Require an imported certificate's issuer to match our issuer.

The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2025-02-25 18:55:28 -06:00 · 2011-04-26 16:45:19 -04:00
parent ed7a3e005a
commit a2a3782efb
7 changed files with 228 additions and 37 deletions
--- a/1
+++ b/1
@@ -82,6 +82,7 @@ lint:
 test:
 	$(MAKE) -C install/po test_lang
 	./make-testcert
 	./make-test
 release-update:
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -85,6 +85,7 @@ from ipalib.plugins.service import normalize_certificate
 from ipalib.plugins.service import set_certificate_attrs
 from ipalib.plugins.service import make_pem, check_writable_file
 from ipalib.plugins.service import write_certificate
 from ipalib.plugins.service import verify_cert_subject
 from ipalib.plugins.dns import dns_container_exists, _record_types
 from ipalib.plugins.dns import add_forward_record
 from ipalib import _, ngettext
@@ -400,6 +401,11 @@ class host_add(LDAPCreate):
                # save the password so it can be displayed in post_callback
                setattr(context, 'randompassword', entry_attrs['userpassword'])
            del entry_attrs['random']
        cert = options.get('usercertificate')
        if cert:
            cert = normalize_certificate(cert)
            verify_cert_subject(ldap, keys[-1], cert)
            entry_attrs['usercertificate'] = cert
        entry_attrs['managedby'] = dn
        return dn
@@ -600,6 +606,7 @@ class host_mod(LDAPUpdate):
                entry_attrs['objectclass'] = obj_classes
        cert = normalize_certificate(entry_attrs.get('usercertificate'))
        if cert:
            verify_cert_subject(ldap, keys[-1], cert)
            (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
            if 'usercertificate' in entry_attrs_old:
                oldcert = normalize_certificate(entry_attrs_old.get('usercertificate')[0])
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -206,6 +206,25 @@ def normalize_certificate(cert):
    return cert
 def verify_cert_subject(ldap, hostname, cert):
    """
    Verify that the certificate issuer we're adding matches the issuer
    base of our installation.
    This assumes the certificate has already been normalized.
    This raises an exception on errors and returns nothing otherwise.
    """
    cert = x509.load_certificate(cert, datatype=x509.DER)
    subject = str(cert.subject)
    issuer = str(cert.issuer)
    # Handle both supported forms of issuer, from selfsign and dogtag.
    if ((issuer != 'CN=%s Certificate Authority' % api.env.realm) and
        (issuer != 'CN=Certificate Authority,O=%s' % api.env.realm)):
        raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
        {'issuer' : issuer})
 def set_certificate_attrs(entry_attrs):
    """
    Set individual attributes from some values from a certificate.
@@ -342,7 +361,9 @@ class service_add(LDAPCreate):
        cert = options.get('usercertificate')
        if cert:
-            entry_attrs['usercertificate'] = normalize_certificate(cert)
+            cert = normalize_certificate(cert)
            verify_cert_subject(ldap, hostname, cert)
            entry_attrs['usercertificate'] = cert
        if not options.get('force', False):
             # We know the host exists if we've gotten this far but we
@@ -406,9 +427,11 @@ class service_mod(LDAPUpdate):
    def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
        if 'usercertificate' in options:
            (service, hostname, realm) = split_principal(keys[-1])
            cert = options.get('usercertificate')
            cert = normalize_certificate(cert)
            if cert:
                cert = normalize_certificate(cert)
                verify_cert_subject(ldap, hostname, cert)
                (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
                if 'usercertificate' in entry_attrs_old:
                    # FIXME: what to do here? do we revoke the old cert?
--- a/135
+++ b/135
@@ -0,0 +1,135 @@
 #!/usr/bin/python
 #
 # Authors:
 #   Rob Crittenden <rcritten@redhat.com>
 #
 # Copyright (C) 2011  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 Generate a custom certificate used in the service unit tests. The certificate
 will be created in tests/test_xmlrpc/service.crt
 """
 import sys
 import os
 import tempfile
 import shutil
 import nss.nss as nss
 from ipalib import api, x509, backend, errors
 from ipaserver.plugins import rabase
 from ipapython import ipautil
 CERTPATH = 'tests/test_xmlrpc/service.crt'
 def run_certutil(reqdir, args, stdin=None):
    """
    Run an NSS certutil command
    """
    new_args = ["/usr/bin/certutil", "-d", reqdir]
    new_args = new_args + args
    return ipautil.run(new_args, stdin)
 def generateCSR(reqdir, pwname, subject):
    """
    Create a CSR for the given subject.
    """
    run_certutil(reqdir, ["-R", "-s", subject,
                       "-o", '%s/req' % reqdir,
                       "-z", "/etc/group",
                       "-f", pwname,
                       "-a",
                       ])
    fp = open('%s/req' % reqdir, "r")
    data = fp.read()
    fp.close()
    return data
 class client(backend.Executioner):
    """
    A simple-minded IPA client that can execute remote commands.
    """
    def run(self, method, *args, **options):
        self.create_context()
        result = self.execute(method, *args, **options)
        return result
 def makecert(reqdir):
    """
    Generate a service certificate that can be used during unit testing.
    """
    cfg = dict(
        context='cli',
        in_server=False,
        debug=False,
        verbose=0,
    )
    api.bootstrap(**cfg)
    api.register(client)
    api.finalize()
    # This needs to be imported after the API is initialized
    from ipalib.plugins.service import make_pem
    ra = rabase.rabase()
    if not os.path.exists(ra.sec_dir) and api.env.xmlrpc_uri == 'http://localhost:8888/ipa/xml':
        sys.exit('The in-tree self-signed CA is not configured, see tests/test_xmlrpc/test_cert.py')
    pwname = reqdir + "/pwd"
    # Create an empty password file
    fp = open(pwname, "w")
    fp.write("\n")
    fp.close()
    # Generate NSS cert database to store the private key for our CSR
    run_certutil(reqdir, ["-N", "-f", pwname])
    cert = None
    subject = 'CN=%s,O=%s' % (api.env.host, api.env.realm)
    princ = 'unittest/%s@%s' % (api.env.host, api.env.realm)
    csr = unicode(generateCSR(reqdir, pwname, subject))
    try:
        res = api.Backend.client.run('cert_request', csr, principal=princ,
            add=True)
        cert = make_pem(res['result']['certificate'])
        fd = open(CERTPATH, 'w')
        fd.write(cert)
        fd.close()
    except errors.NotFound:
        return "certificate request failed"
    except errors.CommandError:
        return "You need to set enable_ra=True in ~/.ipa/default.conf"
    nss.nss_init_nodb()
    c = x509.load_certificate(cert, x509.PEM)
    print c
    return 0
 reqdir = None
 if os.path.exists(CERTPATH):
    print "Test certificate %s exists, skipping." % CERTPATH
    sys.exit(0)
 try:
    reqdir = tempfile.mkdtemp(prefix = "tmp-")
    sys.exit(makecert(reqdir))
 finally:
    shutil.rmtree(reqdir)
--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -22,8 +22,9 @@
 Test the `ipalib.plugins.host` module.
 """
-from ipalib import api, errors
+from ipalib import api, errors, x509
-from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid
+from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_digits
 from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date
 from tests.test_xmlrpc import objectclasses
 import base64
@@ -39,8 +40,12 @@ fqdn3 = u'testhost2.%s' % api.env.domain
 short3 = u'testhost2'
 dn3 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3, api.env.basedn)
-servercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv'
+# We can use the same cert we generated for the service tests
-
+fd = open('tests/test_xmlrpc/service.crt', 'r')
 servercert = fd.readlines()
 servercert = ''.join(servercert)
 servercert = x509.strip_header(servercert)
 fd.close()
 class test_host(Declarative):
@@ -225,13 +230,13 @@ class test_host(Declarative):
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    managedby_host=[u'%s' % fqdn1],
                    usercertificate=[base64.b64decode(servercert)],
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
+                    valid_not_before=fuzzy_date,
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
+                    valid_not_after=fuzzy_date,
-                    subject=u'CN=puma.greyoak.com,O=IPA',
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
-                    serial_number=u'1022',
+                    serial_number=fuzzy_digits,
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
+                    md5_fingerprint=fuzzy_hash,
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
+                    sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                ),
            ),
        ),
@@ -252,13 +257,13 @@ class test_host(Declarative):
                    has_keytab=False,
                    managedby_host=[u'%s' % fqdn1],
                    usercertificate=[base64.b64decode(servercert)],
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
+                    valid_not_before=fuzzy_date,
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
+                    valid_not_after=fuzzy_date,
-                    subject=u'CN=puma.greyoak.com,O=IPA',
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
-                    serial_number=u'1022',
+                    serial_number=fuzzy_digits,
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
+                    md5_fingerprint=fuzzy_hash,
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
+                    sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                ),
            ),
        ),
--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@@ -21,8 +21,9 @@
 Test the `ipalib/plugins/service.py` module.
 """
-from ipalib import api, errors
+from ipalib import api, errors, x509
-from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid
+from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
 from tests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date
 from tests.test_xmlrpc import objectclasses
 import base64
@@ -37,7 +38,13 @@ host1dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn1, api.env.basedn)
 host2dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn2, api.env.basedn)
 host3dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3.lower(), api.env.basedn)
-servercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv'
+fd = open('tests/test_xmlrpc/service.crt', 'r')
 servercert = fd.readlines()
 servercert = ''.join(servercert)
 servercert = x509.strip_header(servercert)
 fd.close()
 badservercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv'
 class test_host(Declarative):
@@ -345,6 +352,13 @@ class test_host(Declarative):
        ),
        dict(
            desc='Update %r with a bad certificate' % service1,
            command=('service_mod', [service1], dict(usercertificate=badservercert)),
            expected=errors.CertificateOperationError(error='exact error msg not needed'),
        ),
        dict(
            desc='Update %r' % service1,
            command=('service_mod', [service1], dict(usercertificate=servercert)),
@@ -355,13 +369,13 @@ class test_host(Declarative):
                    usercertificate=[base64.b64decode(servercert)],
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
+                    valid_not_before=fuzzy_date,
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
+                    valid_not_after=fuzzy_date,
-                    subject=u'CN=puma.greyoak.com,O=IPA',
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
-                    serial_number=u'1022',
+                    serial_number=fuzzy_digits,
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
+                    md5_fingerprint=fuzzy_hash,
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
+                    sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                ),
            ),
        ),
@@ -381,13 +395,13 @@ class test_host(Declarative):
                    managedby_host=[fqdn1],
                    # These values come from the servercert that is in this
                    # test case.
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
+                    valid_not_before=fuzzy_date,
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
+                    valid_not_after=fuzzy_date,
-                    subject=u'CN=puma.greyoak.com,O=IPA',
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
-                    serial_number=u'1022',
+                    serial_number=fuzzy_digits,
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
+                    md5_fingerprint=fuzzy_hash,
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
+                    sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                ),
            ),
        ),
--- a/tests/test_xmlrpc/xmlrpc_test.py
+++ b/tests/test_xmlrpc/xmlrpc_test.py
@@ -44,6 +44,12 @@ fuzzy_netgroupdn = Fuzzy(
    'ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},cn=ng,cn=alt,%s' % api.env.basedn
 )
 # Matches a hash signature, not enforcing length
 fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=basestring)
 # Matches a date, like Tue Apr 26 17:45:35 2016 UTC
 fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
 try:
    if not api.Backend.xmlclient.isconnected():
        api.Backend.xmlclient.connect(fallback=False)