Fix uses of O=REALM instead of the configured certificate subject base.

ticket 2521
Jan Cholasta 2012-03-26 07:11:41 -04:00 committed by Rob Crittenden
parent ef21a286f0
commit bd440d515e
6 changed files with 32 additions and 13 deletions


@ -42,15 +42,29 @@ from ipalib import api
from ipalib import _ from ipalib import _
from ipalib import util from ipalib import util
from ipalib import errors from ipalib import errors
from ipalib.dn import DN
PEM = 0 PEM = 0
DER = 1 DER = 1
PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL) PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL)
def valid_issuer(issuer, realm): _subject_base = None
return issuer in ('CN=%s Certificate Authority' % realm,
'CN=Certificate Authority,O=%s' % realm,) def subject_base():
global _subject_base
if _subject_base is None:
config = api.Command['config_show']()['result']
_subject_base = DN(config['ipacertificatesubjectbase'][0])
return _subject_base
def valid_issuer(issuer):
if api.env.ra_plugin == 'dogtag':
return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
else:
return DN(issuer) == DN(('CN', '%s Certificate Authority' % api.env.realm))
def strip_header(pem): def strip_header(pem):
""" """
@ -209,7 +223,7 @@ def verify_cert_subject(ldap, hostname, dercert):
issuer = str(nsscert.issuer) issuer = str(nsscert.issuer)
# Handle both supported forms of issuer, from selfsign and dogtag. # Handle both supported forms of issuer, from selfsign and dogtag.
if (not valid_issuer(issuer, api.env.realm)): if (not valid_issuer(issuer)):
raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \ raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
{'issuer' : issuer}) {'issuer' : issuer})
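Review bot: `subject_base()` in the first hunk has no docstring, and its contract needs one: the first call runs `api.Command['config_show']()` and the result is cached in the module global `_subject_base` for the life of the process, so a later change of `ipacertificatesubjectbase` is never picked up, and a failure of that first lookup propagates out of `valid_issuer()` — in `verify_cert_subject` (second hunk) it then surfaces as whatever `config_show` raised rather than the CertificateOperationError the caller handles. I would add `"""Return the configured certificate subject base as a DN; fetched via config_show once and cached in _subject_base for the process lifetime."""`. The function also hands out the cached DN object itself, so callers must not mutate it, which belongs in the same docstring if DN is mutable (not visible from this hunk). Note too that the old `valid_issuer` returned False for any non-matching string, whereas `DN(issuer)` will raise on an issuer string it cannot parse, if DN rejects malformed input; the validation caller at the second hunk does not guard for that.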


@ -97,8 +97,11 @@ def makecert(reqdir):
# Generate NSS cert database to store the private key for our CSR # Generate NSS cert database to store the private key for our CSR
run_certutil(reqdir, ["-N", "-f", pwname]) run_certutil(reqdir, ["-N", "-f", pwname])
res = api.Backend.client.run('config_show')
subject_base = res['result']['ipacertificatesubjectbase'][0]
cert = None cert = None
subject = 'CN=%s,O=%s' % (api.env.host, api.env.realm) subject = 'CN=%s,%s' % (api.env.host, subject_base)
princ = 'unittest/%s@%s' % (api.env.host, api.env.realm) princ = 'unittest/%s@%s' % (api.env.host, api.env.realm)
csr = unicode(generateCSR(reqdir, pwname, subject)) csr = unicode(generateCSR(reqdir, pwname, subject))
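Review bot: The subject is built by string formatting, `subject = 'CN=%s,%s' % (api.env.host, subject_base)`, while every other test file in this commit composes it as `DN(('CN', ...), x509.subject_base())`; the raw join assumes the stored subject base is a DN string needing no escaping, and the added `api.Backend.client.run('config_show')` duplicates the lookup that `x509.subject_base()` already performs and caches. If `x509` and `DN` are importable in this file (its imports are not in the hunk), `subject = str(DN(('CN', api.env.host), x509.subject_base()))` keeps a single code path for the subject. makecert's body continues outside the hunk.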


@ -28,6 +28,7 @@ from nose.tools import assert_raises # pylint: disable=E0611
from xmlrpc_test import XMLRPC_test, assert_attr_equal from xmlrpc_test import XMLRPC_test, assert_attr_equal
from ipalib import api from ipalib import api
from ipalib import errors from ipalib import errors
from ipalib import x509
import tempfile import tempfile
from ipapython import ipautil from ipapython import ipautil
import nose import nose
@ -74,6 +75,8 @@ class test_cert(XMLRPC_test):
# Create our temporary NSS database # Create our temporary NSS database
self.run_certutil(["-N", "-f", self.pwname]) self.run_certutil(["-N", "-f", self.pwname])
self.subject = DN(('CN', self.host_fqdn), x509.subject_base())
def tearDown(self): def tearDown(self):
super(test_cert, self).tearDown() super(test_cert, self).tearDown()
shutil.rmtree(self.reqdir, ignore_errors=True) shutil.rmtree(self.reqdir, ignore_errors=True)
@ -95,7 +98,6 @@ class test_cert(XMLRPC_test):
""" """
host_fqdn = u'ipatestcert.%s' % api.env.domain host_fqdn = u'ipatestcert.%s' % api.env.domain
service_princ = u'test/%s@%s' % (host_fqdn, api.env.realm) service_princ = u'test/%s@%s' % (host_fqdn, api.env.realm)
subject = DN(('CN',host_fqdn),('O',api.env.realm))
def test_1_cert_add(self): def test_1_cert_add(self):
""" """


@ -252,7 +252,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date, valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \ subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)), DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits, serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex, serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash, md5_fingerprint=fuzzy_hash,
@ -284,7 +284,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date, valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \ subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)), DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits, serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex, serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash, md5_fingerprint=fuzzy_hash,
@ -483,7 +483,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date, valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \ subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)), DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits, serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex, serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash, md5_fingerprint=fuzzy_hash,
@ -513,7 +513,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date, valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \ subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)), DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits, serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex, serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash, md5_fingerprint=fuzzy_hash,
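Review bot: The lambda `DN(x) == DN(('CN',api.env.host),x509.subject_base())` is repeated four times in this file and twice more in the test_service hunks, and none of these hunks shows `x509` being imported into the file — only test_cert gets a new `from ipalib import x509` in this commit — so if it is not already imported elsewhere the lambdas fail with NameError at assertion time rather than at import. I would hoist the expression into one module-level matcher next to `fuzzy_issuer`, e.g. `fuzzy_host_subject = Fuzzy(type=basestring, test=lambda s: DN(s) == DN(('CN', api.env.host), x509.subject_base()))` (name is my suggestion), and write `subject=fuzzy_host_subject,` at all six sites, which also makes the import requirement live in one place. The enclosing Declarative test dicts start and end outside the hunks.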


@ -379,7 +379,7 @@ class test_service(Declarative):
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date, valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \ subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)), DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits, serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex, serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash, md5_fingerprint=fuzzy_hash,
@ -407,7 +407,7 @@ class test_service(Declarative):
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date, valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \ subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)), DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits, serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex, serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash, md5_fingerprint=fuzzy_hash,


@ -51,7 +51,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=basestring)
# Matches a date, like Tue Apr 26 17:45:35 2016 UTC # Matches a date, like Tue Apr 26 17:45:35 2016 UTC
fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$') fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer, api.env.realm)) fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer))
fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=basestring) fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=basestring)