IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-11 00:31:56 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use NSSDatabase instead of direct certutil calls in client code

Browse Source 
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-09-18 12:00:15 +02:00 committed by Martin Kosek
parent b764e9d3e6
commit bbf962299d
3 changed files with 26 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
ipa-client/ipa-install/ipa-client-install
View File

@ -226,14 +226,6 @@ def logging_setup(options):
def log_service_error(name, action, error):
root_logger.error("%s failed to %s: %s", name, action, str(error))
def nickname_exists(nickname):
(sout, serr, returncode) = run([paths.CERTUTIL, "-L", "-d", paths.NSS_DB_DIR, "-n", nickname], raiseonerr=False)
if returncode == 0:
return True
else:
return False
def purge_ipa_certs(additional=[]):
filename = paths.NSSDB_IPA_TXT
if file_exists(filename):
@ -258,12 +250,11 @@ def purge_ipa_certs(additional=[]):
if nickname:
nicknames.add(nickname)
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname in nicknames:
while nickname_exists(nickname):
while sys_db.has_nickname(nickname):
try:
run([paths.CERTUTIL, "-D",
"-d", paths.NSS_DB_DIR,
"-n", nickname])
sys_db.delete_cert(nickname)
except Exception, e:
root_logger.error(
"Failed to remove %s from /etc/pki/nssdb: %s", nickname, e)
@ -2533,23 +2524,16 @@ def install(options, env, fstore, statestore):
except ValueError:
pass
tmp_nss_dir = tempfile.mkdtemp()
try:
with certdb.NSSDatabase() as tmp_db:
# Add CA certs to a temporary NSS database
try:
pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
run([paths.CERTUTIL, '-N',
'-d', tmp_nss_dir,
'-f', pwd_file.name])
tmp_db.create_db(pwd_file.name)
ca_certs = x509.load_certificate_list_from_file(CACERT)
ca_certs = [cert.der_data for cert in ca_certs]
for i, cert in enumerate(ca_certs):
run([paths.CERTUTIL, '-A',
'-d', tmp_nss_dir,
'-n', 'CA certificate %d' % (i + 1),
'-t', 'C,,'],
stdin=cert)
tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
except CalledProcessError, e:
root_logger.info("Failed to add CA to temporary NSS database.")
return CLIENT_INSTALL_ERROR
@ -2557,7 +2541,7 @@ def install(options, env, fstore, statestore):
# Now, let's try to connect to the server's RPC interface
connected = False
try:
api.Backend.rpcclient.connect(nss_dir=tmp_nss_dir)
api.Backend.rpcclient.connect(nss_dir=tmp_db.secdir)
connected = True
root_logger.debug("Try RPC connection")
api.Backend.rpcclient.forward('ping')
@ -2569,7 +2553,7 @@ def install(options, env, fstore, statestore):
"Trying with delegate=True", e)
try:
api.Backend.rpcclient.connect(delegate=True,
nss_dir=tmp_nss_dir)
nss_dir=tmp_db.secdir)
root_logger.debug("Try RPC connection")
api.Backend.rpcclient.forward('ping')
@ -2594,8 +2578,6 @@ def install(options, env, fstore, statestore):
root_logger.error(
"Cannot connect to the server due to generic error: %s", e)
return CLIENT_INSTALL_ERROR
finally:
shutil.rmtree(tmp_nss_dir)
# Use the RPC directly so older servers are supported
result = api.Backend.rpcclient.forward(
@ -2622,14 +2604,10 @@ def install(options, env, fstore, statestore):
# Add the CA certificates to the IPA NSS database
root_logger.debug("Adding CA certificates to the IPA NSS database.")
ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
for cert, nickname, trust_flags in ca_certs_trust:
try:
run([paths.CERTUTIL,
"-A",
"-d", paths.IPA_NSSDB_DIR,
"-n", nickname,
"-t", trust_flags],
stdin=cert)
ipa_db.add_cert(cert, nickname, trust_flags)
except CalledProcessError, e:
root_logger.error(
"Failed to add %s to the IPA NSS database.", nickname)
@ -2653,14 +2631,10 @@ def install(options, env, fstore, statestore):
root_logger.debug(
"Attempting to add CA certificates to the default NSS database.")
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for cert, nickname, trust_flags in ca_certs_trust:
try:
run([paths.CERTUTIL,
"-A",
"-d", paths.NSS_DB_DIR,
"-n", nickname,
"-t", trust_flags],
stdin=cert)
sys_db.add_cert(cert, nickname, trust_flags)
except CalledProcessError, e:
root_logger.error(
"Failed to add %s to the default NSS database.", nickname)

14
ipa-client/ipaclient/ipa_certupdate.py
View File

@ -22,7 +22,7 @@ import tempfile
import shutil
from ipapython import (admintool, ipautil, ipaldap, sysrestore, dogtag,
certmonger)
certmonger, certdb)
from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
@ -72,11 +72,10 @@ class CertUpdate(admintool.AdminTool):
self.update_file(paths.IPA_CA_CRT, certs)
self.update_db(paths.IPA_NSSDB_DIR, certs)
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname in ('IPA CA', 'External CA cert'):
try:
ipautil.run([paths.CERTUTIL, '-D',
'-d', paths.NSS_DB_DIR,
'-n', nickname])
sys_db.delete_cert(nickname)
except ipautil.CalledProcessError, e:
pass
@ -165,15 +164,12 @@ class CertUpdate(admintool.AdminTool):
self.log.error("failed to update %s: %s", filename, e)
def update_db(self, path, certs):
db = certdb.NSSDatabase(path)
for cert, nickname, trusted, eku in certs:
trust_flags = certstore.key_policy_to_trust_flags(
trusted, True, eku)
try:
ipautil.run([paths.CERTUTIL, '-A',
'-d', path,
'-n', nickname,
'-t', trust_flags],
stdin=cert)
db.add_cert(cert, nickname, trust_flags)
except ipautil.CalledProcessError, e:
self.log.error(
"failed to update %s in %s: %s", nickname, path, e)

20
ipapython/certdb.py
View File

@ -36,24 +36,22 @@ def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
def create_ipa_nssdb():
pwdfile = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
db = NSSDatabase(paths.IPA_NSSDB_DIR)
pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
ipautil.backup_file(pwdfile)
ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'))
ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'))
ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'))
ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
with open(pwdfile, 'w') as f:
f.write(ipautil.ipa_generate_password(pwd_len=40))
os.chmod(pwdfile, 0600)
ipautil.run([paths.CERTUTIL,
"-N",
"-d", paths.IPA_NSSDB_DIR,
"-f", pwdfile])
os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'), 0644)
os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'), 0644)
os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'), 0644)
db.create_db(pwdfile)
os.chmod(os.path.join(db.secdir, 'cert8.db'), 0644)
os.chmod(os.path.join(db.secdir, 'key3.db'), 0644)
os.chmod(os.path.join(db.secdir, 'secmod.db'), 0644)
def find_cert_from_txt(cert, start=0):