Use new certmonger locking to prevent NSS database corruption.

dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
2025-02-25 18:55:28 -06:00 · 2014-12-02 13:18:36 -05:00
parent b382a77fc3
commit 045b6e6ed9
9 changed files with 274 additions and 100 deletions
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -261,7 +261,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
            # Fall back to trying to stop tracking using nickname
            pass

-    args = ['/usr/bin/ipa-getcert',
+    args = ['/usr/bin/getcert',
            'stop-tracking',
    ]
    if request_id:
@@ -368,7 +368,8 @@ def get_pin(token, dogtag_constants=None):
                return pin.strip()
    return None

-def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
+def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
+                          post_command):
    """
    Tell certmonger to start tracking a dogtag CA certificate. These
    are handled differently because their renewal must be done directly
@@ -377,7 +378,10 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
    This uses the generic certmonger command getcert so we can specify
    a different helper.

-    command is the script to execute.
+    pre_command is the script to execute before a renewal is done.
+    post_command is the script to execute after a renewal is done.
+
+    Both commands can be None.

    Returns the stdout, stderr and returncode from running ipa-getcert

@@ -386,20 +390,32 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
    if not cert_exists(nickname, os.path.abspath(secdir)):
        raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))

-    if command is not None and not os.path.isabs(command):
-        if sys.maxsize > 2**32:
-            libpath = 'lib64'
-        else:
-            libpath = 'lib'
-        command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
-
    args = ["/usr/bin/getcert", "start-tracking",
            "-d", os.path.abspath(secdir),
            "-n", nickname,
            "-c", ca,
-            "-C", command,
           ]

+    if pre_command is not None:
+        if not os.path.isabs(pre_command):
+            if sys.maxsize > 2**32:
+                libpath = 'lib64'
+            else:
+                libpath = 'lib'
+            pre_command = '/usr/%s/ipa/certmonger/%s' % (libpath, pre_command)
+        args.append("-B")
+        args.append(pre_command)
+
+    if post_command is not None:
+        if not os.path.isabs(post_command):
+            if sys.maxsize > 2**32:
+                libpath = 'lib64'
+            else:
+                libpath = 'lib'
+            post_command = '/usr/%s/ipa/certmonger/%s' % (libpath, post_command)
+        args.append("-C")
+        args.append(post_command)
+
    if pinfile:
        args.append("-p")
        args.append(pinfile)