certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

install/restart_scripts/restart_httpd

@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
     nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
     # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(nickname, "P,,")
+    db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 

install/tools/ipa-replica-conncheck

@@ -549,7 +549,9 @@ def main():
                             data = ca_cert.public_bytes(
                                 serialization.Encoding.DER)
                             nss_db.add_cert(
-                                data, str(DN(ca_cert.subject)), 'C,,')
+                                data,
+                                str(DN(ca_cert.subject)),
+                                certdb.EXTERNAL_CA_TRUST_FLAGS)
 
                     api.bootstrap(context='client',
                                   confdir=paths.ETC_IPA,

ipaclient/install/client.py

@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
     if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
         create_ipa_nssdb()
 
-    for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+    for nickname, trust_flags in (
-                                  ('External CA cert', 'C,,')):
+            ('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+            ('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
         try:
             cert = sys_db.get_cert(nickname)
         except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
             tmp_db.create_db()
 
             for i, cert in enumerate(ca_certs):
-                tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+                tmp_db.add_cert(cert,
+                                'CA certificate %d' % (i + 1),
+                                certdb.EXTERNAL_CA_TRUST_FLAGS)
         except CalledProcessError:
             raise ScriptError(
                 "Failed to add CA to temporary NSS database.",

ipapython/certdb.py

@@ -54,6 +54,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
 BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
     return format % realm
@@ -438,7 +443,7 @@ class NSSDatabase(object):
             cert = x509.load_certificate(cert_pem)
             nickname = str(DN(cert.subject))
             data = cert.public_bytes(serialization.Encoding.DER)
-            self.add_cert(data, nickname, ',,')
+            self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
         if extracted_key:
             in_file = ipautil.write_tmp_file(
@@ -470,7 +475,7 @@ class NSSDatabase(object):
                 root_nickname)
         else:
             if trust_flags is None:
-                trust_flags = 'C,,'
+                trust_flags = EXTERNAL_CA_TRUST_FLAGS
             try:
                 self.run_certutil(["-M", "-n", root_nickname,
                                    "-t", trust_flags])

ipaserver/install/ca.py

@@ -320,7 +320,7 @@ def install_step_1(standalone, replica_config, options):
             realm_name, nssdir=dirname, subject_base=subject_base)
         cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca', pem=False)
         nickname = certdb.get_ca_nickname(realm_name)
-        trust_flags = 'CT,C,C'
+        trust_flags = certdb.IPA_CA_TRUST_FLAGS
         dsdb.add_cert(cacert, nickname, trust_flags)
         certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
                                   cacert, nickname, trust_flags,

ipaserver/install/certs.py

@@ -37,6 +37,7 @@ from ipalib.install import certmonger, sysrestore
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dogtag
 from ipapython import ipautil
+from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS
 from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase
 from ipapython.dn import DN
 from ipalib import pkcs10, x509, api
@@ -597,7 +598,7 @@ class CertDB(object):
         # a new certificate database.
         self.create_passwd_file()
         self.create_certdbs()
-        self.load_cacert(cacert_fname, 'CT,C,C')
+        self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
 
     def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
                            ca_file=None, trust_flags=None):
@@ -643,7 +644,7 @@ class CertDB(object):
                     cert, st = find_cert_from_txt(certs, st)
                 except RuntimeError:
                     break
-                self.add_cert(cert, 'CA %s' % num, ',,', pem=True)
+                self.add_cert(cert, 'CA %s' % num, EMPTY_TRUST_FLAGS, pem=True)
                 num += 1
 
         # We only handle one server cert

ipaserver/install/dsinstance.py

@@ -32,6 +32,7 @@ import fnmatch
 import ldap
 
 from ipalib.install import certmonger, certstore
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil, ipaldap
 from ipapython import dogtag
@@ -766,7 +767,7 @@ class DsInstance(service.Service):
         )
         if self.pkcs12_info:
             if self.ca_is_configured:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@@ -1065,7 +1066,7 @@ class DsInstance(service.Service):
         certdb.cacert_name = cacert_name
         status = True
         try:
-            certdb.load_cacert(cacert_fname, 'C,,')
+            certdb.load_cacert(cacert_fname, EXTERNAL_CA_TRUST_FLAGS)
         except ipautil.CalledProcessError as e:
             root_logger.critical("Error importing CA cert file named [%s]: %s" %
                                          (cacert_fname, str(e)))

ipaserver/install/httpinstance.py

@@ -32,6 +32,7 @@ import six
 from augeas import Augeas
 
 from ipalib.install import certmonger
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
@@ -381,7 +382,7 @@ class HTTPInstance(service.Service):
 
         if self.pkcs12_info:
             if self.ca_is_configured:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@@ -403,7 +404,7 @@ class HTTPInstance(service.Service):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
 
-            db.trust_root_cert(nickname, "P,,")
+            db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
         else:
             if not self.promote:

ipaserver/install/ipa_cacert_manage.py

@@ -26,6 +26,7 @@ import gssapi
 
 from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
+from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipalib import api, errors, x509
@@ -242,10 +243,10 @@ class CACertManage(admintool.AdminTool):
 
         with certs.NSSDatabase() as tmpdb:
             tmpdb.create_db()
-            tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')
+            tmpdb.add_cert(old_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
 
             try:
-                tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
+                tmpdb.add_cert(new_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
             except ipautil.CalledProcessError as e:
                 raise admintool.ScriptError(
                     "Not compatible with the current CA certificate: %s" % e)
@@ -253,7 +254,8 @@ class CACertManage(admintool.AdminTool):
             ca_certs = x509.load_certificate_list_from_file(ca_file.name)
             for ca_cert in ca_certs:
                 data = ca_cert.public_bytes(serialization.Encoding.DER)
-                tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')
+                tmpdb.add_cert(
+                    data, str(DN(ca_cert.subject)), EXTERNAL_CA_TRUST_FLAGS)
 
             try:
                 tmpdb.verify_ca_cert_validity('IPA CA')
@@ -270,7 +272,11 @@ class CACertManage(admintool.AdminTool):
                 except RuntimeError:
                     break
                 certstore.put_ca_cert_nss(
-                    conn, api.env.basedn, ca_cert, nickname, ',,')
+                    conn,
+                    api.env.basedn,
+                    ca_cert,
+                    nickname,
+                    EMPTY_TRUST_FLAGS)
 
         dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                 ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
@@ -343,7 +349,7 @@ class CACertManage(admintool.AdminTool):
 
         with certs.NSSDatabase() as tmpdb:
             tmpdb.create_db()
-            tmpdb.add_cert(cert, nickname, 'C,,')
+            tmpdb.add_cert(cert, nickname, EXTERNAL_CA_TRUST_FLAGS)
             for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
                 tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
 

ipaserver/install/plugins/upload_cacrt.py

@@ -55,7 +55,7 @@ class update_upload_cacrt(Updater):
             if 'u' in trust_flags:
                 continue
             if nickname == ca_nickname and ca_enabled:
-                trust_flags = 'CT,C,C'
+                trust_flags = certdb.IPA_CA_TRUST_FLAGS
             cert = db.get_cert_from_db(nickname, pem=False)
             trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
 

ipaserver/install/server/replicainstall.py

@@ -23,6 +23,7 @@ import ipaclient.install.ntpconf
 from ipalib.install import certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipaldap, ipautil
+from ipapython.certdb import IPA_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
@@ -737,7 +738,7 @@ def install_check(installer):
                                   nssdir=tmp_db_dir,
                                   subject_base=config.subject_base)
             if ca_enabled:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],

ipaserver/install/server/upgrade.py

@@ -1389,7 +1389,7 @@ def fix_trust_flags():
     nickname = certdb.get_ca_nickname(api.env.realm)
     cert = db.get_cert_from_db(nickname)
     if cert:
-        db.trust_root_cert(nickname, 'CT,C,C')
+        db.trust_root_cert(nickname, certdb.IPA_CA_TRUST_FLAGS)
 
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
@@ -1407,7 +1407,7 @@ def fix_server_cert_trust_flags():
     sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
                                              "NSSNickname")
     # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(sc_nickname, "P,,")
+    db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
 
     sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)