IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add external CA signing and abstract out the RA backend

Browse Source 
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
This commit is contained in:
Rob Crittenden
2009-09-10 16:15:14 -04:00
parent bb09db2228
commit 49b36583a5
14 changed files with 833 additions and 222 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
install/tools/ipa-replica-install
View File

@@ -32,6 +32,7 @@ from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
from ipaserver import ipaldap from ipaserver import ipaldap
from ipapython import version from ipapython import version
from ipalib import api, util from ipalib import api, util
from ipalib.constants import DEFAULT_CONFIG
CACERT="/usr/share/ipa/html/ca.crt" CACERT="/usr/share/ipa/html/ca.crt"
@@ -130,7 +131,17 @@ def set_owner(config, dir):
os.chown(dir, pw.pw_uid, pw.pw_gid) os.chown(dir, pw.pw_uid, pw.pw_gid)
def install_ca(config): def install_ca(config):
# FIXME, need to pass along the CA plugin to use
cafile = config.dir + "/ca.p12" cafile = config.dir + "/ca.p12"
# Just initialize the environment. This is so the installer can have
# access to the plugin environment
api.env._bootstrap()
default_config = dict(DEFAULT_CONFIG)
if ipautil.file_exists(cafile):
default_config['ra_plugin'] = 'dogtag'
api.env._finalize_core(**default_config)
if not ipautil.file_exists(cafile): if not ipautil.file_exists(cafile):
return None return None
@@ -140,6 +151,12 @@ def install_ca(config):
print >> sys.stderr, "Import failed: %s" % sys.exc_value print >> sys.stderr, "Import failed: %s" % sys.exc_value
sys.exit(1) sys.exit(1)
if not cainstance.check_inst():
print "A CA was specified but the dogtag certificate server"
print "is not installed on the system"
print "Please install dogtag and restart the setup program"
sys.exit(1)
cs = cainstance.CADSInstance() cs = cainstance.CADSInstance()
cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password) cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password)
@@ -348,9 +365,10 @@ def main():
fd.write("realm=" + config.realm_name + "\n") fd.write("realm=" + config.realm_name + "\n")
fd.write("domain=" + config.domain_name + "\n") fd.write("domain=" + config.domain_name + "\n")
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name) fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name)) fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
if ipautil.file_exists(config.dir + "/ca.p12"): if ipautil.file_exists(config.dir + "/ca.p12"):
fd.write("enable_ra=True\n") fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.close() fd.close()
# Apply any LDAP updates. Needs to be done after the replica is synced-up # Apply any LDAP updates. Needs to be done after the replica is synced-up

21
install/tools/ipa-replica-prepare
View File

@@ -31,6 +31,8 @@ from ipapython import ipautil
from ipaserver.install import dsinstance, installutils, certs, httpinstance from ipaserver.install import dsinstance, installutils, certs, httpinstance
from ipaserver import ipaldap from ipaserver import ipaldap
from ipapython import version from ipapython import version
from ipalib.constants import DEFAULT_CONFIG
from ipalib import api
import ldap import ldap
def parse_options(): def parse_options():
@@ -113,12 +115,13 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname):
db = certs.CertDB(dir) db = certs.CertDB(dir)
db.create_passwd_file() db.create_passwd_file()
db.create_certdbs() # if self_signed:
if self_signed: # ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) # db.create_from_cacert(ca_db.cacert_fname)
db.create_from_cacert(ca_db.cacert_fname) # else:
else: # ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
db.create_from_cacert(ca_db.cacert_fname)
db.create_server_cert("Server-Cert", hostname, ca_db) db.create_server_cert("Server-Cert", hostname, ca_db)
except Exception, e: except Exception, e:
raise e raise e
@@ -211,8 +214,12 @@ def main():
replica_fqdn = args[0] replica_fqdn = args[0]
# FIXME: need more robust way to determine if dogtag is configured # Just initialize the environment. This is so the installer can have
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca") and not options.dirsrv_pin: # access to the plugin environment
api.env._bootstrap()
api.env._finalize_core(**dict(DEFAULT_CONFIG))
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
print "Determining current realm name" print "Determining current realm name"

76
install/tools/ipa-server-install
View File

@@ -52,6 +52,7 @@ from ipaserver.install.installutils import *
from ipapython import sysrestore from ipapython import sysrestore
from ipapython.ipautil import * from ipapython.ipautil import *
from ipalib import api, util from ipalib import api, util
from ipalib.constants import DEFAULT_CONFIG
pw_name = None pw_name = None
@@ -77,6 +78,12 @@ def parse_options():
default=False, help="print debugging information") default=False, help="print debugging information")
parser.add_option("", "--ca", dest="ca", action="store_true", parser.add_option("", "--ca", dest="ca", action="store_true",
default=False, help="Configure a CA instance") default=False, help="Configure a CA instance")
parser.add_option("", "--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
parser.add_option("", "--external_cert_file", dest="external_cert_file",
help="File containing PKCS#10 certificate")
parser.add_option("", "--external_ca_file", dest="external_ca_file",
help="File containing PKCS#10 of the external CA chain")
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address") parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address")
parser.add_option("--setup-dns", dest="setup_dns", action="store_true", parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
@@ -138,6 +145,17 @@ def parse_options():
if cnt > 0 and cnt < 4: if cnt > 0 and cnt < 4:
parser.error("error: All PKCS#12 options are required if any are used.") parser.error("error: All PKCS#12 options are required if any are used.")
if (options.external_cert_file or options.external_ca_file) and not options.ca:
parser.error("error: --ca required to use the external CA options.")
if ((options.external_cert_file and not options.external_ca_file) or
(not options.external_cert_file and options.external_ca_file)):
parser.error("error: if either external option is used, both are required.")
if options.external_ca and not options.ca:
# Go ahead and be nice and fix things up
options.ca = True
return options return options
def signal_handler(signum, frame): def signal_handler(signum, frame):
@@ -384,6 +402,14 @@ def main():
signal.signal(signal.SIGTERM, signal_handler) signal.signal(signal.SIGTERM, signal_handler)
signal.signal(signal.SIGINT, signal_handler) signal.signal(signal.SIGINT, signal_handler)
# Just initialize the environment. This is so the installer can have
# access to the plugin environment
api.env._bootstrap()
default_config = dict(DEFAULT_CONFIG)
if options.ca:
default_config['ra_plugin'] = 'dogtag'
api.env._finalize_core(**default_config)
if options.uninstall: if options.uninstall:
standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug) standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug)
else: else:
@@ -423,6 +449,7 @@ def main():
print "To accept the default shown in brackets, press the Enter key." print "To accept the default shown in brackets, press the Enter key."
print "" print ""
if not options.external_ca:
check_dirsrv(options.unattended) check_dirsrv(options.unattended)
ds_user = "" ds_user = ""
@@ -442,6 +469,18 @@ def main():
print "Please install bind and the LDAP plug-in and restart the setup program" print "Please install bind and the LDAP plug-in and restart the setup program"
return 1 return 1
if options.ca:
try:
from ipaserver.install import cainstance
except ImportError:
print >> sys.stderr, "Import failed: %s" % sys.exc_value
sys.exit(1)
if not cainstance.check_inst():
print "--ca was specified but the dogtag certificate server"
print "is not installed on the system"
print "Please install dogtag and restart the setup program"
return 1
# check the hostname is correctly configured, it must be as the kldap # check the hostname is correctly configured, it must be as the kldap
# utilities just use the hostname as returned by gethostbyname to set # utilities just use the hostname as returned by gethostbyname to set
# up some of the standard entries # up some of the standard entries
@@ -551,11 +590,7 @@ def main():
print "" print ""
print "The following operations may take some minutes to complete." print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned." print "Please wait until the prompt is returned."
print ""
# Configure ntpd
if options.conf_ntp:
ntp = ntpinstance.NTPInstance(fstore)
ntp.create_instance()
if options.dirsrv_pin: if options.dirsrv_pin:
[pw_fd, pw_name] = tempfile.mkstemp() [pw_fd, pw_name] = tempfile.mkstemp()
@@ -575,10 +610,38 @@ def main():
except: except:
pass pass
# Figure out what state we're in. See cainstance.py for more info on
# the 3 states.
external = 0
if options.external_ca:
external = 1
if external and ipautil.file_exists("/root/ipa.csr"):
external = 2
if options.external_cert_file is None or options.external_ca_file is None:
print "You have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file"
sys.exit(1);
if external and options.external_cert_file and not ipautil.file_exists(options.external_cert_file):
print "%s does not exist" % options.external_cert_file
sys.exit(1);
if external and options.external_ca_file and not ipautil.file_exists(options.external_ca_file):
print "%s does not exist" % options.external_ca_file
sys.exit(1);
if options.external_cert_file is None:
cs = cainstance.CADSInstance() cs = cainstance.CADSInstance()
cs.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) cs.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
ca = cainstance.CAInstance() ca = cainstance.CAInstance()
if external == 0:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password) ca.configure_instance("pkiuser", host_name, dm_password, dm_password)
elif external == 1:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, csr_file="/root/ipa.csr")
else:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file)
# Configure ntpd
if options.conf_ntp:
ntp = ntpinstance.NTPInstance(fstore)
ntp.create_instance()
# Create a directory server instance # Create a directory server instance
ds = dsinstance.DsInstance() ds = dsinstance.DsInstance()
@@ -628,8 +691,9 @@ def main():
fd.write("domain=" + domain_name + "\n") fd.write("domain=" + domain_name + "\n")
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name) fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name)) fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
if options.ca:
fd.write("enable_ra=True\n") fd.write("enable_ra=True\n")
if options.ca:
fd.write("ra_plugin=dogtag\n")
fd.close() fd.close()
# Apply any LDAP updates. Needs to be done after the configuration file # Apply any LDAP updates. Needs to be done after the configuration file

4
ipalib/constants.py
View File

@@ -112,7 +112,8 @@ DEFAULT_CONFIG = (
# CA plugin: # CA plugin:
('ca_host', object), # Set in Env._finalize_core() ('ca_host', object), # Set in Env._finalize_core()
('ca_port', 9180), ('ca_port', 9180),
('ca_ssl_port', 9443), ('ca_agent_port', 9443),
('ca_ee_port', 9444),
# Special CLI: # Special CLI:
('prompt_all', False), ('prompt_all', False),
@@ -120,6 +121,7 @@ DEFAULT_CONFIG = (
# Enable certain optional plugins: # Enable certain optional plugins:
('enable_ra', False), ('enable_ra', False),
('ra_plugin', 'selfsign'),
# ******************************************************** # ********************************************************
# The remaining keys are never set from the values here! # The remaining keys are never set from the values here!

53
ipalib/plugins/cert.py
View File

@@ -30,6 +30,24 @@ from ipalib import Command, Str, Int, Bytes, Flag
from ipalib import errors from ipalib import errors
from ipalib.plugins.virtual import * from ipalib.plugins.virtual import *
import base64 import base64
from OpenSSL import crypto
def get_serial(certificate):
"""
Given a certificate, return the serial number in that cert
In theory there should be only one cert per object so even if we get
passed in a list/tuple only return the first one.
"""
if type(certificate) in (list, tuple):
certificate = certificate[0]
try:
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, certificate)
serial = str(x509.get_serial_number())
except crypto.Error:
raise errors.GenericError(format='Unable to decode certificate in entry')
return serial
def validate_csr(ugettext, csr): def validate_csr(ugettext, csr):
""" """
@@ -76,14 +94,14 @@ class cert_request(VirtualCommand):
# See if the service exists and punt if it doesn't and we aren't # See if the service exists and punt if it doesn't and we aren't
# going to add it # going to add it
try: try:
service = api.Command['service_show'](principal, **skw) (dn, service) = api.Command['service_show'](principal, **skw)
if service.get('usercertificate'): if 'usercertificate' in service:
# FIXME, what to do here? Do we revoke the old cert? # FIXME, what to do here? Do we revoke the old cert?
raise errors.GenericError(format='entry already has a certificate') raise errors.GenericError(format='entry already has a certificate, serial number %s' % get_serial(service['usercertificate']))
except errors.NotFound, e: except errors.NotFound, e:
if not add: if not add:
raise e raise errors.NotFound(reason="The service principal for this request doesn't exist.")
# Request the certificate # Request the certificate
result = self.Backend.ra.request_certificate(csr, **kw) result = self.Backend.ra.request_certificate(csr, **kw)
@@ -104,6 +122,33 @@ class cert_request(VirtualCommand):
else: else:
textui.print_plain('Failed to submit a certificate request.') textui.print_plain('Failed to submit a certificate request.')
def run(self, *args, **options):
"""
Dispatch to forward() and execute() to do work locally and on the
server.
"""
if self.env.in_server:
return self.execute(*args, **options)
# Client-side code
csr = args[0]
if csr[:7] == "file://":
file = csr[7:]
try:
f = open(file, "r")
csr = f.readlines()
f.close()
except IOError, err:
raise errors.ValidationError(name='csr', error=err[1])
csr = "".join(csr)
# We just want the CSR bits, make sure there is nothing else
s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")
e = csr.find("-----END NEW CERTIFICATE REQUEST-----")
if s >= 0:
csr = csr[s+40:e]
csr = csr.decode('UTF-8')
return self.forward(csr, **options)
api.register(cert_request) api.register(cert_request)

21
ipalib/plugins/service.py
View File

@@ -33,6 +33,17 @@ from ipalib import uuid
_container_dn = api.env.container_service _container_dn = api.env.container_service
_default_attributes = ['krbprincipalname', 'usercertificate'] _default_attributes = ['krbprincipalname', 'usercertificate']
def get_serial(certificate):
"""
Given a certificate, return the serial number in that cert
"""
try:
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, certificate)
serial = str(x509.get_serial_number())
except crypto.Error:
raise errors.GenericError(format='Unable to decode certificate in entry')
return serial
def split_principal(principal): def split_principal(principal):
service = hostname = realm = None service = hostname = realm = None
@@ -194,10 +205,8 @@ class service_del(crud.Delete):
'krbprincipalname', principal, 'ipaservice' 'krbprincipalname', principal, 'ipaservice'
) )
if 'usercerfificate' in entry_attrs: if 'usercertificate' in entry_attrs:
cert = entry_attrs['usercertificate'] serial = get_serial(entry_attrs['usercertificate'])
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, cert)
serial = str(x509.get_serial_number())
api.Command['cert_revoke'](unicode(serial), revocation_reason=5) api.Command['cert_revoke'](unicode(serial), revocation_reason=5)
ldap.delete_entry(dn) ldap.delete_entry(dn)
@@ -226,9 +235,9 @@ class service_mod(crud.Update):
dn = ldap.make_dn_from_attr('krbprincipalname', principal, _container_dn) dn = ldap.make_dn_from_attr('krbprincipalname', principal, _container_dn)
(dn, old_entry_attrs) = ldap.get_entry(dn) (dn, old_entry_attrs) = ldap.get_entry(dn)
if 'usercertificate' in old_entry_attrs and 'usercerficate' in options: if 'usercertificate' in old_entry_attrs and 'usercertificate' in options:
# FIXME, what to do here? Do we revoke the old cert? # FIXME, what to do here? Do we revoke the old cert?
raise errors.GenericError(format='entry already has a certificate') raise errors.GenericError(format='entry already has a certificate, serial number %s' % get_serial(old_entry_attrs['usercertificate']))
try: try:
ldap.update_entry(dn, entry_attrs) ldap.update_entry(dn, entry_attrs)

169
ipaserver/install/cainstance.py
View File

@@ -36,6 +36,7 @@ import urllib
import xml.dom.minidom import xml.dom.minidom
import stat import stat
from ipapython import dogtag from ipapython import dogtag
import subprocess
from nss.error import NSPRError from nss.error import NSPRError
import nss.nss as nss import nss.nss as nss
@@ -74,6 +75,23 @@ RootDN= cn=Directory Manager
RootDNPwd= $PASSWORD RootDNPwd= $PASSWORD
""" """
def check_inst():
"""
Validate that the appropriate dogtag/RHCS packages have been installed.
"""
# Check for a couple of binaries we need
if not os.path.exists('/usr/bin/pkicreate'):
return False
if not os.path.exists('/usr/bin/pkisilent'):
return False
# This is the template tomcat file for a CA
if not os.path.exists('/usr/share/pki/ca/conf/server.xml'):
return False
return True
def get_preop_pin(instance_root, instance_name): def get_preop_pin(instance_root, instance_name):
preop_pin = None preop_pin = None
@@ -355,6 +373,11 @@ class CAInstance(service.Service):
NSS database in mod_python. In nsslib.py we do an nssinit but this will NSS database in mod_python. In nsslib.py we do an nssinit but this will
return success if the database is already initialized. It doesn't care return success if the database is already initialized. It doesn't care
if the database is different or not. if the database is different or not.
external is a state machine:
0 = not an externally signed CA
1 = generating CSR to be signed
2 = have signed cert, continue installation
""" """
def __init__(self): def __init__(self):
@@ -365,7 +388,11 @@ class CAInstance(service.Service):
self.host_name = None self.host_name = None
self.pkcs12_info = None self.pkcs12_info = None
self.clone = False self.clone = False
self.external = False # for external CAs
self.external = 0
self.csr_file = None
self.cert_file = None
self.cert_chain_file = None
# The same database is used for mod_nss because the NSS context # The same database is used for mod_nss because the NSS context
# will already have been initialized by Apache by the time # will already have been initialized by Apache by the time
@@ -384,7 +411,20 @@ class CAInstance(service.Service):
def __del__(self): def __del__(self):
shutil.rmtree(self.ca_agent_db, ignore_errors=True) shutil.rmtree(self.ca_agent_db, ignore_errors=True)
def configure_instance(self, pki_user, host_name, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None): def configure_instance(self, pki_user, host_name, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None):
"""Create a CA instance. This may involve creating the pki-ca instance
dogtag instance.
To create a clone, pass in pkcs12_info.
Creating a CA with an external signer is a 2-step process. In
step 1 we generate a CSR. In step 2 we are given the cert and
chain and actually proceed to create the CA. For step 1 set
csr_file. For step 2 set cert_file and cert_chain_file.
"""
self.pki_user = pki_user self.pki_user = pki_user
self.host_name = host_name self.host_name = host_name
self.dm_password = dm_password self.dm_password = dm_password
@@ -395,10 +435,23 @@ class CAInstance(service.Service):
self.clone = True self.clone = True
self.master_host = master_host self.master_host = master_host
# Determine if we are installing as an externally-signed CA and
# what stage we're in.
if csr_file is not None:
self.csr_file=csr_file
self.external=1
elif cert_file is not None:
self.cert_file=cert_file
self.cert_chain_file=cert_chain_file
self.external=2
if not ipautil.dir_exists("/var/lib/pki-ca"): if not ipautil.dir_exists("/var/lib/pki-ca"):
self.step("creating pki-ca instance", self.create_instance) self.step("creating pki-ca instance", self.create_instance)
self.step("creating certificate server user", self.__create_ca_user) self.step("creating certificate server user", self.__create_ca_user)
self.step("configuring certificate server instance", self.__configure_instance) self.step("configuring certificate server instance", self.__configure_instance)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
if not self.clone: if not self.clone:
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12) self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
self.step("creating RA agent certificate database", self.__create_ra_agent_db) self.step("creating RA agent certificate database", self.__create_ra_agent_db)
@@ -434,19 +487,6 @@ class CAInstance(service.Service):
] ]
ipautil.run(args) ipautil.run(args)
# Turn off Nonces
if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(self.pki_user)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
logging.debug("restarting ca instance")
try:
self.restart()
logging.debug("done restarting ca instance")
except ipautil.CalledProcessError, e:
print "failed to restart ca instance", e
def __enable(self): def __enable(self):
self.backup_state("enabled", self.is_enabled()) self.backup_state("enabled", self.is_enabled())
self.chkconfig_on() self.chkconfig_on()
@@ -470,7 +510,18 @@ class CAInstance(service.Service):
self.backup_state("user_exists", user_exists) self.backup_state("user_exists", user_exists)
def __configure_instance(self): def __configure_instance(self):
#--skipcreate -u pkiuser -g pkiuser -p password -a password -d --hostname `hostname` -n IPA # Turn off Nonces
if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(self.pki_user)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
logging.debug("restarting ca instance")
try:
self.restart()
logging.debug("done restarting ca instance")
except ipautil.CalledProcessError, e:
print "failed to restart ca instance", e
preop_pin = get_preop_pin(self.server_root, self.service_name) preop_pin = get_preop_pin(self.server_root, self.service_name)
@@ -506,17 +557,18 @@ class CAInstance(service.Service):
"-ca_server_cert_subject_name", "CN=" + self.host_name + ",O=" + self.domain_name, "-ca_server_cert_subject_name", "CN=" + self.host_name + ",O=" + self.domain_name,
"-ca_audit_signing_cert_subject_name", "\"CN=CA Audit Signing Certificate,O=" + self.domain_name + "\"", "-ca_audit_signing_cert_subject_name", "\"CN=CA Audit Signing Certificate,O=" + self.domain_name + "\"",
"-ca_sign_cert_subject_name", "\"CN=Certificate Authority,O=" + self.domain_name + "\"" ] "-ca_sign_cert_subject_name", "\"CN=Certificate Authority,O=" + self.domain_name + "\"" ]
if (self.external): if self.external == 1:
args.append("-external") args.append("-external")
args.append("true") args.append("true")
# args.append("-ext_csr_file") args.append("-ext_csr_file")
# args.append(ext_csr_file) args.append(self.csr_file)
# if (options.cacertfile): elif self.external == 2:
# args.append("-ext_ca_cert_file") args.append("-external")
# args.append(options.cacertfile) args.append("true")
# if (options.cacertchainfile): args.append("-ext_ca_cert_file")
# args.append("-ext_ca_cert_chain_file") args.append(self.cert_file)
# args.append(options.cacertchainfile) args.append("-ext_ca_cert_chain_file")
args.append(self.cert_chain_file)
else: else:
args.append("-external") args.append("-external")
args.append("false") args.append("false")
@@ -551,6 +603,10 @@ class CAInstance(service.Service):
logging.debug(args) logging.debug(args)
ipautil.run(args) ipautil.run(args)
if self.external == 1:
print "The next step is to get %s signed by your CA and re-run ipa-server-install" % self.csr_file
sys.exit(0)
# pkisilent doesn't return 1 on error so look at the output of # pkisilent doesn't return 1 on error so look at the output of
# /sbin/service pki-ca status. It will tell us if the instance # /sbin/service pki-ca status. It will tell us if the instance
# still needs to be configured. # still needs to be configured.
@@ -593,11 +649,28 @@ class CAInstance(service.Service):
os.write(admin_fd, self.admin_password) os.write(admin_fd, self.admin_password)
os.close(admin_fd) os.close(admin_fd)
# Look thru the cert chain to get all the certs we need to add
# trust for
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.ca_agent_db,
"-O", "-n", "ipa-ca-agent"], stdout=subprocess.PIPE)
chain = p.stdout.read()
chain = chain.split("\n")
root_nickname=[]
for i in xrange(len(chain)):
m = re.match('\ *"(.*)" \[.*', chain[i])
if m:
nick = m.groups(0)[0]
if nick != "ipa-ca-agent" and nick[:7] != "Builtin":
root_nickname.append(m.groups()[0])
try: try:
for nick in root_nickname:
self.__run_certutil( self.__run_certutil(
['-M', '-t', 'CT,C,C', '-n', ['-M', '-t', 'CT,C,C', '-n',
'Certificate Authority - %s' % self.domain_name nick],
], database=self.ca_agent_db, pwd_file=self.admin_password) database=self.ca_agent_db, pwd_file=self.admin_password)
finally: finally:
os.remove(admin_name) os.remove(admin_name)
@@ -695,7 +768,7 @@ class CAInstance(service.Service):
('usertype', "agentType"), ('usertype', "agentType"),
('userstate', "1"), ('userstate', "1"),
('userCertificate', decoded), ('userCertificate', decoded),
('description', '2;7;CN=Certificate Authority,O=%s;CN=RA Subsystem Certificate,OU=pki-ipa,O=%s' % (self.domain_name, self.domain_name)),] ('description', '2;%s;CN=Certificate Authority,O=%s;CN=RA Subsystem Certificate,OU=pki-ipa,O=%s' % (str(self.requestId), self.domain_name, self.domain_name)),]
ld.add_s(entry_dn, entry) ld.add_s(entry_dn, entry)
@@ -759,16 +832,48 @@ class CAInstance(service.Service):
def __import_ca_chain(self): def __import_ca_chain(self):
chain = self.__get_ca_chain() chain = self.__get_ca_chain()
(chain_fd, chain_name) = tempfile.mkstemp()
os.write(chain_fd, chain) # If this chain contains multiple certs then certutil will only import
os.close(chain_fd) # the first one. So we have to pull them all out and import them
# separately. Unfortunately no NSS tool can do this so we have to
# use openssl.
# Convert to DER because the chain comes back as one long string which
# makes openssl throw up.
data = base64.b64decode(chain)
(certs, stderr) = ipautil.run(["/usr/bin/openssl",
"pkcs7",
"-inform",
"DER",
"-print_certs",
], stdin=data)
# Ok, now we have all the certificates in certs, walk thru it
# and pull out each certificate and add it to our database
st = 1
en = 0
subid = 0
while st > 0:
st = certs.find('-----BEGIN', en)
en = certs.find('-----END', en+1)
if st > 0:
try: try:
(chain_fd, chain_name) = tempfile.mkstemp()
os.write(chain_fd, certs[st:en+25])
os.close(chain_fd)
if subid == 0:
nick = self.canickname
else:
nick = "%s sub %d" % (self.canickname, subid)
self.__run_certutil( self.__run_certutil(
['-A', '-t', 'CT,C,C', '-n', self.canickname, '-a', ['-A', '-t', 'CT,C,C', '-n', nick, '-a',
'-i', chain_name] '-i', chain_name]
) )
finally: finally:
os.remove(chain_name) os.remove(chain_name)
subid = subid + 1
def __request_ra_certificate(self): def __request_ra_certificate(self):
# Create a noise file for generating our private key # Create a noise file for generating our private key

284
ipaserver/install/certs.py
View File

@@ -25,14 +25,18 @@ import logging
import urllib import urllib
import xml.dom.minidom import xml.dom.minidom
import pwd import pwd
import fcntl
from ipapython import nsslib from ipapython import nsslib
from ipapython import sysrestore from ipapython import sysrestore
from ipapython import ipautil from ipapython import ipautil
from ConfigParser import RawConfigParser
from nss.error import NSPRError from nss.error import NSPRError
import nss.nss as nss import nss.nss as nss
from ipalib import api
# The sha module is deprecated in Python 2.6, replaced by hashlib. Try # The sha module is deprecated in Python 2.6, replaced by hashlib. Try
# that first and fall back to sha.sha if it isn't available. # that first and fall back to sha.sha if it isn't available.
try: try:
@@ -46,12 +50,9 @@ def ipa_self_signed():
""" """
Determine if the current IPA CA is self-signed or using another CA Determine if the current IPA CA is self-signed or using another CA
Note that this doesn't distinguish between dogtag and being provided We do this based on the CA plugin that is currently in use.
PKCS#12 files from another CA.
A server is self-signed if /var/lib/ipa/ca_serialno exists
""" """
if ipautil.file_exists(CA_SERIALNO): if api.env.ra_plugin == 'selfsign':
return True return True
else: else:
return False return False
@@ -80,6 +81,96 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
return False return False
return False return False
def find_cert_from_txt(cert, start=0):
"""
Given a cert blob (str) which may or may not contian leading and
trailing text, pull out just the certificate part. This will return
the FIRST cert in a stream of data.
Returns a tuple (certificate, last position in cert)
"""
s = cert.find('-----BEGIN CERTIFICATE-----', start)
e = cert.find('-----END CERTIFICATE-----', s)
if e > 0: e = e + 25
if s < 0 or e < 0:
raise RuntimeError("Unable to find certificate")
cert = cert[s:e]
return (cert, e)
def next_serial(serial_file=CA_SERIALNO):
"""
Get the next serial number if we're using an NSS-based self-signed CA.
The file is an ini-like file with following properties:
lastvalue = the last serial number handed out
nextreplica = the serial number the next replica should start with
replicainterval = the number to add to nextreplica the next time a
replica is created
File locking is attempted so we have unique serial numbers.
"""
fp = None
parser = RawConfigParser()
if ipautil.file_exists(serial_file):
try:
fp = open(serial_file, "r+")
fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
parser.readfp(fp)
serial = parser.getint('selfsign', 'lastvalue')
cur_serial = serial + 1
except IOError, e:
raise RuntimeError("Unable to determine serial number: %s" % str(e))
else:
fp = open(serial_file, "w")
fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
parser.add_section('selfsign')
parser.set('selfsign', 'nextreplica', 500000)
parser.set('selfsign', 'replicainterval', 500000)
cur_serial = 1000
try:
fp.seek(0)
parser.set('selfsign', 'lastvalue', cur_serial)
parser.write(fp)
fp.flush()
fcntl.flock(fp.fileno(), fcntl.LOCK_UN)
fp.close()
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
return str(cur_serial)
def next_replica(serial_file=CA_SERIALNO):
"""
Return the starting serial number for a new self-signed replica
"""
fp = None
parser = RawConfigParser()
if ipautil.file_exists(serial_file):
try:
fp = open(serial_file, "r+")
fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
parser.readfp(fp)
serial = parser.getint('selfsign', 'nextreplica')
nextreplica = serial + parser.getint('selfsign', 'replicainterval')
except IOError, e:
raise RuntimeError("Unable to determine serial number: %s" % str(e))
else:
raise RuntimeError("%s does not exist, cannot create replica" % serial_file)
try:
fp.seek(0)
parser.set('selfsign', 'nextreplica', nextreplica)
parser.write(fp)
fp.flush()
fcntl.flock(fp.fileno(), fcntl.LOCK_UN)
fp.close()
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
return str(serial)
class CertDB(object): class CertDB(object):
def __init__(self, nssdir, fstore=None, host_name=None): def __init__(self, nssdir, fstore=None, host_name=None):
self.secdir = nssdir self.secdir = nssdir
@@ -93,9 +184,9 @@ class CertDB(object):
self.pk12_fname = self.secdir + "/cacert.p12" self.pk12_fname = self.secdir + "/cacert.p12"
self.pin_fname = self.secdir + "/pin.txt" self.pin_fname = self.secdir + "/pin.txt"
self.pwd_conf = "/etc/httpd/conf/password.conf" self.pwd_conf = "/etc/httpd/conf/password.conf"
self.reqdir = tempfile.mkdtemp('', 'ipa-', '/var/lib/ipa') self.reqdir = None
self.certreq_fname = self.reqdir + "/tmpcertreq" self.certreq_fname = None
self.certder_fname = self.reqdir + "/tmpcert.der" self.certder_fname = None
self.host_name = host_name self.host_name = host_name
self.self_signed_ca = ipa_self_signed() self.self_signed_ca = ipa_self_signed()
@@ -105,13 +196,6 @@ class CertDB(object):
else: else:
self.subject_format = "CN=%s,OU=pki-ipa,O=IPA" self.subject_format = "CN=%s,OU=pki-ipa,O=IPA"
# Making this a starting value that will generate
# unique values for the current DB is the
# responsibility of the caller for now. In the
# future we might automatically determine this
# for a given db.
self.cur_serial = -1
self.cacert_name = "CA certificate" self.cacert_name = "CA certificate"
self.valid_months = "120" self.valid_months = "120"
self.keysize = "1024" self.keysize = "1024"
@@ -131,63 +215,40 @@ class CertDB(object):
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
def __del__(self): def __del__(self):
if self.reqdir is not None:
shutil.rmtree(self.reqdir, ignore_errors=True) shutil.rmtree(self.reqdir, ignore_errors=True)
def find_cert_from_txt(self, cert): def setup_cert_request(self):
""" """
Given a cert blob (str) which may or may not contian leading and Create a temporary directory to store certificate requests and
trailing text, pull out just the certificate part. This will return certificates. This should be called before requesting certificates.
the FIRST cert in a stream of data.
This is set outside of __init__ to avoid creating a temporary
directory every time we open a cert DB.
""" """
s = cert.find('-----BEGIN CERTIFICATE-----') if self.reqdir is not None:
e = cert.find('-----END CERTIFICATE-----') return
if e > 0: e = e + 25
if s < 0 or e < 0: self.reqdir = tempfile.mkdtemp('', 'ipa-', '/var/lib/ipa')
raise RuntimeError("Unable to find certificate") self.certreq_fname = self.reqdir + "/tmpcertreq"
self.certder_fname = self.reqdir + "/tmpcert.der"
cert = cert[s:e]
return cert
def set_serial_from_pkcs12(self): def set_serial_from_pkcs12(self):
"""A CA cert was loaded from a PKCS#12 file. Set up our serial file""" """A CA cert was loaded from a PKCS#12 file. Set up our serial file"""
self.cur_serial = self.find_cacert_serial() cur_serial = self.find_cacert_serial()
try: try:
f=open(CA_SERIALNO,"w") fp = open(CA_SERIALNO, "w")
f.write(str(self.cur_serial)) parser = RawConfigParser()
f.close() parser.add_section('selfsign')
parser.set('selfsign', 'lastvalue', cur_serial)
parser.set('selfsign', 'nextreplica', 500000)
parser.set('selfsign', 'replicainterval', 500000)
parser.write(fp)
fp.close()
except IOError, e: except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e)) raise RuntimeError("Unable to increment serial number: %s" % str(e))
def next_serial(self):
try:
f=open(CA_SERIALNO,"r")
r = f.readline()
try:
self.cur_serial = int(r) + 1
except ValueError:
raise RuntimeError("The value in %s is not an integer" % CA_SERIALNO)
f.close()
except IOError, e:
if e.errno == errno.ENOENT:
self.self_signed_ca = True
self.cur_serial = 1000
f=open(CA_SERIALNO,"w")
f.write(str(self.cur_serial))
f.close()
else:
raise RuntimeError("Unable to determine serial number: %s" % str(e))
try:
f=open(CA_SERIALNO,"w")
f.write(str(self.cur_serial))
f.close()
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
return str(self.cur_serial)
def set_perms(self, fname, write=False, uid=None): def set_perms(self, fname, write=False, uid=None):
if uid: if uid:
pent = pwd.getpwnam(uid) pent = pwd.getpwnam(uid)
@@ -280,27 +341,35 @@ class CertDB(object):
return False return False
def create_ca_cert(self): def create_ca_cert(self):
# Generate the encryption key
self.run_certutil(["-G", "-z", self.noise_fname, "-f", self.passwd_fname])
# Generate the self-signed cert
p = subprocess.Popen(["/usr/bin/certutil", p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir, "-d", self.secdir,
"-S", "-n", self.cacert_name, "-S", "-n", self.cacert_name,
"-s", "cn=IPA Test Certificate Authority", "-s", "cn=IPA Test Certificate Authority",
"-x", "-x",
"-t", "CT,,C", "-t", "CT,,C",
"-1",
"-2", "-2",
"-m", self.next_serial(), "-5",
"-m", next_serial(),
"-v", self.valid_months, "-v", self.valid_months,
"-z", self.noise_fname, "-z", self.noise_fname,
"-f", self.passwd_fname], "-f", self.passwd_fname],
stdin=subprocess.PIPE, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE) stderr=subprocess.PIPE)
# Create key usage extension
# 0 - Digital Signature
# 1 - Non-repudiation
# 5 - Cert signing key
# Is this a critical extension [y/N]? y
p.stdin.write("0\n1\n5\n9\ny\n")
# Create basic constraint extension
# Is this a CA certificate [y/N]? y # Is this a CA certificate [y/N]? y
# Enter the path length constraint, enter to skip [<0 for unlimited pat # Enter the path length constraint, enter to skip [<0 for unlimited pat
# Is this a critical extension [y/N]? y # Is this a critical extension [y/N]? y
p.stdin.write("y\n\n7\n") # 5 6 7 9 n -> SSL, S/MIME, Object signing CA
p.stdin.write("y\n\ny\n")
p.stdin.write("5\n6\n7\n9\nn\n")
p.wait() p.wait()
def export_ca_cert(self, nickname, create_pkcs12=False): def export_ca_cert(self, nickname, create_pkcs12=False):
@@ -310,9 +379,12 @@ class CertDB(object):
do that step.""" do that step."""
# export the CA cert for use with other apps # export the CA cert for use with other apps
ipautil.backup_file(self.cacert_fname) ipautil.backup_file(self.cacert_fname)
self.run_certutil(["-L", "-n", nickname, root_nicknames = self.find_root_cert(nickname)
"-a", fd = open(self.cacert_fname, "w")
"-o", self.cacert_fname]) for root in root_nicknames:
(cert, stderr) = self.run_certutil(["-L", "-n", root, "-a"])
fd.write(cert)
fd.close()
os.chmod(self.cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH) os.chmod(self.cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
if create_pkcs12: if create_pkcs12:
ipautil.backup_file(self.pk12_fname) ipautil.backup_file(self.pk12_fname)
@@ -324,10 +396,30 @@ class CertDB(object):
self.set_perms(self.pk12_fname) self.set_perms(self.pk12_fname)
def load_cacert(self, cacert_fname): def load_cacert(self, cacert_fname):
self.run_certutil(["-A", "-n", self.cacert_name, """
Load all the certificates from a given file. It is assumed that
this file creates CA certificates.
"""
fd = open(cacert_fname)
certs = fd.read()
fd.close()
st = 0
subid=0
while True:
try:
(cert, st) = find_cert_from_txt(certs, st)
if subid == 0:
nick = self.cacert_name
else:
nick = "%s sub %d" % (self.cacert_name, subid)
subid = subid + 1
self.run_certutil(["-A", "-n", nick,
"-t", "CT,,C", "-t", "CT,,C",
"-a", "-a"],
"-i", cacert_fname]) stdin=cert)
except RuntimeError:
break
def get_cert_from_db(self, nickname): def get_cert_from_db(self, nickname):
try: try:
@@ -384,6 +476,7 @@ class CertDB(object):
def request_cert(self, subject, certtype="rsa", keysize="2048"): def request_cert(self, subject, certtype="rsa", keysize="2048"):
self.create_noise_file() self.create_noise_file()
self.setup_cert_request()
args = ["-R", "-s", subject, args = ["-R", "-s", subject,
"-o", self.certreq_fname, "-o", self.certreq_fname,
"-k", certtype, "-k", certtype,
@@ -398,13 +491,14 @@ class CertDB(object):
return (stdout, stderr) return (stdout, stderr)
def issue_server_cert(self, certreq_fname, cert_fname): def issue_server_cert(self, certreq_fname, cert_fname):
self.setup_cert_request()
if self.self_signed_ca: if self.self_signed_ca:
p = subprocess.Popen(["/usr/bin/certutil", p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir, "-d", self.secdir,
"-C", "-c", self.cacert_name, "-C", "-c", self.cacert_name,
"-i", certreq_fname, "-i", certreq_fname,
"-o", cert_fname, "-o", cert_fname,
"-m", self.next_serial(), "-m", next_serial(),
"-v", self.valid_months, "-v", self.valid_months,
"-f", self.passwd_fname, "-f", self.passwd_fname,
"-1", "-5"], "-1", "-5"],
@@ -469,7 +563,12 @@ class CertDB(object):
# The result is an XML blob. Pull the certificate out of that # The result is an XML blob. Pull the certificate out of that
doc = xml.dom.minidom.parseString(data) doc = xml.dom.minidom.parseString(data)
item_node = doc.getElementsByTagName("b64") item_node = doc.getElementsByTagName("b64")
try:
try:
cert = item_node[0].childNodes[0].data cert = item_node[0].childNodes[0].data
except IndexError:
raise RuntimeError("Certificate issuance failed")
finally:
doc.unlink() doc.unlink()
conn.close() conn.close()
@@ -482,13 +581,14 @@ class CertDB(object):
return return
def issue_signing_cert(self, certreq_fname, cert_fname): def issue_signing_cert(self, certreq_fname, cert_fname):
self.setup_cert_request()
if self.self_signed_ca: if self.self_signed_ca:
p = subprocess.Popen(["/usr/bin/certutil", p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir, "-d", self.secdir,
"-C", "-c", self.cacert_name, "-C", "-c", self.cacert_name,
"-i", certreq_fname, "-i", certreq_fname,
"-o", cert_fname, "-o", cert_fname,
"-m", self.next_serial(), "-m", next_serial(),
"-v", self.valid_months, "-v", self.valid_months,
"-f", self.passwd_fname, "-f", self.passwd_fname,
"-1", "-5"], "-1", "-5"],
@@ -565,10 +665,13 @@ class CertDB(object):
return return
def add_cert(self, cert_fname, nickname): def add_cert(self, cert_fname, nickname):
"""
Load a certificate from a PEM file and add minimal trust.
"""
args = ["-A", "-n", nickname, args = ["-A", "-n", nickname,
"-t", "u,u,u", "-t", "u,u,u",
"-i", cert_fname, "-i", cert_fname,
"-f", cert_fname] "-f", self.passwd_fname]
if not self.self_signed_ca: if not self.self_signed_ca:
args.append("-a") args.append("-a")
self.run_certutil(args) self.run_certutil(args)
@@ -600,21 +703,38 @@ class CertDB(object):
self.set_perms(self.pwd_conf, uid="apache") self.set_perms(self.pwd_conf, uid="apache")
def find_root_cert(self, nickname): def find_root_cert(self, nickname):
"""
Given a nickname, return a list of the certificates that make up
the trust chain.
"""
root_nicknames = []
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-O", "-n", nickname], stdout=subprocess.PIPE) "-O", "-n", nickname], stdout=subprocess.PIPE)
chain = p.stdout.read() chain = p.stdout.read()
chain = chain.split("\n") chain = chain.split("\n")
root_nickname = re.match('\ *"(.*)" \[.*', chain[0]).groups()[0] for c in chain:
m = re.match('\s*"(.*)" \[.*', c)
if m:
root_nicknames.append(m.groups()[0])
if len(root_nicknames) > 1:
# If you pass in the name of a CA to get the chain it may only
# return 1 (self-signed). Return that.
try:
root_nicknames.remove(nickname)
except ValueError:
# The nickname wasn't in the list
pass
# Try to work around a change in the F-11 certutil where untrusted # Try to work around a change in the F-11 certutil where untrusted
# CA's are not shown in the chain. This will make a default IPA # CA's are not shown in the chain. This will make a default IPA
# server installable. # server installable.
if root_nickname is None and self.self_signed_ca: if len(root_nicknames) == 0 and self.self_signed_ca:
return self.cacert_name return [self.cacert_name]
return root_nickname return root_nicknames
def find_root_cert_from_pkcs12(self, pkcs12_fname, passwd_fname=None): def find_root_cert_from_pkcs12(self, pkcs12_fname, passwd_fname=None):
"""Given a PKCS#12 file, try to find any certificates that do """Given a PKCS#12 file, try to find any certificates that do
@@ -723,11 +843,11 @@ class CertDB(object):
newca = f.readlines() newca = f.readlines()
f.close() f.close()
newca = "".join(newca) newca = "".join(newca)
newca = self.find_cert_from_txt(newca) (newca, st) = find_cert_from_txt(newca)
cacert = self.get_cert_from_db(self.cacert_name) cacert = self.get_cert_from_db(self.cacert_name)
if cacert != '': if cacert != '':
cacert = self.find_cert_from_txt(cacert) (cacert, st) = find_cert_from_txt(cacert)
if newca == cacert: if newca == cacert:
return return
@@ -765,11 +885,11 @@ class CertDB(object):
raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
self.cacert_name = ca_names[0] self.cacert_name = ca_names[0]
for nickname in ca_names: for ca in ca_names:
self.trust_root_cert(nickname) self.trust_root_cert(ca)
self.create_pin_file() self.create_pin_file()
self.export_ca_cert(self.cacert_name, False) self.export_ca_cert(nickname, False)
self.self_signed_ca=False self.self_signed_ca=False
# This file implies that we have our own self-signed CA. Ensure # This file implies that we have our own self-signed CA. Ensure

14
ipaserver/install/dsinstance.py
View File

@@ -35,7 +35,8 @@ import certs
import ldap import ldap
from ipaserver import ipaldap from ipaserver import ipaldap
from ipaserver.install import ldapupdate from ipaserver.install import ldapupdate
from ipalib import util, errors from ipaserver.install import httpinstance
from ipalib import util
SERVER_ROOT_64 = "/usr/lib64/dirsrv" SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv" SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -328,12 +329,15 @@ class DsInstance(service.Service):
nickname = server_certs[0][0] nickname = server_certs[0][0]
else: else:
nickname = "Server-Cert" nickname = "Server-Cert"
cadb = certs.CertDB(httpinstance.NSS_DIR, host_name=self.host_name)
if self.self_signed_ca: if self.self_signed_ca:
dsdb.create_self_signed() cadb.create_self_signed()
dsdb.create_server_cert("Server-Cert", self.host_name) dsdb.create_from_cacert(cadb.cacert_fname)
dsdb.create_server_cert("Server-Cert", self.host_name, cadb)
dsdb.create_pin_file()
else: else:
cadb = certs.CertDB("/etc/httpd/alias", host_name=self.host_name) # FIXME, need to set this nickname in the RA plugin
cadb.export_ca_cert(cadb.cacert_name, False) cadb.export_ca_cert('ipaCert', False)
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
dsdb.create_server_cert("Server-Cert", self.host_name, cadb) dsdb.create_server_cert("Server-Cert", self.host_name, cadb)
dsdb.create_pin_file() dsdb.create_pin_file()

32
ipaserver/install/httpinstance.py
View File

@@ -65,7 +65,6 @@ class HTTPInstance(service.Service):
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("Setting mod_nss port to 443", self.__set_mod_nss_port) self.step("Setting mod_nss port to 443", self.__set_mod_nss_port)
if not self_signed_ca:
self.step("Setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("Setting mod_nss password file", self.__set_mod_nss_passwordfile)
self.step("Adding URL rewriting rules", self.__add_include) self.step("Adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http) self.step("configuring httpd", self.__configure_http)
@@ -158,7 +157,7 @@ class HTTPInstance(service.Service):
def __setup_ssl(self): def __setup_ssl(self):
if self.self_signed_ca: if self.self_signed_ca:
ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) ca_db = certs.CertDB(NSS_DIR)
else: else:
ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn) ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn)
db = certs.CertDB(NSS_DIR) db = certs.CertDB(NSS_DIR)
@@ -176,6 +175,7 @@ class HTTPInstance(service.Service):
else: else:
if self.self_signed_ca: if self.self_signed_ca:
db.create_from_cacert(ca_db.cacert_fname) db.create_from_cacert(ca_db.cacert_fname)
db.create_password_conf()
db.create_server_cert("Server-Cert", self.fqdn, ca_db) db.create_server_cert("Server-Cert", self.fqdn, ca_db)
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
else: else:
@@ -184,14 +184,27 @@ class HTTPInstance(service.Service):
db.create_password_conf() db.create_password_conf()
# Fix the database permissions # Fix the database permissions
os.chmod(NSS_DIR + "/cert8.db", 0640) os.chmod(NSS_DIR + "/cert8.db", 0660)
os.chmod(NSS_DIR + "/key3.db", 0640) os.chmod(NSS_DIR + "/key3.db", 0660)
os.chmod(NSS_DIR + "/secmod.db", 0640) os.chmod(NSS_DIR + "/secmod.db", 0660)
os.chmod(NSS_DIR + "/pwdfile.txt", 0660)
pent = pwd.getpwnam("apache") pent = pwd.getpwnam("apache")
os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid ) os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid ) os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid ) os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
os.chown(NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
# Fix SELinux permissions on the database
ipautil.run(["/sbin/restorecon", NSS_DIR + "/cert8.db"])
ipautil.run(["/sbin/restorecon", NSS_DIR + "/key3.db"])
# In case this got generated as part of the install, reset the
# context
if ipautil.file_exists(certs.CA_SERIALNO):
ipautil.run(["/sbin/restorecon", certs.CA_SERIALNO])
os.chown(certs.CA_SERIALNO, 0, pent.pw_gid)
os.chmod(certs.CA_SERIALNO, 0664)
def __setup_autoconfig(self): def __setup_autoconfig(self):
prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict) prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
@@ -202,18 +215,19 @@ class HTTPInstance(service.Service):
# The signing cert is generated in __setup_ssl # The signing cert is generated in __setup_ssl
db = certs.CertDB(NSS_DIR) db = certs.CertDB(NSS_DIR)
pwdfile = open(db.passwd_fname)
pwd = pwdfile.read()
pwdfile.close()
tmpdir = tempfile.mkdtemp(prefix = "tmp-") tmpdir = tempfile.mkdtemp(prefix = "tmp-")
shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir) shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
db.run_signtool(["-k", "Signing-Cert", db.run_signtool(["-k", "Signing-Cert",
"-Z", "/usr/share/ipa/html/configure.jar", "-Z", "/usr/share/ipa/html/configure.jar",
"-e", ".html", "-e", ".html", "-p", pwd,
tmpdir]) tmpdir])
shutil.rmtree(tmpdir) shutil.rmtree(tmpdir)
def __publish_ca_cert(self): def __publish_ca_cert(self):
if self.self_signed_ca:
ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm)))
else:
ca_db = certs.CertDB(NSS_DIR) ca_db = certs.CertDB(NSS_DIR)
shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt") shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt")
os.chmod("/usr/share/ipa/html/ca.crt", 0444) os.chmod("/usr/share/ipa/html/ca.crt", 0444)

50
ipaserver/plugins/ra.py → ipaserver/plugins/dogtag.py
View File

@@ -20,39 +20,22 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
""" """
Backend plugin for IPA-RA. Backend plugin for RA using Dogtag.
The `ra` plugin provides access to the CA to issue, retrieve, and revoke
certificates via the following methods:
* `ra.check_request_status()` - check certificate request status.
* `ra.get_certificate()` - retrieve an existing certificate.
* `ra.request_certificate()` - request a new certificate.
* `ra.revoke_certificate()` - revoke a certificate.
* `ra.take_certificate_off_hold()` - take a certificate off hold.
""" """
from ipalib import api, SkipPluginModule from ipalib import api, SkipPluginModule
if api.env.enable_ra is not True: if api.env.ra_plugin != 'dogtag':
# In this case, abort loading this plugin module... # In this case, abort loading this plugin module...
raise SkipPluginModule(reason='env.enable_ra is not True') raise SkipPluginModule(reason='dogtag not selected as RA plugin')
import os, stat, subprocess import os
import array
import errno
import binascii
from httplib import HTTPConnection from httplib import HTTPConnection
from urllib import urlencode, quote from urllib import urlencode
from socket import gethostname from ipaserver.plugins import rabase
import socket import socket
from ipalib import Backend
from ipalib.errors import NetworkError from ipalib.errors import NetworkError
from ipaserver import servercore
from ipaserver import ipaldap
from ipalib.constants import TYPE_ERROR from ipalib.constants import TYPE_ERROR
from ipapython import nsslib from ipapython import nsslib
import nss.nss as nss import nss.nss as nss
import nss.ssl as ssl
from nss.error import NSPRError
import xml.dom.minidom import xml.dom.minidom
def get_xml_value(doc, tagname): def get_xml_value(doc, tagname):
@@ -62,7 +45,7 @@ def get_xml_value(doc, tagname):
except IndexError: except IndexError:
return None return None
class ra(Backend): class ra(rabase.rabase):
""" """
Request Authority backend plugin. Request Authority backend plugin.
""" """
@@ -110,29 +93,20 @@ class ra(Backend):
self.debug('request data %s', data) self.debug('request data %s', data)
return (status, reason, data) return (status, reason, data)
def _sslget(self, url, **kw): def _sslget(self, url, port, **kw):
""" """
Perform an HTTPS request Perform an HTTPS request
:param url: The URL to post to. :param url: The URL to post to.
:param kw: Keyword arguments to encode into POST body. :param kw: Keyword arguments to encode into POST body.
""" """
uri = 'https://%s:%d%s' % (self.env.ca_host, self.env.ca_ssl_port, url) uri = 'https://%s:%d%s' % (self.env.ca_host, port, url)
post = urlencode(kw) post = urlencode(kw)
self.info('sslget %r', uri) self.info('sslget %r', uri)
self.debug('sslget post %r', post) self.debug('sslget post %r', post)
argv = [
'/usr/bin/sslget',
'-n', self.ipa_certificate_nickname, # nickname
'-w', self.pwd_file, # pwfile
'-d', self.sec_dir, # dbdir
'-e', post, # post
'-r', url, # url
'%s:%d' % (self.env.ca_host, self.env.ca_ssl_port),
]
headers = {"Content-type": "application/x-www-form-urlencoded", headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain"} "Accept": "text/plain"}
conn = nsslib.NSSConnection(self.env.ca_host, self.env.ca_ssl_port, dbdir=self.sec_dir) conn = nsslib.NSSConnection(self.env.ca_host, port, dbdir=self.sec_dir)
conn.sslsock.set_client_auth_data_callback(nsslib.client_auth_data_callback, self.ipa_certificate_nickname, self.password, nss.get_default_certdb()) conn.sslsock.set_client_auth_data_callback(nsslib.client_auth_data_callback, self.ipa_certificate_nickname, self.password, nss.get_default_certdb())
conn.set_debuglevel(10) conn.set_debuglevel(10)
conn.request("POST", url, post, headers) conn.request("POST", url, post, headers)
@@ -194,6 +168,7 @@ class ra(Backend):
issued_certificate = None issued_certificate = None
(status, reason, stdout) = self._sslget( (status, reason, stdout) = self._sslget(
'/ca/agent/ca/displayBySerial', '/ca/agent/ca/displayBySerial',
self.env.ca_agent_port,
serialNumber=serial_number, serialNumber=serial_number,
xmlOutput='true', xmlOutput='true',
) )
@@ -229,6 +204,7 @@ class ra(Backend):
self.debug('%s.request_certificate()', self.fullname) self.debug('%s.request_certificate()', self.fullname)
certificate = None certificate = None
(status, reason, stdout) = self._sslget('/ca/ee/ca/profileSubmit', (status, reason, stdout) = self._sslget('/ca/ee/ca/profileSubmit',
self.env.ca_ee_port,
profileId='caRAserverCert', profileId='caRAserverCert',
cert_request_type=request_type, cert_request_type=request_type,
cert_request=csr, cert_request=csr,
@@ -292,6 +268,7 @@ class ra(Backend):
) )
response = {} response = {}
(status, reason, stdout) = self._sslget('/ca/agent/ca/doRevoke', (status, reason, stdout) = self._sslget('/ca/agent/ca/doRevoke',
self.env.ca_agent_port,
op='revoke', op='revoke',
revocationReason=revocation_reason, revocationReason=revocation_reason,
revokeAll='(certRecordId=%s)' % serial_number, revokeAll='(certRecordId=%s)' % serial_number,
@@ -316,6 +293,7 @@ class ra(Backend):
response = {} response = {}
self.debug('%s.take_certificate_off_hold()', self.fullname) self.debug('%s.take_certificate_off_hold()', self.fullname)
(status, reason, stdout) = self._sslget('/ca/agent/ca/doUnrevoke', (status, reason, stdout) = self._sslget('/ca/agent/ca/doUnrevoke',
self.env.ca_agent_port,
serialNumber=serial_number, serialNumber=serial_number,
) )
if (status == 0): if (status == 0):

113
ipaserver/plugins/rabase.py Normal file
View File

@@ -0,0 +1,113 @@
# Authors:
# Rob Crittenden <rcritten@@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Backend plugin for RA activities.
The `ra` plugin provides access to the CA to issue, retrieve, and revoke
certificates via the following methods:
* `ra.check_request_status()` - check certificate request status.
* `ra.get_certificate()` - retrieve an existing certificate.
* `ra.request_certificate()` - request a new certificate.
* `ra.revoke_certificate()` - revoke a certificate.
* `ra.take_certificate_off_hold()` - take a certificate off hold.
"""
from ipalib import api
from ipalib import Backend
from ipalib import errors
from ipaserver.install import certs
import os
class rabase(Backend):
"""
Request Authority backend plugin.
"""
def __init__(self):
if api.env.home:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
self.pwd_file = self.sec_dir + os.sep + '.pwd'
self.serial_file = self.sec_dir + os.sep + 'ca_serialno'
else:
self.sec_dir = "/etc/httpd/alias"
self.pwd_file = "/etc/httpd/alias/pwdfile.txt"
self.serial_file = certs.CA_SERIALNO
super(rabase, self).__init__()
def check_request_status(self, request_id):
"""
Check status of a certificate signing request.
:param request_id: request ID
"""
raise errors.NotImplementedError(name='%s.check_request_status' % self.name)
def get_certificate(self, serial_number=None):
"""
Retrieve an existing certificate.
:param serial_number: certificate serial number
"""
raise errors.NotImplementedError(name='%s.check_request_status' % self.name)
def request_certificate(self, csr, request_type='pkcs10'):
"""
Submit certificate signing request.
:param csr: The certificate signing request.
:param request_type: The request type (defaults to ``'pkcs10'``).
"""
raise errors.NotImplementedError(name='%s.check_request_status' % self.name)
def revoke_certificate(self, serial_number, revocation_reason=0):
"""
Revoke a certificate.
The integer ``revocation_reason`` code must have one of these values:
* ``0`` - unspecified
* ``1`` - keyCompromise
* ``2`` - cACompromise
* ``3`` - affiliationChanged
* ``4`` - superseded
* ``5`` - cessationOfOperation
* ``6`` - certificateHold
* ``8`` - removeFromCRL
* ``9`` - privilegeWithdrawn
* ``10`` - aACompromise
Note that reason code ``7`` is not used. See RFC 5280 for more details:
http://www.ietf.org/rfc/rfc5280.txt
:param serial_number: Certificate serial number.
:param revocation_reason: Integer code of revocation reason.
"""
raise errors.NotImplementedError(name='%s.check_request_status' % self.name)
def take_certificate_off_hold(self, serial_number):
"""
Take revoked certificate off hold.
:param serial_number: Certificate serial number.
"""
raise errors.NotImplementedError('%s.check_request_status' % self.name)

126
ipaserver/plugins/selfsign.py Normal file
View File

@@ -0,0 +1,126 @@
# Authors:
# Rob Crittenden <rcritten@@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Backend plugin for RA activities.
The `ra` plugin provides access to the CA to issue, retrieve, and revoke
certificates via the following methods:
* `ra.check_request_status()` - check certificate request status.
* `ra.get_certificate()` - retrieve an existing certificate.
* `ra.request_certificate()` - request a new certificate.
* `ra.revoke_certificate()` - revoke a certificate.
* `ra.take_certificate_off_hold()` - take a certificate off hold.
"""
from ipalib import api, SkipPluginModule
if api.env.ra_plugin != 'selfsign':
# In this case, abort loading this plugin module...
raise SkipPluginModule(reason='selfsign is not selected as RA plugin, it is %s' % api.env.ra_plugin)
from ipalib import Backend
from ipalib import errors
import subprocess
import os
from ipaserver.plugins import rabase
from ipaserver.install import certs
import tempfile
from OpenSSL import crypto
class ra(rabase.rabase):
"""
Request Authority backend plugin.
"""
def request_certificate(self, csr, request_type='pkcs10'):
"""
Submit certificate signing request.
:param csr: The certificate signing request.
:param request_type: The request type (defaults to ``'pkcs10'``).
"""
(csr_fd, csr_name) = tempfile.mkstemp()
os.write(csr_fd, csr)
os.close(csr_fd)
(cert_fd, cert_name) = tempfile.mkstemp()
os.close(cert_fd)
serialno = certs.next_serial(self.serial_file)
try:
args = [
"/usr/bin/certutil",
"-C",
"-d", self.sec_dir,
"-c", "CA certificate",
"-i", csr_name,
"-o", cert_name,
"-m", str(serialno),
"-v", "60",
"-1",
"-5",
"-6",
"-a",
"-f", self.pwd_file]
self.log.debug("issue cert: %s" % str(args))
p = subprocess.Popen(args,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE, close_fds=True)
p.stdin.write("0\n1\n2\n3\n9\ny\n")
p.stdin.write("0\n9\nn\n")
p.stdin.write("1\n9\nn\n")
(stdout, stderr) = p.communicate()
self.log.debug("stdout = %s" % stdout)
self.log.debug("stderr = %s" % stderr)
finally:
os.remove(csr_name)
try:
cert_fd = open(cert_name)
cert = cert_fd.read()
cert_fd.close()
finally:
os.remove(cert_name)
try:
# Grab the subject, reverse it, combine it and return it
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
sub = x509.get_subject().get_components()
sub.reverse()
subject = ""
for s in sub:
subject = subject + "%s=%s," % (s[0], s[1])
subject = subject[:-1]
serial = x509.get_serial_number()
except crypto.Error, e:
raise errors.GenericError(format='Unable to decode certificate in entry: %s' % str(e))
# To make it look like dogtag return just the base64 data.
cert = cert.replace('\n','')
cert = cert.replace('\r','')
s = cert.find('-----BEGIN CERTIFICATE-----')
e = cert.find('-----END CERTIFICATE-----')
s = s + 27
cert = cert[s:e]
return {'status':0, 'subject': subject, 'certificate':cert, 'serial': "0x%x" % serial}
api.register(ra)

6
selinux/ipa_httpd/ipa_httpd.te
View File

@@ -5,8 +5,10 @@ require {
type initrc_t; type initrc_t;
type var_run_t; type var_run_t;
type krb5kdc_t; type krb5kdc_t;
type cert_t;
class sock_file write; class sock_file write;
class unix_stream_socket connectto; class unix_stream_socket connectto;
class file write;
} }
# Let Apache and the KDC talk to DS over ldapi # Let Apache and the KDC talk to DS over ldapi
@@ -14,3 +16,7 @@ allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto; allow httpd_t initrc_t:unix_stream_socket connectto;
allow krb5kdc_t var_run_t:sock_file write; allow krb5kdc_t var_run_t:sock_file write;
allow krb5kdc_t initrc_t:unix_stream_socket connectto; allow krb5kdc_t initrc_t:unix_stream_socket connectto;
# Let Apache access the NSS certificate database so it can issue certs
# See ipa_httpd.fe for the list of files that are granted write access
allow httpd_t cert_t:file write;