IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't initialize NSS if we don't have to, clean up unused cert refs

Browse Source 
Check to see if NSS is initialized before trying to do so again.

If we are temporarily creating a certificate be sure to delete it in order
to remove references to it and avoid NSS shutdown issues.

In the certificate load validator shut down NSS if we end up initializing
it. I'm not entirely sure why but this prevents a later shutdown issue
if we are passed the --ca-cert-file option.
This commit is contained in:
Rob Crittenden 2013-01-16 13:20:14 -05:00
parent a1991aeac1
commit 31e41eea6c
2 changed files with 30 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ipa-client/ipa-install/ipa-client-install
View File

@ -48,6 +48,7 @@ try:
from ipapython.dn import DN from ipapython.dn import DN
from ipapython.ssh import SSHPublicKey from ipapython.ssh import SSHPublicKey
from ipalib.rpc import delete_persistent_client_session_data from ipalib.rpc import delete_persistent_client_session_data
import nss.nss as nss
import SSSDConfig import SSSDConfig
from ConfigParser import RawConfigParser from ConfigParser import RawConfigParser
from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
@ -77,10 +78,15 @@ def parse_options():
if not os.path.isabs(value): if not os.path.isabs(value):
raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value)) raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
initialized = nss.nss_is_initialized()
try: try:
cert = x509.load_certificate_from_file(value) cert = x509.load_certificate_from_file(value)
except Exception, e: except Exception, e:
raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value)) raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
else:
del(cert)
if not initialized:
nss.nss_shutdown()
parser.values.ca_cert_file = value parser.values.ca_cert_file = value
@ -1372,6 +1378,8 @@ def get_ca_cert_from_file(url):
except Exception, e: except Exception, e:
raise errors.FileError(reason = raise errors.FileError(reason =
u"cannot write certificate file '%s': %s" % (CACERT, e)) u"cannot write certificate file '%s': %s" % (CACERT, e))
else:
del(cert)
def get_ca_cert_from_http(url, ca_file, warn=True): def get_ca_cert_from_http(url, ca_file, warn=True):
''' '''
@ -1478,6 +1486,8 @@ def validate_new_ca_cert(existing_ca_cert, ca_file, ask, override=False):
root_logger.debug( root_logger.debug(
"Existing CA cert and Retrieved CA cert are identical") "Existing CA cert and Retrieved CA cert are identical")
os.remove(ca_file) os.remove(ca_file)
del(existing_ca_cert)
del(new_ca_cert)
def get_ca_cert(fstore, options, server, basedn): def get_ca_cert(fstore, options, server, basedn):

33
ipalib/x509.py
View File

@ -91,18 +91,18 @@ def load_certificate(data, datatype=PEM, dbdir=None):
data = strip_header(data) data = strip_header(data)
data = base64.b64decode(data) data = base64.b64decode(data)
if dbdir is None: if not nss.nss_is_initialized():
if 'in_tree' in api.env: if dbdir is None:
if api.env.in_tree: if 'in_tree' in api.env:
dbdir = api.env.dot_ipa + os.sep + 'alias' if api.env.in_tree:
dbdir = api.env.dot_ipa + os.sep + 'alias'
else:
dbdir = "/etc/httpd/alias"
nss.nss_init(dbdir)
else: else:
dbdir = "/etc/httpd/alias" nss.nss_init_nodb()
nss.nss_init(dbdir)
else: else:
nss.nss_init_nodb() nss.nss_init(dbdir)
else:
nss.nss_init(dbdir)
return nss.Certificate(buffer(data)) return nss.Certificate(buffer(data))
@ -139,7 +139,9 @@ def get_subject(certificate, datatype=PEM, dbdir=None):
""" """
nsscert = load_certificate(certificate, datatype, dbdir) nsscert = load_certificate(certificate, datatype, dbdir)
return nsscert.subject subject = nsscert.subject
del(nsscert)
return subject
def get_issuer(certificate, datatype=PEM, dbdir=None): def get_issuer(certificate, datatype=PEM, dbdir=None):
""" """
@ -147,14 +149,18 @@ def get_issuer(certificate, datatype=PEM, dbdir=None):
""" """
nsscert = load_certificate(certificate, datatype, dbdir) nsscert = load_certificate(certificate, datatype, dbdir)
return nsscert.issuer issuer = nsscert.issuer
del(nsscert)
return issuer
def get_serial_number(certificate, datatype=PEM, dbdir=None): def get_serial_number(certificate, datatype=PEM, dbdir=None):
""" """
Return the decimal value of the serial number. Return the decimal value of the serial number.
""" """
nsscert = load_certificate(certificate, datatype, dbdir) nsscert = load_certificate(certificate, datatype, dbdir)
return nsscert.serial_number serial_number = nsscert.serial_number
del(nsscert)
return serial_number
def make_pem(data): def make_pem(data):
""" """
@ -230,6 +236,7 @@ def verify_cert_subject(ldap, hostname, dercert):
nsscert = load_certificate(dercert, datatype=DER) nsscert = load_certificate(dercert, datatype=DER)
subject = str(nsscert.subject) subject = str(nsscert.subject)
issuer = str(nsscert.issuer) issuer = str(nsscert.issuer)
del(nsscert)
# Handle both supported forms of issuer, from selfsign and dogtag. # Handle both supported forms of issuer, from selfsign and dogtag.
if (not valid_issuer(issuer)): if (not valid_issuer(issuer)):