Enable NSS PKIX certificate path discovery and validation for Dogtag.

Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-01-11 00:31:56 -06:00 · 2014-07-17 11:47:26 +02:00 · 2014-07-17 11:47:26 +02:00 · 044c5c833a
commit 044c5c833a
parent 03b29b4c8e
4 changed files with 27 additions and 0 deletions
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -833,6 +833,23 @@ def migrate_crl_publish_dir(ca):
                     'request pki-ca restart')
    return True

+
+def ca_enable_pkix(ca):
+    root_logger.info('[Enable PKIX certificate path discovery and validation]')
+    if sysupgrade.get_upgrade_state('dogtag', 'pkix_enabled'):
+        root_logger.info('PKIX already enabled')
+        return False
+
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    ca.enable_pkix()
+    sysupgrade.set_upgrade_state('dogtag', 'pkix_enabled', True)
+
+    return True
+
+
 def add_ca_dns_records():
    root_logger.info('[Add missing CA DNS records]')

@ -1227,6 +1244,7 @@ def main():
        ca_restart,
        upgrade_ipa_profile(ca, api.env.domain, fqdn),
        certificate_renewal_update(ca),
+        ca_enable_pkix(ca),
    ])

    if ca_restart:
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -99,6 +99,7 @@ class BasePathNamespace(object):
    SSSD_CONF = "/etc/sssd/sssd.conf"
    SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
    SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
+    ETC_SYSCONFIG_DIR = "/etc/sysconfig"
    ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
    SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs"
    SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@ -62,6 +62,7 @@ class Dogtag10Constants(object):
    PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
    SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
    ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/')
+    SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)

    SERVICE_NAME = 'pki_tomcatd'

@ -94,6 +95,7 @@ class Dogtag9Constants(object):
    PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
    SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
    ALIAS_DIR = '%s/alias' % PKI_ROOT
+    SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)

    SERVICE_NAME = 'pki-cad'

--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -457,6 +457,7 @@ class CAInstance(service.Service):
        self.step("stopping certificate server instance to update CS.cfg", self.__stop)
        self.step("disabling nonces", self.__disable_nonce)
        self.step("set up CRL publishing", self.__enable_crl_publish)
+        self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
        self.step("starting certificate server instance", self.__start)
        # Step 1 of external is getting a CSR so we don't need to do these
        # steps until we get a cert back from the external CA.
@ -807,6 +808,11 @@ class CAInstance(service.Service):
        os.chown(self.dogtag_constants.CS_CFG_PATH,
                 pent.pw_uid, pent.pw_gid)

+    def enable_pkix(self):
+        installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
+                                   'NSS_ENABLE_PKIX_VERIFY', '1',
+                                   quotes=False, separator='=')
+
    def __issue_ra_cert(self):
        # The CA certificate is in the agent DB but isn't trusted
        (admin_fd, admin_name) = tempfile.mkstemp()