certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust flag strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta 2017-04-27 09:33:25 +02:00 committed by Martin Basti
parent a0566ed9ce
commit 235265a5f5
12 changed files with 44 additions and 23 deletions


@ -24,6 +24,7 @@ import traceback
from ipalib import api
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
from ipaserver.install import certs, installutils
@ -36,7 +37,7 @@ def _main():
nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
# Add trust flag which set certificate trusted for SSL connections.
db.trust_root_cert(nickname, "P,,")
db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')


@ -549,7 +549,9 @@ def main():
data = ca_cert.public_bytes(
serialization.Encoding.DER)
nss_db.add_cert(
data, str(DN(ca_cert.subject)), 'C,,')
data,
str(DN(ca_cert.subject)),
certdb.EXTERNAL_CA_TRUST_FLAGS)
api.bootstrap(context='client',
confdir=paths.ETC_IPA,


@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
create_ipa_nssdb()
for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
('External CA cert', 'C,,')):
for nickname, trust_flags in (
('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
try:
cert = sys_db.get_cert(nickname)
except RuntimeError:
@ -2680,7 +2681,9 @@ def _install(options):
tmp_db.create_db()
for i, cert in enumerate(ca_certs):
tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
tmp_db.add_cert(cert,
'CA certificate %d' % (i + 1),
certdb.EXTERNAL_CA_TRUST_FLAGS)
except CalledProcessError:
raise ScriptError(
"Failed to add CA to temporary NSS database.",


@ -54,6 +54,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
EMPTY_TRUST_FLAGS = ',,'
IPA_CA_TRUST_FLAGS = 'CT,C,C'
EXTERNAL_CA_TRUST_FLAGS = 'C,,'
TRUSTED_PEER_TRUST_FLAGS = 'P,,'
def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
return format % realm
@ -438,7 +443,7 @@ class NSSDatabase(object):
cert = x509.load_certificate(cert_pem)
nickname = str(DN(cert.subject))
data = cert.public_bytes(serialization.Encoding.DER)
self.add_cert(data, nickname, ',,')
self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
if extracted_key:
in_file = ipautil.write_tmp_file(
@ -470,7 +475,7 @@ class NSSDatabase(object):
root_nickname)
else:
if trust_flags is None:
trust_flags = 'C,,'
trust_flags = EXTERNAL_CA_TRUST_FLAGS
try:
self.run_certutil(["-M", "-n", root_nickname,
"-t", trust_flags])
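Review bot: The four constants added below BAD_USAGE_ERR are bare strings and nothing nearby says what the comma-separated fields or the letters mean, so a reader has to know certutil's -t syntax to see why IPA_CA_TRUST_FLAGS carries a T and TRUSTED_PEER_TRUST_FLAGS does not. A two-line header comment above EMPTY_TRUST_FLAGS would carry that: `# certutil -t trust strings; fields are SSL,email,object signing.` / `# C = trusted CA to issue server certs, T = trusted CA to issue client certs, P = trusted peer.` Those names are the only documentation callers in the other sections get when they pass them to add_cert, so the comment pays off beyond this module. The `trust_flags is None` fallback in the third hunk now spells the default out as EXTERNAL_CA_TRUST_FLAGS; the enclosing method starts and ends outside the hunk.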


@ -320,7 +320,7 @@ def install_step_1(standalone, replica_config, options):
realm_name, nssdir=dirname, subject_base=subject_base)
cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca', pem=False)
nickname = certdb.get_ca_nickname(realm_name)
trust_flags = 'CT,C,C'
trust_flags = certdb.IPA_CA_TRUST_FLAGS
dsdb.add_cert(cacert, nickname, trust_flags)
certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
cacert, nickname, trust_flags,


@ -37,6 +37,7 @@ from ipalib.install import certmonger, sysrestore
from ipapython.ipa_log_manager import root_logger
from ipapython import dogtag
from ipapython import ipautil
from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS
from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase
from ipapython.dn import DN
from ipalib import pkcs10, x509, api
@ -597,7 +598,7 @@ class CertDB(object):
# a new certificate database.
self.create_passwd_file()
self.create_certdbs()
self.load_cacert(cacert_fname, 'CT,C,C')
self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
ca_file=None, trust_flags=None):
@ -643,7 +644,7 @@ class CertDB(object):
cert, st = find_cert_from_txt(certs, st)
except RuntimeError:
break
self.add_cert(cert, 'CA %s' % num, ',,', pem=True)
self.add_cert(cert, 'CA %s' % num, EMPTY_TRUST_FLAGS, pem=True)
num += 1
# We only handle one server cert
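Review bot: The new import in the first hunk sits directly above an existing `from ipapython.certdb import ...` line, so this module now imports from ipapython.certdb in two separate statements. Merging them keeps one statement per module and makes the next addition obvious: `from ipapython.certdb import (EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS, NSSDatabase,` / `find_cert_from_txt, get_ca_nickname)`. The other sections each add a single certdb import line, so this is the only place where the split appears on the page.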


@ -32,6 +32,7 @@ import fnmatch
import ldap
from ipalib.install import certmonger, certstore
from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
from ipapython.ipa_log_manager import root_logger
from ipapython import ipautil, ipaldap
from ipapython import dogtag
@ -766,7 +767,7 @@ class DsInstance(service.Service):
)
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = 'CT,C,C'
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = None
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@ -1065,7 +1066,7 @@ class DsInstance(service.Service):
certdb.cacert_name = cacert_name
status = True
try:
certdb.load_cacert(cacert_fname, 'C,,')
certdb.load_cacert(cacert_fname, EXTERNAL_CA_TRUST_FLAGS)
except ipautil.CalledProcessError as e:
root_logger.critical("Error importing CA cert file named [%s]: %s" %
(cacert_fname, str(e)))


@ -32,6 +32,7 @@ import six
from augeas import Augeas
from ipalib.install import certmonger
from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
from ipaserver.install import service
from ipaserver.install import certs
from ipaserver.install import installutils
@ -381,7 +382,7 @@ class HTTPInstance(service.Service):
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = 'CT,C,C'
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = None
db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@ -403,7 +404,7 @@ class HTTPInstance(service.Service):
self.__set_mod_nss_nickname(nickname)
self.add_cert_to_service()
db.trust_root_cert(nickname, "P,,")
db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
else:
if not self.promote:


@ -26,6 +26,7 @@ import gssapi
from ipalib.install import certmonger, certstore
from ipapython import admintool, ipautil
from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
from ipapython.dn import DN
from ipaplatform.paths import paths
from ipalib import api, errors, x509
@ -242,10 +243,10 @@ class CACertManage(admintool.AdminTool):
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')
tmpdb.add_cert(old_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
try:
tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
tmpdb.add_cert(new_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
except ipautil.CalledProcessError as e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
@ -253,7 +254,8 @@ class CACertManage(admintool.AdminTool):
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
data = ca_cert.public_bytes(serialization.Encoding.DER)
tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')
tmpdb.add_cert(
data, str(DN(ca_cert.subject)), EXTERNAL_CA_TRUST_FLAGS)
try:
tmpdb.verify_ca_cert_validity('IPA CA')
@ -270,7 +272,11 @@ class CACertManage(admintool.AdminTool):
except RuntimeError:
break
certstore.put_ca_cert_nss(
conn, api.env.basedn, ca_cert, nickname, ',,')
conn,
api.env.basedn,
ca_cert,
nickname,
EMPTY_TRUST_FLAGS)
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
@ -343,7 +349,7 @@ class CACertManage(admintool.AdminTool):
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
tmpdb.add_cert(cert, nickname, 'C,,')
tmpdb.add_cert(cert, nickname, EXTERNAL_CA_TRUST_FLAGS)
for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
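Review bot: In the first hunk of this section both the old and the new IPA CA certificate are added to the scratch database as 'IPA CA' with EXTERNAL_CA_TRUST_FLAGS, so the constant's name now describes a role (external CA) that does not match the certificate it is applied to, and a later reader may be tempted to "correct" it to IPA_CA_TRUST_FLAGS. What the code presumably needs here is plain CA trust for SSL so the compatibility check and the verify_ca_cert_validity call in the second hunk can chain; a one-line comment at the first add_cert would pin that down: `# scratch DB: SSL CA trust is all the compatibility/validity checks need`. The same naming mismatch applies to the add_cert in the last hunk, where the cert being renewed is added under its own nickname with EXTERNAL_CA_TRUST_FLAGS. The enclosing methods start and end outside these hunks.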


@ -55,7 +55,7 @@ class update_upload_cacrt(Updater):
if 'u' in trust_flags:
continue
if nickname == ca_nickname and ca_enabled:
trust_flags = 'CT,C,C'
trust_flags = certdb.IPA_CA_TRUST_FLAGS
cert = db.get_cert_from_db(nickname, pem=False)
trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags)


@ -23,6 +23,7 @@ import ipaclient.install.ntpconf
from ipalib.install import certstore, sysrestore
from ipalib.install.kinit import kinit_keytab
from ipapython import ipaldap, ipautil
from ipapython.certdb import IPA_CA_TRUST_FLAGS
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
from ipapython.admintool import ScriptError
@ -737,7 +738,7 @@ def install_check(installer):
nssdir=tmp_db_dir,
subject_base=config.subject_base)
if ca_enabled:
trust_flags = 'CT,C,C'
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = None
tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],


@ -1389,7 +1389,7 @@ def fix_trust_flags():
nickname = certdb.get_ca_nickname(api.env.realm)
cert = db.get_cert_from_db(nickname)
if cert:
db.trust_root_cert(nickname, 'CT,C,C')
db.trust_root_cert(nickname, certdb.IPA_CA_TRUST_FLAGS)
sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
@ -1407,7 +1407,7 @@ def fix_server_cert_trust_flags():
sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
"NSSNickname")
# Add trust flag which set certificate trusted for SSL connections.
db.trust_root_cert(sc_nickname, "P,,")
db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)