IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Move external cert validation from ipa-server-install to installutils.

Browse Source 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-02-27 15:09:10 +01:00 committed by Petr Viktorin
parent 2109d6611b
commit 2c43a3d0d5
2 changed files with 53 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
install/tools/ipa-server-install
View File

@ -70,7 +70,6 @@ from ipapython import ipautil
from ipapython import dogtag from ipapython import dogtag
from ipalib import api, errors, util from ipalib import api, errors, util
from ipapython.config import IPAOptionParser from ipapython.config import IPAOptionParser
from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
from ipalib.util import validate_domain_name from ipalib.util import validate_domain_name
from ipalib.constants import CACERT from ipalib.constants import CACERT
from ipapython.ipa_log_manager import * from ipapython.ipa_log_manager import *
@ -749,47 +748,11 @@ def main():
if options.external_cert_file: if options.external_cert_file:
try: try:
extcert = load_certificate_from_file(options.external_cert_file) validate_external_cert(options.external_cert_file,
except IOError, e: options.external_ca_file, options.subject)
print "Can't load the PEM certificate: %s." % str(e) except ValueError, e:
print e
sys.exit(1) sys.exit(1)
except nss.error.NSPRError:
print "'%s' is not a valid PEM-encoded certificate." % options.external_cert_file
sys.exit(1)
certsubject = DN(str(extcert.subject))
wantsubject = DN(('CN','Certificate Authority'), options.subject)
if certsubject != wantsubject:
print "Subject of the external certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject)
sys.exit(1)
try:
extchain = load_certificate_chain_from_file(options.external_ca_file)
except IOError, e:
print "Can't load the external CA chain: %s." % str(e)
sys.exit(1)
except nss.error.NSPRError:
print "'%s' is not a valid PEM-encoded certificate chain." % options.external_ca_file
sys.exit(1)
certdict = dict((DN(str(cert.subject)), cert) for cert in extchain)
del extchain
certissuer = DN(str(extcert.issuer))
if certissuer not in certdict:
print "The external certificate is not signed by the external CA (unknown issuer %s)." % certissuer
sys.exit(1)
cert = extcert
del extcert
while cert.issuer != cert.subject:
certissuer = DN(str(cert.issuer))
if certissuer not in certdict:
print "The external CA chain is incomplete (%s is missing from the chain)." % certissuer
sys.exit(1)
del cert
cert = certdict[certissuer]
del certdict
del cert
# We only set up the CA if the PKCS#12 options are not given. # We only set up the CA if the PKCS#12 options are not given.
if options.dirsrv_pkcs12: if options.dirsrv_pkcs12:

50
ipaserver/install/installutils.py
View File

@ -33,13 +33,14 @@ from contextlib import contextmanager
from dns import resolver, rdatatype from dns import resolver, rdatatype
from dns.exception import DNSException from dns.exception import DNSException
import ldap import ldap
from nss.error import NSPRError
from ipapython import ipautil, sysrestore, admintool, dogtag from ipapython import ipautil, sysrestore, admintool, dogtag
from ipapython.admintool import ScriptError from ipapython.admintool import ScriptError
from ipapython.ipa_log_manager import * from ipapython.ipa_log_manager import *
from ipalib.util import validate_hostname from ipalib.util import validate_hostname
from ipapython import config from ipapython import config
from ipalib import errors from ipalib import errors, x509
from ipapython.dn import DN from ipapython.dn import DN
from ipaserver.install import certs, service from ipaserver.install import certs, service
from ipaplatform import services from ipaplatform import services
@ -865,3 +866,50 @@ def check_entropy():
except ValueError as e: except ValueError as e:
root_logger.debug("Invalid value in /proc/sys/kernel/random/entropy_avail %s" % \ root_logger.debug("Invalid value in /proc/sys/kernel/random/entropy_avail %s" % \
e) e)
def validate_external_cert(cert_file, ca_file, subject_base):
extcert = None
try:
extcert = x509.load_certificate_from_file(cert_file)
certsubject = DN(str(extcert.subject))
certissuer = DN(str(extcert.issuer))
except IOError, e:
raise ValueError("Can't load the PEM certificate: %s." % e)
except (TypeError, NSPRError):
raise ValueError(
"'%s' is not a valid PEM-encoded certificate." % cert_file)
finally:
del extcert
wantsubject = DN(('CN', 'Certificate Authority'), subject_base)
if certsubject != wantsubject:
raise ValueError(
"Subject of the external certificate is not correct (got %s, "
"expected %s)." % (certsubject, wantsubject))
extchain = None
try:
extchain = x509.load_certificate_chain_from_file(ca_file)
certdict = dict((DN(str(cert.subject)), DN(str(cert.issuer)))
for cert in extchain)
except IOError, e:
raise ValueError("Can't load the external CA chain: %s." % e)
except (TypeError, NSPRError):
raise ValueError(
"'%s' is not a valid PEM-encoded certificate chain." % ca_file)
finally:
del extchain
if certissuer not in certdict:
raise ValueError(
"The external certificate is not signed by the external CA "
"(unknown issuer %s)." % certissuer)
while certsubject != certissuer:
certsubject = certissuer
try:
certissuer = certdict[certsubject]
except KeyError:
raise ValueError(
"The external CA chain is incomplete (%s is missing from the "
"chain)." % certsubject)