Use PyCA crypto provider for KRAClient

The Dogtag KRA backend now uses CryptographyCryptoProvider instead of
NSSCryptoProvider for KRAClient connections. The
CryptographyCryptoProvider uses PyCA cryptography to provide wrapping
and unwrapping. The change will allow Dogtag to remove the
NSSCryptoProvider and drop python-nss as a dependency.

The code in ipaserver.plugins.dogtag creates a Certificate object to
work around a bug in Dogtag. Dogtag supports paths but passes the wrong
type to PyCA cryptography.

Fixes: https://pagure.io/freeipa/issue/8814
See: https://github.com/dogtagpki/pki/issues/3499
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Christian Heimes 2021-04-22 15:38:37 +02:00 committed by Florence Blanc-Renaud
parent 1cc2671182
commit 1d80048e05


@ -253,7 +253,7 @@ import six
from ipalib import Backend, api, x509
from ipapython.dn import DN
import ipapython.cookie
from ipapython import dogtag, ipautil, certdb
from ipapython import dogtag, ipautil
from ipaserver.masters import find_providing_server
import pki
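Review bot: dropping `certdb` from the `from ipapython import ...` line is consistent with the removal of `certdb.NSSDatabase()` further down, but please confirm there is no other reference to `certdb` left in this module, since the only use visible in this patch is the one being deleted; `x509` is already imported from `ipalib` on the line above, so `x509.load_certificate_from_file` needs no new import.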
@ -1961,11 +1961,10 @@ class kra(Backend):
# TODO: replace this with a more specific exception
raise RuntimeError('KRA service is not enabled')
tempdb = certdb.NSSDatabase()
tempdb.create_db()
crypto = cryptoutil.NSSCryptoProvider(
tempdb.secdir,
password_file=tempdb.pwd_file)
crypto = cryptoutil.CryptographyCryptoProvider(
transport_cert_nick="ra_agent",
transport_cert=x509.load_certificate_from_file(paths.RA_AGENT_PEM)
)
# TODO: obtain KRA host & port from IPA service list or point to KRA load balancer
# https://fedorahosted.org/freeipa/ticket/4557
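Review bot: the reason for passing a loaded certificate object instead of a path to `CryptographyCryptoProvider` is only explained in the commit message; add a short code comment next to `transport_cert=x509.load_certificate_from_file(paths.RA_AGENT_PEM)` pointing at https://github.com/dogtagpki/pki/issues/3499 so the workaround is not "simplified" back to a path later. Also note the changed failure mode: the RA agent PEM is now read when the provider is constructed, so a missing or unreadable `paths.RA_AGENT_PEM` raises here, before the KRA connection is set up, rather than at first wrap/unwrap.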
@ -1980,10 +1979,7 @@ class kra(Backend):
connection.set_authentication_cert(paths.RA_AGENT_PEM,
paths.RA_AGENT_KEY)
try:
yield KRAClient(connection, crypto)
finally:
tempdb.close()
yield KRAClient(connection, crypto)
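Review bot: removing the `try`/`finally` is correct, since `tempdb.close()` was its only purpose and no temporary NSS database is created any more. One observation worth a comment: `paths.RA_AGENT_PEM` is now consumed twice on this code path, once by `set_authentication_cert(paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)` for TLS client authentication and once via `load_certificate_from_file` as the transport certificate for the crypto provider; functionally fine, but a one-line note that both intentionally refer to the same RA agent certificate would make that clear to readers.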
@register()