Issues Packages Projects Releases Wiki Activity
bb09db2228
freeipa/ipaserver/install/certs.py

793 lines
29 KiB
Python
Raw Normal View History

Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
Set the license uniformly to GPLv2 only.
2008-02-04 14:15:52 -06:00
# published by the Free Software Foundation; version 2 only
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
User provided certs.
0000-12-31 18:09:24 -05:50
import os, stat, subprocess, re
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
import errno
Create temporary files used in self-signed cert requests in a temporary directory and ensure that it gets cleaned up when we're done with it. 458159
2008-08-14 17:36:35 -05:00
import tempfile
Minor bugs found while testing stuff. - wrong import in certs.py makes ipa-replica-manage fail - close the fs after the stash file is written so that the file is updated immediately and not when the fd is garbage collected
2008-08-19 15:39:33 -05:00
import shutil
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
import logging
import urllib
import xml.dom.minidom
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
import pwd
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
from ipapython import nsslib
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import sysrestore
from ipapython import ipautil
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
from nss.error import NSPRError
import nss.nss as nss
Fix deprecation warning for the sha library on Python 2.6 sha has been replaced by hashlib. We need to support Python 2.4 - 2.6 so this will use hashlib if available but fall back onto sha if not. Fortunately they use the same API for the function we need. 509042 Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 15:58:21 -05:00
# The sha module is deprecated in Python 2.6, replaced by hashlib. Try
# that first and fall back to sha.sha if it isn't available.
try:
from hashlib import sha256 as sha
except ImportError:
from sha import sha
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
CA_SERIALNO="/var/lib/ipa/ca_serialno"
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def ipa_self_signed():
"""
Determine if the current IPA CA is self-signed or using another CA
Note that this doesn't distinguish between dogtag and being provided
PKCS#12 files from another CA.
A server is self-signed if /var/lib/ipa/ca_serialno exists
"""
if ipautil.file_exists(CA_SERIALNO):
return True
else:
return False
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
cert = None
if chosen_nickname:
try:
cert = nss.find_cert_from_nickname(chosen_nickname, password)
priv_key = nss.find_key_by_any_cert(cert, password)
return cert, priv_key
except NSPRError, e:
logging.debug("client auth callback failed %s" % str(e))
return False
else:
nicknames = nss.get_cert_nicknames(certdb, nss.SEC_CERT_NICKNAMES_USER)
for nickname in nicknames:
try:
cert = nss.find_cert_from_nickname(nickname, password)
if cert.check_valid_times():
if cert.has_signer_in_ca_names(ca_names):
priv_key = nss.find_key_by_any_cert(cert, password)
return cert, priv_key
except NSPRError, e:
logging.debug("client auth callback failed %s" % str(e))
return False
return False
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
class CertDB(object):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def __init__(self, nssdir, fstore=None, host_name=None):
self.secdir = nssdir
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.noise_fname = self.secdir + "/noise.txt"
self.passwd_fname = self.secdir + "/pwdfile.txt"
self.certdb_fname = self.secdir + "/cert8.db"
self.keydb_fname = self.secdir + "/key3.db"
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
self.secmod_fname = self.secdir + "/secmod.db"
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.cacert_fname = self.secdir + "/cacert.asc"
self.pk12_fname = self.secdir + "/cacert.p12"
self.pin_fname = self.secdir + "/pin.txt"
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.pwd_conf = "/etc/httpd/conf/password.conf"
Create temporary files used in self-signed cert requests in a temporary directory and ensure that it gets cleaned up when we're done with it. 458159
2008-08-14 17:36:35 -05:00
self.reqdir = tempfile.mkdtemp('', 'ipa-', '/var/lib/ipa')
self.certreq_fname = self.reqdir + "/tmpcertreq"
self.certder_fname = self.reqdir + "/tmpcert.der"
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.host_name = host_name
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
self.self_signed_ca = ipa_self_signed()
if self.self_signed_ca:
self.subject_format = "CN=%s,ou=test-ipa,O=IPA"
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
else:
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
self.subject_format = "CN=%s,OU=pki-ipa,O=IPA"
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
# Making this a starting value that will generate
# unique values for the current DB is the
# responsibility of the caller for now. In the
# future we might automatically determine this
# for a given db.
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
self.cur_serial = -1
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
self.cacert_name = "CA certificate"
self.valid_months = "120"
self.keysize = "1024"
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
# We are going to set the owner of all of the cert
# files to the owner of the containing directory
# instead of that of the process. This works when
# this is called by root for a daemon that runs as
# a normal user
mode = os.stat(self.secdir)
self.uid = mode[stat.ST_UID]
self.gid = mode[stat.ST_GID]
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
Create temporary files used in self-signed cert requests in a temporary directory and ensure that it gets cleaned up when we're done with it. 458159
2008-08-14 17:36:35 -05:00
def __del__(self):
shutil.rmtree(self.reqdir, ignore_errors=True)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def find_cert_from_txt(self, cert):
"""
Given a cert blob (str) which may or may not contian leading and
trailing text, pull out just the certificate part. This will return
the FIRST cert in a stream of data.
"""
s = cert.find('-----BEGIN CERTIFICATE-----')
e = cert.find('-----END CERTIFICATE-----')
if e > 0: e = e + 25
if s < 0 or e < 0:
raise RuntimeError("Unable to find certificate")
cert = cert[s:e]
return cert
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
def set_serial_from_pkcs12(self):
"""A CA cert was loaded from a PKCS#12 file. Set up our serial file"""
self.cur_serial = self.find_cacert_serial()
try:
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
f=open(CA_SERIALNO,"w")
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
f.write(str(self.cur_serial))
f.close()
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
def next_serial(self):
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
try:
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
f=open(CA_SERIALNO,"r")
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
r = f.readline()
Add some additional error handling 433347
2008-02-20 15:31:32 -06:00
try:
self.cur_serial = int(r) + 1
except ValueError:
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
raise RuntimeError("The value in %s is not an integer" % CA_SERIALNO)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
f.close()
except IOError, e:
if e.errno == errno.ENOENT:
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.self_signed_ca = True
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
self.cur_serial = 1000
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
f=open(CA_SERIALNO,"w")
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
f.write(str(self.cur_serial))
f.close()
else:
raise RuntimeError("Unable to determine serial number: %s" % str(e))
try:
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
f=open(CA_SERIALNO,"w")
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
f.write(str(self.cur_serial))
f.close()
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
return str(self.cur_serial)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
def set_perms(self, fname, write=False, uid=None):
if uid:
pent = pwd.getpwnam(uid)
os.chown(fname, pent.pw_uid, pent.pw_gid)
else:
os.chown(fname, self.uid, self.gid)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
perms = stat.S_IRUSR
if write:
perms |= stat.S_IWUSR
os.chmod(fname, perms)
def gen_password(self):
Fix deprecation warning for the sha library on Python 2.6 sha has been replaced by hashlib. We need to support Python 2.4 - 2.6 so this will use hashlib if available but fall back onto sha if not. Fortunately they use the same API for the function we need. 509042 Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 15:58:21 -05:00
return sha(ipautil.ipa_generate_password()).hexdigest()
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def run_certutil(self, args, stdin=None):
new_args = ["/usr/bin/certutil", "-d", self.secdir]
new_args = new_args + args
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
return ipautil.run(new_args, stdin)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
def run_signtool(self, args, stdin=None):
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
if not self.self_signed_ca:
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
new_args = ["/usr/bin/signtool", "-d", self.secdir, "-p", password]
else:
new_args = ["/usr/bin/signtool", "-d", self.secdir]
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
new_args = new_args + args
ipautil.run(new_args, stdin)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def create_noise_file(self):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if ipautil.file_exists(self.noise_fname):
os.remove(self.noise_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
f = open(self.noise_fname, "w")
f.write(self.gen_password())
self.set_perms(self.noise_fname)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def create_passwd_file(self, passwd=None):
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
ipautil.backup_file(self.passwd_fname)
f = open(self.passwd_fname, "w")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if passwd is not None:
f.write("%s\n" % passwd)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
else:
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
f.write(self.gen_password())
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
f.close()
self.set_perms(self.passwd_fname)
def create_certdbs(self):
ipautil.backup_file(self.certdb_fname)
ipautil.backup_file(self.keydb_fname)
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
ipautil.backup_file(self.secmod_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.run_certutil(["-N",
"-f", self.passwd_fname])
self.set_perms(self.passwd_fname, write=True)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def list_certs(self):
"""
Return a tuple of tuples containing (nickname, trust)
"""
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-L"], stdout=subprocess.PIPE)
certs = p.stdout.read()
certs = certs.split("\n")
# FIXME, this relies on NSS never changing the formatting of certutil
certlist = []
for cert in certs:
nickname = cert[0:61]
trust = cert[61:]
if re.match(r'\w+,\w+,\w+', trust):
certlist.append((nickname.strip(), trust))
return tuple(certlist)
def has_nickname(self, nickname):
"""
Returns True if nickname exists in the certdb, False otherwise.
This could also be done directly with:
certutil -L -d -n <nickname> ...
"""
certs = self.list_certs()
for cert in certs:
if nickname == cert[0]:
return True
return False
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def create_ca_cert(self):
# Generate the encryption key
self.run_certutil(["-G", "-z", self.noise_fname, "-f", self.passwd_fname])
# Generate the self-signed cert
Add the CA constraint to the self-signed CA we generate 514027
2009-08-27 15:48:02 -05:00
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-S", "-n", self.cacert_name,
"-s", "cn=IPA Test Certificate Authority",
"-x",
"-t", "CT,,C",
"-2",
"-m", self.next_serial(),
"-v", self.valid_months,
"-z", self.noise_fname,
"-f", self.passwd_fname],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
# Is this a CA certificate [y/N]? y
# Enter the path length constraint, enter to skip [<0 for unlimited pat
# Is this a critical extension [y/N]? y
p.stdin.write("y\n\n7\n")
p.wait()
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def export_ca_cert(self, nickname, create_pkcs12=False):
Don't create a backup of the PKCS#12 cert on replicas Name the file created by ipa-replica-prepare after the FQDN of the target Resolves 432904
2008-02-14 19:39:06 -06:00
"""create_pkcs12 tells us whether we should create a PKCS#12 file
of the CA or not. If we are running on a replica then we won't
have the private key to make a PKCS#12 file so we don't need to
do that step."""
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
# export the CA cert for use with other apps
ipautil.backup_file(self.cacert_fname)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
self.run_certutil(["-L", "-n", nickname,
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
"-a",
"-o", self.cacert_fname])
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
os.chmod(self.cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
Don't create a backup of the PKCS#12 cert on replicas Name the file created by ipa-replica-prepare after the FQDN of the target Resolves 432904
2008-02-14 19:39:06 -06:00
if create_pkcs12:
ipautil.backup_file(self.pk12_fname)
ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
"-o", self.pk12_fname,
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
"-n", self.cacert_name,
Don't create a backup of the PKCS#12 cert on replicas Name the file created by ipa-replica-prepare after the FQDN of the target Resolves 432904
2008-02-14 19:39:06 -06:00
"-w", self.passwd_fname,
"-k", self.passwd_fname])
self.set_perms(self.pk12_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def load_cacert(self, cacert_fname):
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
self.run_certutil(["-A", "-n", self.cacert_name,
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
"-t", "CT,,C",
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
"-a",
"-i", cacert_fname])
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def get_cert_from_db(self, nickname):
try:
args = ["-L", "-n", nickname, "-a"]
(cert, err) = self.run_certutil(args)
return cert
except ipautil.CalledProcessError:
return ''
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
def find_cacert_serial(self):
(out,err) = self.run_certutil(["-L", "-n", self.cacert_name])
data = out.split('\n')
for line in data:
x = re.match(r'\s+Serial Number: (\d+) .*', line)
if x is not None:
return x.group(1)
raise RuntimeError("Unable to find serial number")
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def create_server_cert(self, nickname, hostname, other_certdb=None, subject=None):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"""
other_certdb can mean one of two things, depending on the context.
If we are using a self-signed CA then other_certdb contains the
CA that will be signing our CSR.
If we are using a dogtag CA then it contains the RA agent key
that will issue our cert.
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
You can override the certificate Subject by specifying a subject.
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"""
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
cdb = other_certdb
if not cdb:
cdb = self
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
if subject is None:
subject=self.subject_format % hostname
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
(out, err) = self.request_cert(subject)
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
self.add_cert(self.certder_fname, nickname)
os.unlink(self.certreq_fname)
os.unlink(self.certder_fname)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def create_signing_cert(self, nickname, hostname, other_certdb=None, subject=None):
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
cdb = other_certdb
if not cdb:
cdb = self
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
if subject is None:
subject=self.subject_format % hostname
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
self.request_cert(subject)
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
cdb.issue_signing_cert(self.certreq_fname, self.certder_fname)
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
self.add_cert(self.certder_fname, nickname)
os.unlink(self.certreq_fname)
os.unlink(self.certder_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def request_cert(self, subject, certtype="rsa", keysize="2048"):
self.create_noise_file()
args = ["-R", "-s", subject,
"-o", self.certreq_fname,
"-k", certtype,
"-g", keysize,
"-z", self.noise_fname,
"-f", self.passwd_fname]
if not self.self_signed_ca:
args.append("-a")
(stdout, stderr) = self.run_certutil(args)
os.remove(self.noise_fname)
return (stdout, stderr)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
def issue_server_cert(self, certreq_fname, cert_fname):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if self.self_signed_ca:
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-C", "-c", self.cacert_name,
"-i", certreq_fname,
"-o", cert_fname,
"-m", self.next_serial(),
"-v", self.valid_months,
"-f", self.passwd_fname,
"-1", "-5"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
# Bah - this sucks, but I guess it isn't possible to fully
# control this with command line arguments.
#
# What this is requesting is:
# -1 (Create key usage extension)
# 2 - Key encipherment
# 9 - done
# n - not critical
#
# -5 (Create netscape cert type extension)
# 1 - SSL Server
# 9 - done
# n - not critical
p.stdin.write("2\n9\nn\n1\n9\nn\n")
p.wait()
else:
if self.host_name is None:
raise RuntimeError("CA Host is not set.")
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
f = open(certreq_fname, "r")
csr = f.readlines()
f.close()
csr = "".join(csr)
# We just want the CSR bits, make sure there is nothing else
s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")
e = csr.find("-----END NEW CERTIFICATE REQUEST-----")
if e > 0:
e = e + 37
if s >= 0:
csr = csr[s:]
params = urllib.urlencode({'profileId': 'caRAserverCert',
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
'cert_request': csr,
'xmlOutput': 'true'})
headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain"}
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
# Send the request to the CA
f = open(self.passwd_fname, "r")
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
password = f.readline()
f.close()
conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
conn.set_debuglevel(0)
conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
res = conn.getresponse()
data = res.read()
conn.close()
if res.status != 200:
raise RuntimeError("Unable to submit cert request")
# The result is an XML blob. Pull the certificate out of that
doc = xml.dom.minidom.parseString(data)
item_node = doc.getElementsByTagName("b64")
cert = item_node[0].childNodes[0].data
doc.unlink()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
conn.close()
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
# Write the certificate to a file. It will be imported in a later
# step.
f = open(cert_fname, "w")
f.write(cert)
f.close()
return
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
def issue_signing_cert(self, certreq_fname, cert_fname):
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
if self.self_signed_ca:
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-C", "-c", self.cacert_name,
"-i", certreq_fname,
"-o", cert_fname,
"-m", self.next_serial(),
"-v", self.valid_months,
"-f", self.passwd_fname,
"-1", "-5"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
# Bah - this sucks, but I guess it isn't possible to fully
# control this with command line arguments.
#
# What this is requesting is:
# -1 (Create key usage extension)
# 0 - Digital Signature
# 5 - Cert signing key
# 9 - done
# n - not critical
#
# -5 (Create netscape cert type extension)
# 3 - Object Signing
# 9 - done
# n - not critical
p.stdin.write("0\n5\n9\nn\n3\n9\nn\n")
p.wait()
else:
if self.host_name is None:
raise RuntimeError("CA Host is not set.")
f = open(certreq_fname, "r")
csr = f.readlines()
f.close()
csr = "".join(csr)
# We just want the CSR bits, make sure there is no thing else
s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")
e = csr.find("-----END NEW CERTIFICATE REQUEST-----")
if e > 0:
e = e + 37
if s >= 0:
csr = csr[s:]
params = urllib.urlencode({'profileId': 'caJarSigningCert',
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
'cert_request': csr,
'xmlOutput': 'true'})
headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain"}
# Send the request to the CA
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
conn.set_debuglevel(0)
conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
res = conn.getresponse()
data = res.read()
conn.close()
if res.status != 200:
raise RuntimeError("Unable to submit cert request")
# The result is an XML blob. Pull the certificate out of that
doc = xml.dom.minidom.parseString(data)
item_node = doc.getElementsByTagName("b64")
cert = item_node[0].childNodes[0].data
doc.unlink()
conn.close()
f = open(cert_fname, "w")
f.write(cert)
f.close()
return
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def add_cert(self, cert_fname, nickname):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
args = ["-A", "-n", nickname,
"-t", "u,u,u",
"-i", cert_fname,
"-f", cert_fname]
if not self.self_signed_ca:
args.append("-a")
self.run_certutil(args)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def create_pin_file(self):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"""
This is the format of Directory Server pin files.
"""
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
ipautil.backup_file(self.pin_fname)
f = open(self.pin_fname, "w")
f.write("Internal (Software) Token:")
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile = open(self.passwd_fname)
f.write(pwdfile.read())
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
f.close()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile.close()
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.set_perms(self.pin_fname)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def create_password_conf(self):
"""
This is the format of mod_nss pin files.
"""
ipautil.backup_file(self.pwd_conf)
f = open(self.pwd_conf, "w")
f.write("internal:")
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile = open(self.passwd_fname)
f.write(pwdfile.read())
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
f.close()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile.close()
self.set_perms(self.pwd_conf, uid="apache")
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def find_root_cert(self, nickname):
User provided certs.
0000-12-31 18:09:24 -05:50
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-O", "-n", nickname], stdout=subprocess.PIPE)
chain = p.stdout.read()
chain = chain.split("\n")
No need to trust NSS built-in CA's, more specific regex for finding CA nickname - Add some logging so we have a better idea of what happened if things fail - Default to self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CA's in -O output. - Remove unused httplib import Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 11:16:56 -05:00
root_nickname = re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]
# Try to work around a change in the F-11 certutil where untrusted
# CA's are not shown in the chain. This will make a default IPA
# server installable.
if root_nickname is None and self.self_signed_ca:
return self.cacert_name
User provided certs.
0000-12-31 18:09:24 -05:50
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
return root_nickname
Fixed whitespace indentation error in certs.py
2009-07-27 20:23:31 -05:00
def find_root_cert_from_pkcs12(self, pkcs12_fname, passwd_fname=None):
"""Given a PKCS#12 file, try to find any certificates that do
not have a key. The assumption is that these are the root CAs.
"""
args = ["/usr/bin/pk12util", "-d", self.secdir,
"-l", pkcs12_fname,
"-k", passwd_fname]
if passwd_fname:
args = args + ["-w", passwd_fname]
try:
(stdout, stderr) = ipautil.run(args)
except ipautil.CalledProcessError, e:
if e.returncode == 17:
raise RuntimeError("incorrect password")
else:
raise RuntimeError("unknown error using pkcs#12 file")
lines = stdout.split('\n')
# A simple state machine.
# 1 = looking for "Certificate:"
# 2 = looking for the Friendly name (nickname)
nicknames = []
state = 1
for line in lines:
if state == 2:
m = re.match("\W+Friendly Name: (.*)", line)
if m:
nicknames.append( m.groups(0)[0])
state = 1
if line == "Certificate:":
state = 2
return nicknames
Identify CAs to trust from an imported PKCS#12 file We used to use certutil -O to determine the cert chain to trust. This behavior changed in F-11 such that untrusted CAs are not displayed. This is only used when we import PKCS#12 files so use pk12util -l to display the list of certs and keys in the file to determine the nickname(s) of the CAs to trust. 509111
2009-07-24 08:29:33 -05:00
def trust_root_cert(self, root_nickname):
No need to trust NSS built-in CA's, more specific regex for finding CA nickname - Add some logging so we have a better idea of what happened if things fail - Default to self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CA's in -O output. - Remove unused httplib import Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 11:16:56 -05:00
if root_nickname is None:
logging.debug("Unable to identify root certificate to trust. Continueing but things are likely to fail.")
return
if root_nickname[:7] == "Builtin":
logging.debug("No need to add trust for built-in root CA's, skipping %s" % root_nickname)
else:
self.run_certutil(["-M", "-n", root_nickname,
"-t", "CT,CT,"])
User provided certs.
0000-12-31 18:09:24 -05:50
def find_server_certs(self):
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-L"], stdout=subprocess.PIPE)
certs = p.stdout.read()
certs = certs.split("\n")
server_certs = []
for cert in certs:
fields = cert.split()
if not len(fields):
continue
flags = fields[-1]
if 'u' in flags:
name = " ".join(fields[0:-1])
NSS 3.12 added a header to the certutil output we need to skip 456694
2008-07-25 16:06:51 -05:00
# NSS 3.12 added a header to the certutil output
if name == "Certificate Nickname Trust":
continue
User provided certs.
0000-12-31 18:09:24 -05:50
server_certs.append((name, flags))
return server_certs
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
def import_pkcs12(self, pkcs12_fname, passwd_fname=None):
args = ["/usr/bin/pk12util", "-d", self.secdir,
"-i", pkcs12_fname,
"-k", self.passwd_fname]
if passwd_fname:
args = args + ["-w", passwd_fname]
User provided certs.
0000-12-31 18:09:24 -05:50
try:
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
ipautil.run(args)
User provided certs.
0000-12-31 18:09:24 -05:50
except ipautil.CalledProcessError, e:
if e.returncode == 17:
raise RuntimeError("incorrect password")
else:
raise RuntimeError("unknown error import pkcs#12 file")
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname="CA certificate"):
ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
"-o", pkcs12_fname,
"-n", nickname,
"-k", self.passwd_fname,
"-w", pkcs12_pwd_fname])
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def create_self_signed(self, passwd=None):
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.create_noise_file()
self.create_passwd_file(passwd)
self.create_certdbs()
self.create_ca_cert()
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
self.export_ca_cert(self.cacert_name, True)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.create_pin_file()
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def create_from_cacert(self, cacert_fname, passwd=""):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if ipautil.file_exists(self.certdb_fname):
# We already have a cert db, see if it is for the same CA.
# If it is we leave things as they are.
f = open(cacert_fname, "r")
newca = f.readlines()
f.close()
newca = "".join(newca)
newca = self.find_cert_from_txt(newca)
cacert = self.get_cert_from_db(self.cacert_name)
if cacert != '':
cacert = self.find_cert_from_txt(cacert)
if newca == cacert:
return
# The CA certificates are different or something went wrong. Start with
# a new certificate database.
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.create_passwd_file(passwd)
self.create_certdbs()
self.load_cacert(cacert_fname)
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def create_from_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, passwd=None):
"""Create a new NSS database using the certificates in a PKCS#12 file.
pkcs12_fname: the filename of the PKCS#12 file
pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file
nickname: the nickname/friendly-name of the cert we are loading
passwd: The password to use for the new NSS database we are creating
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
The global CA may be added as well in case it wasn't included in the
PKCS#12 file. Extra certs won't hurt in any case.
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
"""
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
self.create_noise_file()
self.create_passwd_file(passwd)
self.create_certdbs()
self.import_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
server_certs = self.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname)
# We only handle one server cert
nickname = server_certs[0][0]
Identify CAs to trust from an imported PKCS#12 file We used to use certutil -O to determine the cert chain to trust. This behavior changed in F-11 such that untrusted CAs are not displayed. This is only used when we import PKCS#12 files so use pk12util -l to display the list of certs and keys in the file to determine the nickname(s) of the CAs to trust. 509111
2009-07-24 08:29:33 -05:00
ca_names = self.find_root_cert_from_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
if len(ca_names) == 0:
raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
self.cacert_name = ca_names[0]
for nickname in ca_names:
self.trust_root_cert(nickname)
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
self.create_pin_file()
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
self.export_ca_cert(self.cacert_name, False)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.self_signed_ca=False
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
# This file implies that we have our own self-signed CA. Ensure
# that it no longer exists (from previous installs, for example).
try:
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
os.remove(CA_SERIALNO)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
except:
pass
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
def backup_files(self):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file(self.noise_fname)
self.fstore.backup_file(self.passwd_fname)
self.fstore.backup_file(self.certdb_fname)
self.fstore.backup_file(self.keydb_fname)
self.fstore.backup_file(self.secmod_fname)
self.fstore.backup_file(self.cacert_fname)
self.fstore.backup_file(self.pk12_fname)
self.fstore.backup_file(self.pin_fname)
self.fstore.backup_file(self.certreq_fname)
self.fstore.backup_file(self.certder_fname)
Reference in New Issue Copy Permalink