Use Realm as certs subject base name

Also use the realm name as nickname for the CA certificate
2025-02-25 18:55:28 -06:00 · 2010-11-01 13:51:14 -04:00
parent 775fc23738
commit 74ba0cc7c1
12 changed files with 53 additions and 39 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -36,7 +36,7 @@ import urllib
 import xml.dom.minidom
 import stat
 from ipapython import dogtag
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
 from ipalib import pkcs10
 import subprocess

@@ -365,8 +365,9 @@ class CAInstance(service.Service):
       2 = have signed cert, continue installation
    """

-    def __init__(self):
+    def __init__(self, realm):
        service.Service.__init__(self, "pki-cad")
+        self.realm = realm
        self.pki_user = "pkiuser"
        self.dm_password = None
        self.admin_password = None
@@ -382,7 +383,7 @@ class CAInstance(service.Service):
        # The same database is used for mod_nss because the NSS context
        # will already have been initialized by Apache by the time
        # mod_python wants to do things.
-        self.canickname = CA_NICKNAME
+        self.canickname = get_ca_nickname(realm)
        self.basedn = "o=ipaca"
        self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-")
        self.ra_agent_db = "/etc/httpd/alias"
@@ -400,7 +401,7 @@ class CAInstance(service.Service):
                           admin_password, ds_port=DEFAULT_DSPORT,
                           pkcs12_info=None, master_host=None, csr_file=None,
                           cert_file=None, cert_chain_file=None,
-                           subject_base="O=IPA"):
+                           subject_base=None):
        """Create a CA instance. This may involve creating the pki-ca instance
           dogtag instance.

@@ -420,7 +421,10 @@ class CAInstance(service.Service):
        if self.pkcs12_info is not None:
            self.clone = True
        self.master_host = master_host
-        self.subject_base = subject_base
+        if subject_base is None:
+            self.subject_base = "O=%s" % self.realm
+        else:
+            self.subject_base = subject_base

        # Determine if we are installing as an externally-signed CA and
        # what stage we're in.
@@ -1000,5 +1004,5 @@ if __name__ == "__main__":
    installutils.standard_logging_setup("install.log", False)
    cs = CADSInstance()
    cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
-    ca = CAInstance()
+    ca = CAInstance("EXAMPLE.COM")
    ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -33,7 +33,7 @@ from ipapython import dogtag
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import certmonger
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
 from ipalib import pkcs10
 from ConfigParser import RawConfigParser, MissingSectionHeaderError
 import service
@@ -163,8 +163,9 @@ def next_replica(serial_file=CA_SERIALNO):
    return str(serial)

 class CertDB(object):
-    def __init__(self, nssdir, fstore=None, host_name=None, subject_base=None):
+    def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None):
        self.secdir = nssdir
+        self.realm = realm

        self.noise_fname = self.secdir + "/noise.txt"
        self.passwd_fname = self.secdir + "/pwdfile.txt"
@@ -191,7 +192,7 @@ class CertDB(object):
        else:
            self.subject_format = "CN=%s,O=IPA"

-        self.cacert_name = CA_NICKNAME
+        self.cacert_name = get_ca_nickname(self.realm)
        self.valid_months = "120"
        self.keysize = "1024"

@@ -345,10 +346,11 @@ class CertDB(object):

    def create_ca_cert(self):
        os.chdir(self.secdir)
+        subject = "cn=%s Certificate Authority" % self.realm
        p = subprocess.Popen(["/usr/bin/certutil",
                              "-d", self.secdir,
                              "-S", "-n", self.cacert_name,
-                              "-s", "cn=IPA Test Certificate Authority",
+                              "-s", subject,
                              "-x",
                              "-t", "CT,,C",
                              "-1",
@@ -853,7 +855,10 @@ class CertDB(object):
            else:
                raise RuntimeError("unknown error import pkcs#12 file")

-    def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=CA_NICKNAME):
+    def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):
+        if nickname is None:
+            nickname = get_ca_nickname(api.env.realm)
+
        ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
                     "-o", pkcs12_fname,
                     "-n", nickname,
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -404,7 +404,7 @@ class DsInstance(service.Service):

    def __enable_ssl(self):
        dirname = config_dirname(self.serverid)
-        dsdb = certs.CertDB(dirname, subject_base=self.subject_base)
+        dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
        if self.pkcs12_info:
            dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
            server_certs = dsdb.find_server_certs()
@@ -416,7 +416,7 @@ class DsInstance(service.Service):
            self.dercert = dsdb.get_cert_from_db(nickname)
        else:
            nickname = "Server-Cert"
-            cadb = certs.CertDB(httpinstance.NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
+            cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
            if self.self_signed_ca:
                cadb.create_self_signed()
                dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
@@ -529,7 +529,7 @@ class DsInstance(service.Service):
            # drop the trailing / off the config_dirname so the directory
            # will match what is in certmonger
            dirname = config_dirname(serverid)[:-1]
-            dsdb = certs.CertDB(dirname)
+            dsdb = certs.CertDB(dirname, self.realm_name)
            dsdb.untrack_server_cert("Server-Cert")
            erase_ds_instance_data(serverid)

@@ -571,7 +571,7 @@ class DsInstance(service.Service):
        self.stop()

        dirname = config_dirname(realm_to_serverid(self.realm_name))
-        certdb = certs.CertDB(dirname, subject_base=self.subject_base)
+        certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
        if not cacert_name or len(cacert_name) == 0:
            cacert_name = "Imported CA"
        # we can't pass in the nickname, so we set the instance variable
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -30,7 +30,7 @@ import dsinstance
 import installutils
 from ipapython import sysrestore
 from ipapython import ipautil
-from ipalib import util
+from ipalib import util, api

 HTTPD_DIR = "/etc/httpd"
 SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
@@ -164,10 +164,10 @@ class HTTPInstance(service.Service):

    def __setup_ssl(self):
        if self.self_signed_ca:
-            ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+            ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
        else:
-            ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
-        db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+            ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base)
+        db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
        if self.pkcs12_info:
            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
            server_certs = db.find_server_certs()
@@ -223,7 +223,7 @@ class HTTPInstance(service.Service):
        prefs_fd.close()

        # The signing cert is generated in __setup_ssl
-        db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+        db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)

        pwdfile = open(db.passwd_fname)
        pwd = pwdfile.read()
@@ -238,7 +238,7 @@ class HTTPInstance(service.Service):
        shutil.rmtree(tmpdir)

    def __publish_ca_cert(self):
-        ca_db = certs.CertDB(NSS_DIR)
+        ca_db = certs.CertDB(NSS_DIR, self.realm)
        shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt")
        os.chmod("/usr/share/ipa/html/ca.crt", 0444)

@@ -252,7 +252,7 @@ class HTTPInstance(service.Service):
        if not running is None:
            self.stop()

-        db = certs.CertDB(NSS_DIR)
+        db = certs.CertDB(NSS_DIR, api.env.realm)
        db.untrack_server_cert("Server-Cert")
        if not enabled is None and not enabled:
            self.chkconfig_off()
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -39,7 +39,7 @@ from ipalib import Backend
 from ipalib import errors
 from ipalib import x509
 from ipalib import pkcs10
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
 import subprocess
 import os
 import re
@@ -47,6 +47,7 @@ from ipaserver.plugins import rabase
 from ipaserver.install import certs
 import tempfile
 from ipalib import  _
+from ipalib import  api
 from ipalib.plugins.cert import get_csr_hostname
 from nss.error import NSPRError

@@ -157,7 +158,7 @@ class ra(rabase.rabase):
                "/usr/bin/certutil",
                "-C",
                "-d", self.sec_dir,
-                "-c", CA_NICKNAME,
+                "-c", get_ca_nickname(api.env.realm),
                "-i", csr_name,
                "-o", cert_name,
                "-m", str(serialno),